7 March 2026 by Michael
Security, Small Business, IT Support

A seven-person business with no IT department and no security budget is exactly the kind of target that gets hit. Someone gets into an email account, sends invoices with different bank details to three customers, and walks off with thousands before anyone notices. It happens because these businesses assume they are too small to be worth targeting, which is precisely what makes them easy.

The UK government’s 2025 Cyber Security Breaches Survey found that 43% of UK businesses experienced a cyber attack in the previous twelve months, with the average cost for those that suffered financial loss coming in at around GBP 3,550 per incident. These are not headline attacks on banks. They are quiet, opportunistic hits on companies that left a door open.

None of what follows is expensive. Most of it is free.

Multi-factor authentication

MFA is the single most effective security measure a small business can implement.

Credentials from old data breaches get tested against thousands of login pages by automated tools constantly. If a Xero password is the same one used on a forum in 2019, that account is already exposed. MFA stops it dead. Compromised passwords become useless without the second factor.

Email is the master key. Whoever controls email can reset passwords on everything else: accounting software, CRM, supplier portals. Protecting email is the first priority, because it is the front door to everything.

Then work outward: banking, Microsoft 365 or Google Workspace, any system holding customer data or financial information. Most services offer MFA now and setup takes about ten minutes per account.

Phishing

Modern phishing is targeted, well-researched, and convincing. Perfect branding, correct sender names, references to real suppliers. The only tell might be a reply-to address off by one character.

Criminals scrape LinkedIn to identify finance staff, then send messages impersonating the managing director requesting urgent bank transfers. Training helps but does not make people infallible.

What works is layering defences: email filtering, SPF/DKIM/DMARC on the domain, and one simple rule that prevents real damage. If anyone asks for money or credentials by email, verify it by phone first. Every time, no exceptions.
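A concrete starting point for the SPF and DMARC part of that layering, as an added example rather than anything from the original post: a short Python script that takes the two TXT records as text and flags the weak settings beside the ones to aim for. The sample records, the reporting address and the include host are constructed; the tag names and the ten-lookup limit follow RFC 7489 (DMARC) and RFC 7208 (SPF). It does not query DNS, so it runs offline; paste in the records published for your own domain to check them.

```python
"""Sanity checks for SPF and DMARC TXT records, run offline on record text.

Added example; the records below are constructed and the rules follow
RFC 7208 (SPF) and RFC 7489 (DMARC). Live lookups (for instance with
dnspython) are deliberately left out so the checks run without network.
"""

SPF_MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms per evaluation

# Constructed examples: the weak record beside the one to aim for.
WEAK_SPF = "v=spf1 +all"
GOOD_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it is sound."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    return findings


def _needs_dns_lookup(term: str) -> bool:
    """True for SPF terms that cost a DNS query (a, mx, include, exists, ptr, redirect)."""
    name = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name in ("a", "mx", "include", "exists", "ptr", "redirect")


def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it is sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = [t.lower() for t in terms[1:]]
    if not mechanisms:
        return ["no mechanisms; evaluation defaults to neutral"]
    findings = []
    last = mechanisms[-1]
    if last in ("all", "+all"):
        findings.append("+all authorises every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("?all is neutral, which receivers must treat like having no SPF")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record does not end in -all or ~all; unmatched senders are not rejected")
    lookups = sum(1 for m in mechanisms if _needs_dns_lookup(m))
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms; more than {SPF_MAX_LOOKUPS} gives permerror")
    return findings


if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, assess_spf),
                                 ("good SPF", GOOD_SPF, assess_spf),
                                 ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("good DMARC", GOOD_DMARC, assess_dmarc)):
        print(f"{label}: {check(record) or 'no findings'}")
```

DKIM is not checked here because its record lives under a selector name that differs per mail provider; confirm it separately in the provider's admin console. A domain that passes both checks with `p=none` is still only monitoring, so the aim is to move to `p=quarantine` and then `p=reject` once the aggregate reports show legitimate mail is aligned.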

Password managers

Nobody can remember fifty different strong passwords. A password manager (Bitwarden and 1Password are both solid options) generates unique passwords for everything. Each team member gets their own vault. It costs a few pounds per person per month and eliminates password reuse overnight. Setup takes about three hours for a small team.

Backups

If ransomware encrypts files, backups that are not connected to the network are the only option besides paying the ransom.

The 3-2-1 rule works: three copies of data, on two different media types, with one copy offsite. That means the live system, a local backup, and a cloud backup. Automated daily. Critically, restores need regular testing. Businesses that discover their backups were silently failing only when they need them face a problem with no good solution.
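To make "restores need regular testing" concrete, here is an added example (not from the post or from any backup product) that archives a folder, restores it into a scratch directory, compares every file's SHA-256 with the original, and then truncates the archive to show what a job that reported success but wrote an unusable file looks like to the check. The sample files and paths are constructed and only the Python standard library is used. The same comparison applies to the offsite copy once it has been pulled back down.

```python
"""Backup and restore check: archive a folder, restore it elsewhere, and
compare every file's SHA-256 with the original.

Added example built on the standard library only; it is not the backup
feature of any product named in the post. demo() works entirely inside a
temporary directory with constructed sample files.
"""

import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def _hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> Path:
    """Write a gzip-compressed tar of src; this stands in for the local copy."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())
    return archive


def verify_restore(src: Path, archive: Path) -> dict:
    """Restore archive into a scratch directory and compare it with src.

    report["ok"] is True only when every source file comes back byte for
    byte. An unreadable archive is recorded in report["error"] rather than
    raised, because that is the silent failure a restore test exists to find.
    """
    report = {"ok": False, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Python 3.12+ accepts an extraction filter; older versions do not.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        expected = _hash_tree(src)
        restored = _hash_tree(Path(scratch))
    for rel, digest in expected.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupt"].append(rel)
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def demo() -> dict:
    """Back up constructed sample data, verify the intact archive, then
    truncate the archive to mimic a job that wrote junk but reported success."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "live"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "invoices.csv").write_text("id,amount\n1,120.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = make_backup(src, work / "local-backup.tar.gz")
        intact = verify_restore(src, archive)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 4])  # keep only the first quarter
        truncated = verify_restore(src, archive)
    return {"intact": intact, "truncated": truncated}


if __name__ == "__main__":
    for label, rep in demo().items():
        print(label, "OK" if rep["ok"] else f"FAILED {rep}")
```

Run it on a schedule against the real backup target rather than once by hand; a restore that worked in January says nothing about the archive written last night. Hashing the source at verification time, as here, assumes the data has not changed since the backup ran, so for live systems compare against a snapshot or accept that recently edited files will show as "corrupt" and need a second look.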

Software updates

Automatic updates everywhere. Windows, macOS, applications, router firmware. Updates patch security holes that criminals actively scan for. The same unpatched vulnerability gets exploited across multiple networks because people delay patching. This one is simple and boring and it matters.

Access control

Everyone gets the minimum access needed to do their job. When someone leaves, their access is removed the same day. Contractor accounts sitting active for months after a person has moved on represent months of unnecessary exposure.

Device security

Lost or stolen laptops are a common breach vector that gets overlooked. Full disk encryption (BitLocker on Windows, FileVault on macOS) ensures that a stolen device does not mean stolen data. Both are built into the operating system and take minutes to enable.

Screen lock timeouts should be set to five minutes or less. Automatic locking when a laptop lid closes should be on by default. For teams with company-issued phones, a mobile device management policy covering PIN requirements and remote wipe capability is worth the small setup cost.

Remote and hybrid teams increase the exposure. Work devices connecting to home networks and coffee shop WiFi need the same protections as devices inside an office.

Traditional VPNs solve part of this problem by encrypting the connection, but they have a fundamental weakness: once a device connects, it gets network access regardless of its security state. An unpatched laptop with no disk encryption and a disabled firewall gets the same access as a fully secured machine.

Mesh overlay networks like Tailscale and NetBird take a different approach. Instead of routing all traffic through a central VPN server, they create encrypted peer-to-peer connections between devices using WireGuard. More importantly, they support posture checking before a device is allowed to connect. Tailscale can verify OS version, client version, and encryption status, and integrates with endpoint security platforms like CrowdStrike and Intune for deeper checks. NetBird offers checks on OS version, running processes (verifying antivirus or endpoint protection is active), geolocation, and network range. A device that fails those checks gets blocked until the issues are resolved. NetBird offers a free tier for up to 5 users, making it accessible to small teams. Tailscale’s free plan is limited to personal use, but their paid plans start at a reasonable per-user rate for businesses.

Next-generation firewalls from providers like Fortinet, Palo Alto, and Check Point address a different layer of the problem. Where mesh networks control which devices can connect, NGFWs inspect the traffic itself. They perform deep packet inspection at the application layer, integrate intrusion prevention, and use threat intelligence to detect malicious activity that encrypted tunnels alone cannot see. Many also enforce device compliance, checking patch levels, encryption status, and endpoint protection before granting access. For businesses with a physical office or on-premises systems, an NGFW provides network-level visibility and protection that overlay networks are not designed to replace. Entry-level appliances like the Fortinet FortiGate 40F make this accessible to smaller organisations without enterprise budgets.

These tools are complementary rather than competing. Mesh networks handle secure remote connectivity with device compliance. NGFWs handle traffic inspection and threat prevention at the network boundary. Together they cover more ground than either approach alone.

WiFi security

Default router admin passwords are published online for every major manufacturer. Changing them is the first step. Using WPA3 encryption (or WPA2 at minimum) is the second.

Guest networks should be separate from the business network. Visitors, personal devices, and IoT equipment (printers, smart speakers, security cameras) should connect to a guest network that cannot reach internal systems. Most business-grade routers support this out of the box.

For businesses with physical offices, a quarterly check of connected devices reveals surprises. Unauthorised devices on the network are more common than most teams expect.
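One way to run that quarterly check, as an added example not taken from the post: compare the router's DHCP lease table against a device inventory keyed by MAC address, flagging anything not in the inventory and anything sitting on the wrong network segment (a camera that has ended up on the staff subnet instead of the guest one). The lease lines, MAC addresses, subnets and inventory are all constructed; the lease format follows dnsmasq's dhcp.leases file (expiry, MAC, IP, hostname, client-id), so adjust parse_leases to whatever your router or DHCP server exports.

```python
"""Compare devices seen on the office network against an asset inventory.

Added example; the lease lines, MACs, subnets and inventory are constructed.
The lease format mirrors dnsmasq's dhcp.leases (expiry, MAC, IP, hostname,
client-id); adapt parse_leases to the export your own router provides.
"""

import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: MAC -> (device name, segment it belongs on).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("laptop-michael", "staff"),
    "aa:bb:cc:00:00:02": ("laptop-sam", "staff"),
    "aa:bb:cc:00:00:03": ("printer-office", "guest"),
    "aa:bb:cc:00:00:04": ("camera-reception", "guest"),
}

# Constructed segments: business devices on one subnet, guests and IoT on another.
SEGMENTS = {
    "staff": ipaddress.ip_network("192.168.10.0/24"),
    "guest": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed lease table. One unknown phone and one camera on the wrong subnet.
LEASES = """\
1741600000 aa:bb:cc:00:00:01 192.168.10.21 laptop-michael 01:aa:bb:cc:00:00:01
1741600300 AA-BB-CC-00-00-02 192.168.10.22 laptop-sam *
1741600600 aa:bb:cc:00:00:03 192.168.20.40 printer-office *
1741600900 aa:bb:cc:00:00:04 192.168.10.41 camera-reception *
1741601200 de:ad:be:ef:00:99 192.168.10.77 android-7f3a *
"""


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str


def normalise_mac(mac: str) -> str:
    """Lower-case and colon-separate so exports in different styles compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_leases(text: str) -> list:
    """Parse dnsmasq-style lease lines; blank or short lines are skipped."""
    devices = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        devices.append(Device(normalise_mac(fields[1]), fields[2], fields[3]))
    return devices


def segment_of(ip: str, segments: dict = SEGMENTS) -> str:
    """Name of the segment an address falls in, or 'other' if none match."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return "other"


def audit(devices: list, inventory: dict, segments: dict = SEGMENTS) -> dict:
    """Report unknown devices, known devices on the wrong segment, and
    inventory entries that were not seen at all (possibly decommissioned)."""
    report = {"unknown": [], "misplaced": [], "absent": []}
    seen = set()
    for dev in devices:
        seen.add(dev.mac)
        entry = inventory.get(dev.mac)
        if entry is None:
            report["unknown"].append(dev)
            continue
        name, expected = entry
        actual = segment_of(dev.ip, segments)
        if actual != expected:
            report["misplaced"].append((dev, expected, actual))
    report["absent"] = sorted(mac for mac in inventory if mac not in seen)
    return report


if __name__ == "__main__":
    result = audit(parse_leases(LEASES), INVENTORY)
    for dev in result["unknown"]:
        print(f"UNKNOWN   {dev.mac} {dev.ip} ({dev.hostname})")
    for dev, expected, actual in result["misplaced"]:
        print(f"MISPLACED {dev.mac} {dev.hostname}: on {actual}, expected {expected}")
    for mac in result["absent"]:
        print(f"ABSENT    {mac} ({INVENTORY[mac][0]})")
```

A MAC address is easy to change, so this catches accidents and casual additions rather than a deliberate intruder; it is the quarterly tidy-up the paragraph describes, not an intrusion detection system. Keeping the inventory in version control alongside the script means each quarter's diff is a record of what changed.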

Cyber Essentials

Cyber Essentials is a UK government-backed certification that covers five core controls: firewalls, secure configuration, user access control, malware protection, and security update management. The self-assessment starts at GBP 320 plus VAT for the smallest organisations and provides a structured way to verify that the fundamentals are in place.

Some contracts, particularly with government or public sector organisations, require Cyber Essentials as a minimum. Beyond compliance, the process itself is useful. Working through the assessment identifies gaps that might otherwise go unnoticed.

Cyber Essentials Plus adds an independent technical audit and carries more weight with clients and partners who take security seriously.

Cyber insurance

Cyber insurance does not prevent attacks, but it reduces the financial impact when one succeeds. Policies typically cover incident response costs, data recovery, legal fees, and business interruption losses.

Premiums for small businesses are relatively modest, often a few hundred pounds per year. Many insurers offer discounts for businesses that can demonstrate basic security measures like MFA, backups, and Cyber Essentials certification.

Insurance is not a substitute for good security practices, but it is a sensible safety net for risks that cannot be fully eliminated.

If a breach happens

Move through this in order:

  1. Isolate affected systems from the network immediately.
  2. Contact IT support. Get professional help before changing things.
  3. Change critical passwords (email, banking, accounting software) from a different, clean device.
  4. Check backups to determine what is safe and what is compromised.
  5. Notify customers and relevant authorities if personal data was exposed. Transparency matters legally and for trust.

Do not pay ransoms unless every other option is exhausted, and get professional advice first.

Start with MFA on email accounts today. That single step blocks more attacks than anything else on this list. Then work through the rest over the coming weeks: password manager, backups, access review. It does not have to happen all at once.

If the gaps are unclear, a quick audit of these basics reveals more than any expensive security product. Get in touch for a hand with that.
