Security does not have to be complicated
Most cyber attacks against small businesses are not sophisticated. They are opportunistic. Someone clicks a dodgy link, or a password gets reused from a breached website, or a system that should have been updated six months ago gets exploited. You do not need a massive budget or a dedicated security team to protect your business. You just need to get the basics right.
Here are the things that actually matter for a small business in Somerset.
Turn on multi-factor authentication everywhere
MFA (sometimes called two-factor authentication or 2FA) is the single most effective thing you can do to protect your accounts. It means that even if someone steals a password, they cannot log in without a second verification step, usually a code from an app on your phone.
Turn it on for:
- Microsoft 365 or Google Workspace (this is the most important one)
- Your accounting software
- Banking and financial services
- Remote access tools (VPN, remote desktop)
- Social media accounts
- Any system that holds customer or employee data
Use an authenticator app like Microsoft Authenticator or Google Authenticator rather than SMS codes. SMS can be intercepted. Authenticator apps cannot.
Yes, it adds a few seconds to logging in. That is a tiny price for preventing someone from draining your bank account or reading all your emails.
Keep everything updated
Software updates exist primarily to fix security vulnerabilities. When a vendor releases a patch, it is because they have found a hole that attackers can exploit. Every day you delay installing that patch, your systems are exposed.
The important stuff to keep updated:
- Windows and macOS operating systems. Turn on automatic updates.
- Web browsers (Chrome, Edge, Firefox). These update automatically if you restart them regularly.
- Microsoft Office and other productivity software.
- Your firewall and router firmware.
- Any business-specific applications.
If you are running software that is no longer supported by the vendor (like Windows Server 2012 or older versions of SQL Server), it is not getting security patches anymore. That is a ticking time bomb. Budget to replace it.
Backups that actually work
Having backups is not enough. You need backups that you have tested and that you know work. The number of businesses that discover their backup has been failing silently for six months is genuinely alarming.
A good backup setup for a small business looks like this:
- Daily backups of all business data, servers, and critical systems.
- At least one backup copy stored offsite or in the cloud. If your office floods or burns down, a backup drive sitting next to the server is useless.
- Regular test restores. At least quarterly, actually restore some files from backup to prove it works.
- Backup monitoring. Someone should be checking every day that the backup completed successfully.
- Retention long enough to recover from slow-burn problems. Ransomware can sit quietly encrypting files for weeks before you notice. If your backup only goes back three days, you might not have a clean copy.
Somerset businesses with offices near flood-risk areas on the Levels should be especially careful about having offsite backups. Local flooding has caught out more than a few businesses over the years.
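As an added example (not code from the original post), here is a small daily check that covers the three points above: the newest backup is recent, retention reaches back far enough to outlast slow-burn ransomware, and a real test restore succeeds. The archive names, the ledger file and its contents are constructed for the demo; the thresholds are assumed defaults you would tune.

```python
# Added example (not from the original post): a daily backup check covering
# freshness, retention depth and a real test restore, run against constructed archives.
import hashlib, io, os, tarfile, tempfile, time
from pathlib import Path

SAMPLE_FILE = "accounts/ledger.csv"  # hypothetical file expected in every archive

def make_sample_backups(root, days_ago, content=b"2024-01-01,Invoice 17,950.00\n"):
    """Constructed test data: one backdated archive per entry in days_ago."""
    now = time.time()
    for d in days_ago:
        archive = Path(root) / f"backup-{d:03d}.tar.gz"
        with tarfile.open(str(archive), "w:gz") as tar:
            info = tarfile.TarInfo(SAMPLE_FILE)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        os.utime(archive, (now - d * 86400,) * 2)  # backdate mtime to simulate history
    return hashlib.sha256(content).hexdigest()

def check_backups(backup_dir, expected_sha256, max_age_hours=24, min_retention_days=28):
    """Return a list of problems; an empty list means today's backup check passed."""
    archives = sorted(Path(backup_dir).glob("backup-*.tar.gz"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return ["no backup archives found at all"]
    oldest, newest = archives[0], archives[-1]
    problems = []
    age_hours = (time.time() - newest.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"newest backup is {age_hours:.0f}h old; daily backups are not completing")
    span_days = (newest.stat().st_mtime - oldest.stat().st_mtime) / 86400
    if span_days < min_retention_days:
        problems.append(f"only {span_days:.0f} days retained; slow ransomware could outlast it")
    # Test restore: read one known file back out of the newest archive and compare its hash.
    with tarfile.open(str(newest)) as tar:
        try:
            with tar.extractfile(SAMPLE_FILE) as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        except KeyError:
            return problems + [f"{SAMPLE_FILE} is missing from the newest archive"]
    if digest != expected_sha256:
        problems.append("test restore produced a file that does not match the original")
    return problems

def demo(days_ago=range(0, 30)):
    """Build a throwaway backup set and run the check on it; returns the problem list."""
    with tempfile.TemporaryDirectory() as root:
        digest = make_sample_backups(root, days_ago)
        return check_backups(root, digest)
```

Pointing `check_backups` at the real backup folder and emailing a non-empty result is the "someone checks every day" step done by a script rather than by memory.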
Get your email security sorted
Email is the main way attackers get into small businesses. Phishing emails are getting better and harder to spot. But there are technical controls you can put in place to reduce the risk.
SPF (Sender Policy Framework) tells receiving email servers which servers are allowed to send email on behalf of your domain. Without it, anyone can send emails pretending to be from your company.
DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails so receiving servers can verify the email has not been tampered with.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication. It also sends you reports about who is trying to send email using your domain.
These three things are DNS records that your IT provider can set up in an afternoon. They will not stop all phishing, but they will stop people from impersonating your email domain, and they will improve your email deliverability too.
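To make the three records concrete, here is an added example (not from the original post) that parses SPF, DKIM and DMARC TXT records and flags the weak settings that commonly get left behind: an SPF record ending in `+all`, a DKIM selector with no key, or a DMARC policy still on `p=none` with no reporting address. The domain, selector and record values are constructed, and `lookup_txt` is a stand-in for a real DNS query.

```python
# Added example (not from the original post): flag weak SPF, DKIM and DMARC
# settings. The records below are constructed for a hypothetical domain.
SAMPLE_DNS = {
    "example.co.uk": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"],
    "selector1._domainkey.example.co.uk": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}

def lookup_txt(name, dns):
    """Stand-in for a DNS TXT query; replace with a real resolver in production."""
    return dns.get(name, [])

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain, dkim_selector, dns=SAMPLE_DNS):
    """Return a list of findings; an empty list means all three controls look sound."""
    findings = []
    spf = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record, so anyone can send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record, receivers treat this as an error")
    else:
        last = spf[0].split()[-1].lower()  # the 'all' mechanism should be the final term
        if last in ("+all", "all", "?all"):
            findings.append(f"SPF: ends with '{last}', which lets any server send as you")
        elif last not in ("-all", "~all"):
            findings.append("SPF: no closing 'all' term, so unlisted senders are not rejected")
    dkim = lookup_txt(f"{dkim_selector}._domainkey.{domain}", dns)
    if not dkim or not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM: selector has no public key, so signatures cannot be verified")
    dmarc = lookup_txt(f"_dmarc.{domain}", dns)
    if not dmarc:
        findings.append("DMARC: no _dmarc record, so receivers get no policy or report address")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") == "none":
            findings.append("DMARC: p=none only monitors; mail that fails checks is still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you will not receive aggregate reports")
    return findings
```

Run against the sample records, the only finding is the DMARC policy sitting on `p=none`, which is the usual state a domain is left in after the initial setup and before anyone moves it to quarantine or reject.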
Train your staff (without being annoying about it)
You do not need a three-hour annual security awareness lecture that everyone sleeps through. What you need is regular, short, practical training.
- Show people what phishing emails actually look like. Use real examples.
- Teach them to check the sender address, not just the display name.
- Make it easy to report suspicious emails. One click to forward to IT.
- Run occasional phishing simulations so people stay alert.
- Keep it practical and blame-free. If someone clicks a phishing link, the response should be "thanks for reporting it", not "you idiot".
The goal is to build a culture where people feel comfortable asking "is this email real?" rather than either clicking everything or being so paranoid they cannot use email at all.
Stop reusing passwords
This one is simple. If someone uses the same password for their work email and their personal shopping account, and that shopping site gets breached (which happens constantly), attackers now have their work email password.
The fix:
- Use a password manager (Bitwarden, 1Password, or the one built into your browser). It generates and stores unique passwords for every site.
- Every account should have a different password. The password manager handles the complexity.
- Set a policy that work passwords must be unique and not reused from personal accounts.
Combined with MFA, this makes it extremely difficult for someone to break into your accounts through stolen credentials.
Start with what matters most
If you do nothing else, turn on MFA for Microsoft 365 and your accounting software today. That alone will block the majority of account compromise attacks. Then work through the rest of this list over the next few weeks. None of it requires a big budget. Most of it is just configuration and process rather than buying expensive products.