Quick answer: MFA everywhere, current patching, proper backups, email security, and staff awareness. Get these five right and you've blocked most attacks.
The Non-Negotiables
1. Multi-Factor Authentication (MFA)
What: A second verification step beyond passwords—usually an app on your phone.
Where: Everywhere. Email, VPN, cloud services, admin accounts. Everything.
Why: MFA blocks the vast majority of account takeover attacks. Stolen passwords become useless without the second factor.
Cost: Free with most services. Just enable it.
2. Patching and Updates
What: Keep all software current—operating systems, applications, firmware.
Why: Most attacks exploit known vulnerabilities that patches fix. Unpatched systems are easy targets.
Reality: This sounds simple but is where most businesses fail. That server running Windows 2012. The firewall firmware from 2019. The software nobody uses but is still installed.
Cost: Free, but needs discipline and process.
3. Proper Backups
What: Regular backups of your data, stored somewhere ransomware can't reach.
Why: When (not if) something goes wrong—ransomware, accidental deletion, hardware failure—backups are your recovery path.
Critical: Backups must be offline or immutable. If ransomware can encrypt your backups, you don't have backups.
Cost: £5-15 per user per month for proper cloud backup.
4. Email Security
What: Protection against phishing, malware, and impersonation attacks.
Why: Most attacks arrive by email. Phishing is how credentials get stolen. Malicious attachments are how ransomware gets in.
Minimum: SPF, DKIM, DMARC configured. Spam filtering. Link and attachment scanning.
Better: Advanced threat protection with sandboxing and AI-based detection.
Cost: Basic is free (DMARC, built-in M365 filtering). Advanced is £2-5 per user per month.
5. Staff Awareness
What: Training your people to recognise and report threats.
Why: Technology catches most attacks, but some get through. Your people are the last line of defence—or the weakest link.
Reality: Annual compliance training isn't enough. Regular, short, relevant training works better.
Cost: £1-3 per user per month for training platforms.
The Next Level
Once you have the basics solid:
Endpoint Detection & Response (EDR): Better than traditional antivirus. Detects suspicious behaviour, not just known malware. £3-8 per device per month.
DNS Filtering: Blocks connections to known malicious sites before they load. Works everywhere—office, home, mobile. £1-2 per user per month.
Vulnerability Scanning: Automated scanning to find weaknesses before attackers do. £2-5 per device per month.
What You Don't Need (Yet)
Small businesses often get sold expensive tools they don't need:
- SIEM - Useful for larger organisations, overkill for most SMEs unless compliance requires it
- Penetration testing - Valuable, but fix the basics first
- Security Operations Centre - Consider once you have 50+ employees or specific requirements
Our Approach
For smaller businesses, we focus on getting the fundamentals right. Our managed service includes:
- MFA enforced across all accounts
- Automated patching with compliance reporting
- Microsoft 365 backup to UK data centres
- Email security with impersonation protection
- Regular security awareness training