Cybersecurity Basics for Small Businesses: Protecting Your Software and Data
Small businesses are disproportionately targeted by cybercriminals. This is not because they are more valuable targets individually — they are not — but because they are considerably easier targets than larger organisations. Enterprise businesses invest heavily in security infrastructure, security teams, and employee training. Small businesses often have none of these, relying instead on default settings and hope. Cybercriminals know this, and they exploit it systematically.
The good news is that basic cybersecurity measures are not expensive, technically complex, or time-consuming. The majority of successful attacks against small businesses exploit known vulnerabilities, weak passwords, and unpatched software — all things that are preventable with straightforward practices. This guide covers the fundamentals.
Understand Your Threat Landscape
The threats that actually affect small UK businesses are dominated by three categories:
Phishing
Phishing is the use of fraudulent communications — typically emails, but increasingly SMS texts and phone calls — to trick employees into revealing credentials, clicking malicious links, or transferring money. Phishing is responsible for the majority of successful attacks against businesses of all sizes. Modern phishing emails are often very convincing, impersonating trusted organisations (HMRC, Companies House, suppliers, banks, Microsoft, BT) with high visual fidelity.
Business email compromise (BEC) is a particularly costly variant where attackers either compromise a real email account or send emails convincingly impersonating a senior executive, supplier, or client to request fraudulent payments.
Ransomware
Ransomware encrypts your files and demands payment for the decryption key. It is typically deployed after initial access is gained through phishing, exploitation of unpatched software, or attacks on Remote Desktop Protocol (RDP) services exposed to the internet. Most ransomware operators now also copy data out before encrypting it and threaten to publish it, so a good backup restores your operations but does not by itself make the incident go away. For small businesses without proper backups, a ransomware attack can be catastrophic, and even with backups, recovery takes time and costs money.
Software Exploitation
Unpatched vulnerabilities in operating systems, web browsers, email clients, and other software are exploited by attackers who scan the whole internet for vulnerable systems at scale. A business running Windows 7 (long past end of support) or a Windows 10 or 11 machine that is months behind on updates is exposing known vulnerabilities for which working exploit code is freely available online, and those scans will find it.
Foundational Defences
1. Keep Software Updated
Software updates, particularly security patches, are the single most important thing you can do to reduce your attack surface. The vast majority of successful exploitation attacks target vulnerabilities for which patches already exist — attackers take advantage of organisations that have not applied available fixes.
Windows 11 Professional installs security updates automatically by default; check under Settings, then Windows Update, that updates have not been paused, and under Advanced options turn on "Receive updates for other Microsoft products" so that Office is patched as well. Enable updates for all other installed software, including browsers and any line-of-business applications. Many applications have auto-update settings that are off by default: turn them on, or create a regular schedule for manual checking.
Running current, supported versions of your operating system is fundamental. Windows 11 Professional is currently supported and receives regular security updates. Using a supported operating system is not optional from a security perspective — it is foundational.
2. Use Strong, Unique Passwords with a Password Manager
Weak passwords are the second most common entry point for attackers, behind phishing. Password attacks (brute force and credential stuffing using leaked password lists) are fully automated and run continuously against any internet-facing login.
The solution is strong, unique passwords for every account, managed through a password manager. Strong means long (16+ characters), random, and not based on dictionary words or predictable patterns. Unique means every service gets a different password — if one service is breached and your password is exposed, attackers will try that password on other services, and if you reuse passwords, they will succeed.
Password managers like Bitwarden (free, open source), 1Password, or Dashlane generate and store complex passwords so you only need to remember one master password. This is not a compromise: using a password manager is more secure than trying to remember passwords manually, because human-chosen passwords are almost always weaker than machine-generated ones. Protect the manager itself with a long master passphrase and MFA, since it now holds the keys to everything else.
3. Enable Multi-Factor Authentication Everywhere
Multi-factor authentication (MFA) requires a second verification step, typically a code from an authenticator app, a hardware security key, or a biometric, in addition to a password. If an attacker obtains your password through phishing or a data breach, they still cannot sign in without the second factor. One caveat: a convincing phishing page can relay a one-time code to the real site in real time, and attackers also bombard users with push-notification prompts hoping one gets approved. Hardware security keys and passkeys are bound to the genuine site and resist both, so use them for the accounts that matter most.
Enable MFA on: email (this is the most critical, because access to email allows resetting passwords on virtually everything else), Microsoft accounts, Google accounts, banking and financial services, domain registrars, hosting providers, and any cloud service containing important data or systems. Time-based one-time passwords (TOTP) from apps like Microsoft Authenticator or Authy are free and widely supported, and are a large improvement over SMS codes, which can be intercepted through SIM-swap fraud.
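To make the "second factor" concrete, here is the algorithm behind those six-digit codes, TOTP (RFC 6238), generated and checked in PowerShell. This is an added example written for this page, not code from the original guide or from any authenticator app. The base32 secret is the published RFC 6238 test key, not a real account's; the verifier accepts one 30-second step either side of the current one to tolerate phone clock drift, and compares the whole code without an early exit so timing does not reveal how many digits matched.

```powershell
# Added example: RFC 6238 TOTP generated and verified in PowerShell.
# The secret is the RFC 6238 test key, base32-encoded the way a service
# presents it in the enrolment QR code. Works on Windows PowerShell 5.1 and 7.

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Base32.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character: $c" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Moving factor: number of $Step-second intervals since the Unix epoch,
    # encoded as an 8-byte big-endian counter (HOTP, RFC 4226, over time steps).
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1
    $hmac.Key = $Key
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()
    # Dynamic truncation: 4 bytes starting at the offset given by the last nibble,
    # with the top bit cleared so the result is a positive 31-bit integer.
    $offset = $hash[19] -band 0x0F
    $code = (($hash[$offset] -band 0x7F) -shl 24) -bor
            ($hash[$offset + 1] -shl 16) -bor
            ($hash[$offset + 2] -shl 8) -bor
            $hash[$offset + 3]
    $mod = [int][math]::Pow(10, $Digits)
    return ($code % $mod).ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string]$Code,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Window = 1
    )
    # Accept the current step and $Window steps either side (clock drift).
    # Every candidate is compared in full; no early exit on the first mismatch.
    $ok = $false
    for ($w = -$Window; $w -le $Window; $w++) {
        $candidate = Get-Totp -Key $Key -UnixTime ($UnixTime + 30 * $w) -Digits $Code.Length
        $diff = 0
        for ($i = 0; $i -lt $Code.Length; $i++) {
            $diff = $diff -bor ([int][char]($candidate[$i]) -bxor [int][char]($Code[$i]))
        }
        if ($diff -eq 0) { $ok = $true }
    }
    return $ok
}

# RFC 6238 test key "12345678901234567890" in base32
$key = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-Totp -Key $key -UnixTime 59 -Digits 8
Get-Totp -Key $key -UnixTime 1111111109 -Digits 8

$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$code = Get-Totp -Key $key -UnixTime $now
Test-Totp -Key $key -Code $code -UnixTime ($now + 29)    # within the drift window
Test-Totp -Key $key -Code $code -UnixTime ($now + 120)   # four steps later: rejected
```

The two fixed-time calls can be checked against RFC 6238 Appendix B, which lists 94287082 for time 59 and 07081804 for time 1111111109 with SHA-1 and eight digits. The shared secret is the whole security of the scheme: a phishing page that captures both the password and the current code within the 30-second window gets in, which is why the section above steers the most sensitive accounts towards security keys or passkeys.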
4. Regular, Tested Backups
Backups are your insurance policy against ransomware, hardware failure, accidental deletion, and any other data loss event. Backups that are not regularly tested may fail when you need them most — test your backup restoration procedure at least quarterly.
The 3-2-1 backup rule is a useful framework: three copies of your data, on two different types of storage, with one copy off-site (or in a separate cloud account). For a small business, this might mean: working data on your main machine, backed up to an external drive in the office, plus an automated backup to a cloud service (Backblaze, Wasabi, or similar).
Critical: your backup must not be accessible from the same machine and credentials as your primary data. Ransomware routinely deletes or encrypts backup drives connected to infected machines, and operators will reach cloud backups if the credentials are saved in a browser on the infected machine. Use separate credentials for cloud backups, turn on versioning or object lock (both Backblaze B2 and Wasabi offer it) so that an encrypted copy cannot overwrite the last good one, and keep external drives disconnected when not backing up.
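The quarterly restore test mentioned above is easy to automate. The following is an added example written for this page, not part of the original guide or of any backup product: Compress-Archive stands in for whatever backup tool you actually use, and the paths and sample files are constructed for the demonstration. The part that matters is the comparison at the end, which records a SHA-256 hash of every original file, restores the archive somewhere else, and fails loudly if anything is missing or altered.

```powershell
# Added example: a scripted restore test. Replace Compress-Archive/Expand-Archive
# with your backup tool's own backup and restore steps; keep the hash comparison.

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Archive,
        [Parameter(Mandatory)][string]$RestoreTo
    )
    $src = (Resolve-Path $Source).Path.TrimEnd('\')

    # Hash every file before backing up, so the check is against the originals
    $expected = @{}
    foreach ($f in Get-ChildItem $src -Recurse -File) {
        $rel = $f.FullName.Substring($src.Length + 1)
        $expected[$rel] = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
    }

    # Back up, then restore to a location other than the original
    if (Test-Path $Archive)   { Remove-Item $Archive -Force }
    if (Test-Path $RestoreTo) { Remove-Item $RestoreTo -Recurse -Force }
    Compress-Archive -Path (Join-Path $src '*') -DestinationPath $Archive
    Expand-Archive -Path $Archive -DestinationPath $RestoreTo

    # Compare every restored file against the recorded hash
    $failures = foreach ($rel in $expected.Keys) {
        $restored = Join-Path $RestoreTo $rel
        if (-not (Test-Path $restored)) { "missing: $rel"; continue }
        if ((Get-FileHash $restored -Algorithm SHA256).Hash -ne $expected[$rel]) { "altered: $rel" }
    }
    [pscustomobject]@{
        Files    = $expected.Count
        Failures = @($failures)
        Passed   = ($expected.Count -gt 0 -and @($failures).Count -eq 0)
    }
}

# Constructed demonstration data under %TEMP% (assumed paths)
$demo = Join-Path $env:TEMP 'restore-test'
New-Item -ItemType Directory -Path "$demo\source\invoices" -Force | Out-Null
'Invoice 0001, 1,200.00' | Set-Content "$demo\source\invoices\0001.txt"
'name,email'             | Set-Content "$demo\source\customers.csv"
Test-BackupRestore -Source "$demo\source" -Archive "$demo\backup.zip" -RestoreTo "$demo\restored"
```

Run it from Task Scheduler and alert on Passed being false. For the real test, restore from the off-site copy onto a machine that is not the backup source, using the backup account's own credentials, which also proves that the separate credentials in the paragraph above actually work.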
5. Use Windows 11’s Built-in Security Features
Windows 11 Professional includes a comprehensive set of security features that many small businesses leave in default or disabled states:
- Microsoft Defender Antivirus — enabled by default on Windows 11. It is a genuinely capable free antivirus that consistently scores well in independent testing. Ensure it is kept updated and not disabled by incompatible third-party security software.
- Windows Defender Firewall — the built-in firewall should be enabled and blocking inbound connections by default. Review any exceptions that have been added over time and remove those that are not needed.
- BitLocker Drive Encryption — available in Windows 11 Pro, BitLocker encrypts the entire drive so that data is protected if a laptop is lost or stolen. Enable it on all mobile devices and consider it for desktop machines containing sensitive data. Store your BitLocker recovery key in a safe location separate from the device.
- Windows Hello — biometric or PIN-based sign-in for the device. The PIN is backed by the machine's TPM chip and only works on that device, so it is safer for device access than a password that can be phished or reused elsewhere.
- SmartScreen — checks downloaded files and visited sites against Microsoft's reputation data and blocks or warns on known-malicious ones. Keep it on for both Edge and file downloads.
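Most of the items in this list, and the patch state from "Keep Software Updated" above, can be read in one go rather than clicked through. The script below is an added example written for this page, not from the original guide or from Microsoft; it is read-only and uses only built-in cmdlets, but needs an elevated PowerShell because Get-BitLockerVolume requires administrator rights. The 35-day staleness threshold is an assumption based on the monthly Patch Tuesday cadence.

```powershell
# Added example: read-only baseline check for Windows 11 Pro. Run elevated.

function Get-BaselineReport {
    $r = [ordered]@{}

    # Operating system build and most recently installed update
    $os = Get-CimInstance Win32_OperatingSystem
    $r['OS'] = "$($os.Caption) build $($os.BuildNumber)"
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($last) {
        $r['Last update']   = "$($last.HotFixID) on $($last.InstalledOn.ToString('yyyy-MM-dd'))"
        $r['Updates stale'] = ((Get-Date) - $last.InstalledOn).Days -gt 35   # assumption: one missed monthly cycle
    } else {
        $r['Last update']   = 'none recorded'
        $r['Updates stale'] = $true
    }

    # Microsoft Defender Antivirus: enabled, real-time protection on, fresh signatures
    $mp = Get-MpComputerStatus
    $r['Defender AV enabled']  = $mp.AntivirusEnabled
    $r['Real-time protection'] = $mp.RealTimeProtectionEnabled
    $r['Signature age (days)'] = $mp.AntivirusSignatureAge

    # Windows Defender Firewall: every profile enabled and blocking inbound by default
    foreach ($p in Get-NetFirewallProfile) {
        $r["Firewall $($p.Name)"] = "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
    }
    # Installers add inbound allow rules over time; this count is the review list
    $r['Inbound allow rules'] = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True).Count

    # BitLocker on the system drive
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r['BitLocker OS drive'] = "$($bl.ProtectionStatus) ($($bl.VolumeStatus))"

    # SmartScreen for apps and downloads (Explorer setting)
    $ss = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $r['SmartScreen'] = if ($ss) { $ss.SmartScreenEnabled } else { 'not set (default: on)' }

    return [pscustomobject]$r
}

Get-BaselineReport | Format-List
```

Anything reporting False, Off, a signature age in double digits, or a stale update is the item to fix first. Running this on each machine and keeping the output alongside the software inventory gives a small business a credible answer to "are the basics in place" without buying a management product.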
6. Email Security
Email is the primary attack vector for most small business attacks. Practical email security measures include:
- Enable MFA on all email accounts (as discussed above)
- Configure SPF, DKIM, and DMARC DNS records for your domain. SPF lists the servers allowed to send mail as your domain, DKIM signs each message so that forgery or tampering is detectable, and DMARC tells receiving mail systems what to do with messages that fail both checks. Start with p=none to collect reports, then move to p=quarantine and p=reject; until the DMARC policy is enforced, these records do not actually stop anyone spoofing your domain
- Be suspicious of unexpected emails asking for action — particularly those claiming urgency, involving financial transactions, or requesting credentials
- Verify payment requests and account changes through a separate communication channel (phone call to a known number, not a number in the suspicious email)
- Avoid clicking links in emails when you can navigate directly to the site instead
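The SPF and DMARC records in the second bullet are short text strings, and the mistakes that leave a domain spoofable are visible just by reading them. The following added example, written for this page rather than taken from the original guide, lints constructed sample records for those mistakes and shows a tightened version beside each weak one. The example.com addresses are placeholders, and the Microsoft 365 include is used only because it is the commonest one for small businesses. DKIM is not linted here because its correctness is only observable per message at the receiving end.

```powershell
# Added example: spot weak SPF and DMARC settings. Sample records are
# constructed; the commented lines at the end fetch your own via Resolve-DnsName.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=spf1(\s|$)') { return @('Not an SPF record: must begin with v=spf1') }
    $terms = @($Record -split '\s+' | Select-Object -Skip 1)
    $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' })[-1]
    if (-not $all)                  { $findings += 'Weak: no "all" term, so mail from unlisted servers is neither failed nor flagged' }
    elseif ($all -match '^\+?all$') { $findings += 'Weak: "+all" authorises every server on the internet to send as your domain' }
    elseif ($all -eq '?all')        { $findings += 'Weak: "?all" (neutral) tells receivers nothing' }
    elseif ($all -eq '~all')        { $findings += 'Acceptable: "~all" (softfail); move to "-all" once every legitimate sender is listed' }
    # RFC 7208 allows at most 10 DNS-querying terms (include, a, mx, ptr, exists,
    # redirect). Beyond that receivers return permerror and the record protects nothing.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a(:|$)|mx(:|$)|ptr|exists:)|^redirect=' }).Count
    if ($lookups -gt 10) { $findings += "Broken: $lookups lookup terms exceed the limit of 10" }
    if ($findings.Count -eq 0) { $findings += 'OK: strict SPF (-all) within the lookup limit' }
    return $findings
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=DMARC1\s*;') { return @('Not a DMARC record: must begin with v=DMARC1;') }
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $p = [string]$tags['p']
    if ($p -eq 'none')           { $findings += 'Weak: p=none only reports; spoofed mail is still delivered' }
    elseif ($p -eq 'quarantine') { $findings += 'Acceptable: p=quarantine; move to p=reject once reports show no legitimate mail failing' }
    elseif ($p -ne 'reject')     { $findings += 'Invalid: p= tag missing or unrecognised, so receivers ignore the record' }
    if (-not $tags.ContainsKey('rua')) { $findings += 'Missing rua=; without aggregate reports you cannot see who is spoofing you or what you broke' }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) { $findings += "Partial: pct=$($tags['pct']) applies the policy to only that percentage of mail" }
    if ($findings.Count -eq 0) { $findings += 'OK: enforcing DMARC with reporting' }
    return $findings
}

# Constructed samples: the weak record beside its corrected form
$samples = [ordered]@{
    'SPF, weak'     = 'v=spf1 include:spf.protection.outlook.com +all'
    'SPF, strict'   = 'v=spf1 include:spf.protection.outlook.com -all'
    'DMARC, weak'   = 'v=DMARC1; p=none'
    'DMARC, strict' = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s'
}
foreach ($name in $samples.Keys) {
    $fn = if ($name -like 'SPF*') { 'Test-SpfRecord' } else { 'Test-DmarcRecord' }
    Write-Host "[$name] $($samples[$name])"
    & $fn -Record $samples[$name] | ForEach-Object { Write-Host "    $_" }
}

# Live check of your own domain (needs network; example.com is a placeholder):
# Test-SpfRecord   -Record ((Resolve-DnsName example.com -Type TXT | Where-Object Strings -like 'v=spf1*').Strings -join '')
# Test-DmarcRecord -Record ((Resolve-DnsName _dmarc.example.com -Type TXT).Strings -join '')
```

The rua= address matters more than it looks: the aggregate reports are how you discover the invoicing service or marketing tool that sends as your domain before you switch to p=reject and silently break it.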
7. Manage Remote Access Carefully
Remote Desktop Protocol (RDP) attacks are a significant and growing threat to small businesses. RDP allows remote access to Windows machines and is extremely useful for IT support and remote working, but if exposed to the internet with weak credentials, it is routinely exploited.
Do not expose RDP directly to the internet. If remote access is needed, put it behind a VPN (the remote user connects to the VPN first, then reaches the machine through the tunnel) or a Remote Desktop Gateway, which is a Windows Server role rather than a Windows 11 Pro feature. On the machine itself, require Network Level Authentication and scope the Remote Desktop firewall rule to the VPN address range rather than leaving it open to any address. Use strong passwords, an account lockout policy, and MFA on any remote access solution.
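The two questions to answer for every machine are "does it accept RDP at all?" and "from where?". The script below is an added example written for this page, not from the original guide or from Microsoft. It reads the Terminal Server registry keys and the Remote Desktop firewall rules to report the current exposure, then offers one function to either turn RDP off or keep it with Network Level Authentication and a firewall scope. The 10.8.0.0/24 range is an assumed VPN subnet; substitute your own. Run it elevated.

```powershell
# Added example: report and restrict Remote Desktop on this machine. Run elevated.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    $deny = (Get-ItemProperty $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    $port = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    # Remote addresses accepted by the enabled inbound Remote Desktop rules
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }
    [pscustomobject]@{
        RdpEnabled       = ($deny -eq 0)
        NlaRequired      = ($nla -eq 1)
        Listening        = [bool]$listener
        Port             = $port
        FirewallRemote   = @($scopes | Sort-Object -Unique) -join ', '
        OpenToAnyAddress = [bool]($scopes | Where-Object { $_ -eq 'Any' })
    }
}

function Limit-RdpAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Leave empty to switch Remote Desktop off entirely
        [string[]]$AllowedFrom = @()
    )
    if ($AllowedFrom.Count -eq 0) {
        if ($PSCmdlet.ShouldProcess('Remote Desktop', 'Disable')) {
            Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        }
        return
    }
    if ($PSCmdlet.ShouldProcess('Remote Desktop', "Require NLA; allow only $($AllowedFrom -join ', ')")) {
        # Network Level Authentication: credentials are checked before a session exists
        Set-ItemProperty "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
        # Scope the Remote Desktop rules to the VPN range instead of 'Any'
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedFrom
        # Slow down password guessing against the accounts that are allowed in
        net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null
    }
}

Get-RdpExposure
# Limit-RdpAccess -AllowedFrom '10.8.0.0/24'   # keep RDP for VPN users only (assumed subnet)
# Limit-RdpAccess                              # RDP not needed on this machine: turn it off
```

A report showing RdpEnabled, Listening and OpenToAnyAddress all True on a machine whose router forwards port 3389 is exactly the configuration ransomware crews scan for. Note that NLA and the firewall scope protect the machine, not the VPN; the VPN account still needs the strong password and MFA from the previous sections.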
Employee Security Awareness
Technical controls can be circumvented by a single employee clicking a phishing link or responding to a social engineering call. Security awareness training is essential. This does not need to be expensive — NCSC Cyber Aware (free from the UK National Cyber Security Centre), simulated phishing campaigns, and regular internal briefings all build the human firewall alongside the technical one.
The NCSC also offers the Cyber Essentials certification scheme, a UK government-backed baseline cybersecurity standard that small businesses can achieve at reasonable cost and which demonstrates a credible security posture to clients and partners. It is worth investigating if your business handles sensitive client data or wants to tender for government contracts.
Conclusion
Effective small business cybersecurity does not require enterprise budgets or specialist expertise. Patched software, strong unique passwords managed through a password manager, MFA on all critical accounts, tested backups with off-site copies, and Windows 11’s built-in security features activated and configured correctly provide a solid foundation that will prevent the vast majority of attacks that target small businesses. The investment is modest; the potential cost of a successful attack — in lost data, operational disruption, reputational damage, and potential regulatory consequences — is far greater.
Physical Security: The Overlooked Layer
Digital security measures can all be bypassed by physical access. An attacker who can sit at an unlocked, logged-in machine, or who can walk out with an unencrypted hard drive, has bypassed every piece of security software you have installed. Physical security basics include:
- Screen lock on inactivity — Windows 11 locks the screen after a set idle period through the screen saver setting (Settings, then Personalisation, then Lock screen, then Screen saver, with "On resume, display logon screen" ticked) or, on Pro, through the "Interactive logon: Machine inactivity limit" security policy. Set this to five or ten minutes maximum. Train staff to lock their screens manually (Win+L) when leaving their desk, even briefly.
- Visitor access control — visitors to your office should not be left unattended near computers or server equipment. It takes seconds to insert a USB drive with malicious software.
- Laptop physical security — laptops taken to client sites and public spaces should either be kept in sight at all times or physically secured. Kensington lock slots on laptops can be used with a cable lock in fixed locations.
- Server room access — if you have on-premises servers, the room or rack they are housed in should be physically secured with access restricted to those who have a business reason to be there.
Software Inventory and Update Management
Maintaining a complete inventory of installed software on all business machines is a cybersecurity measure as much as a licence management measure. Software that is installed but not used is still a potential attack surface if it contains vulnerabilities and is not being updated. Regularly reviewing installed software and removing applications that are no longer needed reduces the attack surface without any other effort.
Pay particular attention to:
- Browser extensions and plugins — these have broad access to browser data and are a common vector for malicious code. Review and remove any that are not actively needed.
- Remote access tools — tools like TeamViewer, AnyDesk, and similar that may have been installed for a specific purpose and forgotten provide a persistent access route to your machines.
- Java and Flash runtimes — these have historically been among the most frequently exploited components. Adobe Flash reached end of life in December 2020 and should not be present at all; remove Java unless a specific application needs it, and keep it updated if one does.
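An inventory is only useful if it is produced the same way every time and flags the three categories above automatically. The script below is an added example written for this page, not from the original guide: it reads the registry Uninstall keys that "Installed apps" is built from, exports the list to CSV, flags matches against name patterns (the pattern lists are assumptions; extend them for tools you know of), and enumerates Edge and Chrome extensions with the permissions each one holds.

```powershell
# Added example: software inventory, risky-install flags, and browser extensions.

function Get-InstalledSoftware {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Find-RiskyInstalls {
    param([Parameter(ValueFromPipeline)]$App)
    begin {
        # Assumed name patterns for the categories the section calls out
        $patterns = [ordered]@{
            'Remote access tool' = 'TeamViewer|AnyDesk|LogMeIn|Splashtop|ScreenConnect|ConnectWise|VNC|RustDesk'
            'Legacy runtime'     = '^Java|Adobe Flash|Shockwave|Silverlight'
        }
    }
    process {
        foreach ($flag in $patterns.Keys) {
            if ($App.DisplayName -match $patterns[$flag]) {
                [pscustomobject]@{ Flag = $flag; Name = $App.DisplayName; Version = $App.DisplayVersion; Publisher = $App.Publisher }
            }
        }
    }
}

function Get-BrowserExtensions {
    # Each installed extension lives under <id>\<version>\manifest.json in the profile
    $roots = @{
        Edge   = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
        Chrome = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
    }
    foreach ($browser in $roots.Keys) {
        if (-not (Test-Path $roots[$browser])) { continue }
        foreach ($ext in Get-ChildItem $roots[$browser] -Directory) {
            $manifest = Get-ChildItem $ext.FullName -Recurse -Filter manifest.json | Select-Object -First 1
            if (-not $manifest) { continue }
            $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Browser     = $browser
                Id          = $ext.Name
                Name        = $m.name   # "__MSG_..__" means a localised name; look the Id up in the store
                Permissions = (@($m.permissions) + @($m.host_permissions)) -join ', '
            }
        }
    }
}

$inventory = Get-InstalledSoftware
$inventory | Export-Csv "$env:USERPROFILE\software-inventory-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
$inventory | Find-RiskyInstalls | Format-Table -AutoSize
Get-BrowserExtensions | Sort-Object Browser, Name | Format-Table -AutoSize
```

Extensions whose permissions include "<all_urls>", "tabs", "webRequest" or "cookies" can read and change everything the user sees in the browser, including webmail and online banking; those are the ones to justify or remove. Keep each dated CSV so that the next review can be a diff rather than a fresh read-through.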
Incident Response: What to Do When Something Goes Wrong
Despite best efforts, security incidents do occur. Having a basic incident response plan before an incident happens significantly reduces the damage:
- Isolate the affected machine — disconnect it from the network immediately (unplug the Ethernet cable and disable Wi-Fi) to prevent the spread of any malware to other machines or your network shares.
- Do not pay ransomware demands — payment does not guarantee decryption and funds further criminal activity. Report the incident to Action Fraud (or to Police Scotland if you are in Scotland), follow the National Cyber Security Centre (NCSC) guidance at ncsc.gov.uk, and restore from backup.
- Document what happened — keep a log of what was observed, when, and what actions were taken. This is needed for insurance claims and potentially for reporting to the Information Commissioner’s Office (ICO) under GDPR.
- GDPR reporting obligations — if a security incident involves personal data of employees, customers, or other individuals and is likely to result in a risk to them, UK GDPR requires you to report it to the ICO within 72 hours of becoming aware of it; where the risk is high, you must also tell the affected individuals. Take this obligation seriously, and remember that ransomware which copied data before encrypting it is a breach of confidentiality, not just of availability. Failure to report can compound the legal consequences.
- Review and improve — after recovery, understand how the incident occurred and what change would have prevented it. Implement that change.
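The first two items above, isolating the machine and documenting what happened, pull in opposite directions: once the cable is out, the evidence of who was connected and what was running is gone. The script below is an added example written for this page, not from the original guide or from the NCSC. It writes a timestamped snapshot of the volatile state (connections, processes, scheduled tasks, recent sign-ins) and an actions log to a folder you choose, then, if asked, disables every network adapter. The output path is an assumption; use removable media if the disk itself may be tampered with. Run it elevated, and expect to lose any remote session when the adapters go down.

```powershell
# Added example: capture volatile evidence, then isolate. Run elevated.

function Invoke-IncidentSnapshot {
    param(
        [Parameter(Mandatory)][string]$OutDir,
        [switch]$Isolate
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmmss'
    $dir = Join-Path $OutDir "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $log = Join-Path $dir 'actions.log'
    "$(Get-Date -Format o) snapshot started by $env:USERNAME on $env:COMPUTERNAME" | Add-Content $log

    # Who is this machine talking to, and which process owns each connection
    Get-NetTCPConnection | Where-Object { $_.State -in 'Established', 'SynSent' } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv (Join-Path $dir 'connections.csv') -NoTypeInformation
    # Running processes with their on-disk paths
    Get-Process | Select-Object Id, ProcessName, Path, StartTime, Company |
        Export-Csv (Join-Path $dir 'processes.csv') -NoTypeInformation
    # Scheduled tasks are a common persistence mechanism
    Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        Select-Object TaskName, TaskPath, Author, @{n='Action'; e={ $_.Actions.Execute -join ' ' }} |
        Export-Csv (Join-Path $dir 'scheduled-tasks.csv') -NoTypeInformation
    # Sign-ins in the last 24 hours: 4624 = logon, 4625 = failed logon.
    # Properties[5] is the target account name in both event types.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n='Account'; e={ $_.Properties[5].Value }} |
        Export-Csv (Join-Path $dir 'logons.csv') -NoTypeInformation
    "$(Get-Date -Format o) snapshot written to $dir" | Add-Content $log

    if ($Isolate) {
        foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
            Disable-NetAdapter -Name $nic.Name -Confirm:$false
            "$(Get-Date -Format o) disabled adapter $($nic.Name)" | Add-Content $log
        }
    }
    return $dir
}

# Assumed output path: a USB drive kept for this purpose
Invoke-IncidentSnapshot -OutDir 'E:\incident' -Isolate
```

Do not power the machine off: encryption keys and running malware live in memory, and a specialist may be able to recover more from a live, isolated machine than from one that has been rebooted. The actions log is the start of the record the ICO and your insurer will ask for.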
The NCSC’s small business guidance at ncsc.gov.uk/section/small-medium-organisations is free, practical, and authoritative. It is well worth reading in its entirety — it covers exactly the threats and defences most relevant to small UK businesses.