
How to Prevent Cyber Attacks: Security Tips for Small Businesses

Cyberattacks are hitting UK businesses harder and more frequently than ever. According to the UK Government’s Cyber Security Breaches Survey 2025/2026, 43% of UK businesses experienced a cyber breach or attack in the last 12 months – that’s approximately 612,000 businesses.

The numbers also prove this isn’t just a big company problem. In the last 12 months, 41% of micro businesses and 50% of small businesses experienced a breach or attack. The difference for many smaller businesses is that they don’t have the defences, resources, and incident response plans in place that help larger organisations contain attacks quickly.

But the good news is that most cyberattacks succeed due to basic security gaps like weak passwords, missing multi-factor authentication (MFA), unpatched software, and untrained staff. That means if you fix these fundamentals, you can dramatically reduce your risk.

This guide walks you through practical steps you can take today to protect your business from cyber threats, and explains why getting this right matters more than ever.

What is a cyber attack?

A cyber attack is a deliberate attempt by criminals to damage, disrupt, or gain unauthorised access to your computer systems, networks, devices, or data.

Attackers have different goals depending on their motivation:

  • Stealing money – Direct fraud, ransomware demands, or selling your data on the dark web
  • Accessing sensitive data – Customer records, financial information, intellectual property, trade secrets
  • Disrupting operations – Taking your systems offline through denial-of-service attacks or sabotage
  • Espionage – Gathering intelligence for competitive advantage or state-sponsored purposes

The most common attack types UK businesses face include:

  • Phishing
  • Impersonation attacks
  • Ransomware
  • Malware and viruses
  • Denial-of-service attacks

For a detailed breakdown of each attack type and how to spot them, see our guide on cyber threats and what they are.

Why is it important to prevent cyber attacks?

The cost of getting hacked extends much further than the immediate breach. You’re looking at financial losses, operational disruption, reputational damage, regulatory fines, and lost customer trust, and these often happen all at once.

Financial impact

  • Average cost of a cyber breach for UK businesses: £1,600 per incident (£3,550 excluding those with no losses)
  • Average costs for medium-sized businesses are £10,830 per incident
  • True cost for UK SMEs often reaches £75,000 – a figure many small businesses can’t absorb
  • Recovery costs mount up: cyber security consultants, system restoration, legal fees, notification expenses, increased insurance premiums

(Cyber Security Breaches Survey 2025/2026)

Regulatory penalties

  • Data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours
  • Fines can reach £17.5 million or 4% of annual global turnover (whichever is higher)

Operational disruption

  • Ransomware can lock networks for days or weeks
  • Average time to identify and contain a breach: 241 days (over eight months)
  • Staff can’t access systems, complete transactions, or serve customers during downtime
  • Even hours of downtime translate to significant revenue loss

Reputational damage and lost customers

Hiscox’s 2024 Cyber Readiness Report shows how much impact attacks had on businesses (percentage of businesses reporting each consequence).

  Consequence reported                       2024   2023
  More difficulty attracting new customers   47%    20%
  Lost existing customers                    43%    21%
  Experienced bad publicity                  38%    25%
  Lost business partners                     21%    16%


How to prevent cyber attacks for businesses: Seven steps to stay safe

1. Create a cyber action plan

You need a documented cyber security strategy that covers what you’re protecting, who’s responsible, and what happens when something goes wrong.

Your cyber action plan should include:

  • Asset inventory – List all systems, devices, and data that need protecting. You can’t defend what you don’t know you have.
  • Risk assessment – Identify your biggest vulnerabilities. Where’s your sensitive data stored? Which systems are critical for operations? What would hurt most if compromised?
  • Security policies – Document acceptable use policies, password requirements, remote working rules, and data handling procedures.
  • Incident response procedures – Define who does what when you discover a breach. Include contact details for your IT team, cyber security providers, legal advisors, and regulators.
  • Regular review schedule – Cyber threats evolve constantly. Review and update your plan at least annually, or whenever significant changes occur to your systems or operations.

Only 25% of UK businesses have a formal incident response plan in place, rising to 57% among medium businesses and 76% among large businesses.

Don’t overcomplicate it. Start with our basic cyber security checklist for quick wins that make an immediate difference, then build out from there.

2. Implement strong password policies

Weak passwords are still one of the easiest ways attackers breach your systems. Yet 74% of UK businesses have password policies in place, which means 26% still don’t.

What a strong password policy looks like:

  • Minimum length requirements – Aim for 12+ characters. Better yet, encourage passphrases – three or four random words strung together that are easy to remember but hard to crack.
  • Password managers for everyone – These tools generate and store complex unique passwords for every account. Staff won’t reuse the same password across multiple systems when the password manager does the work for them.
  • No password sharing – Each person gets their own login credentials. Shared accounts make it impossible to track who accessed what, when.
  • Regular password changes for privileged accounts – Admin accounts and other high-access roles should change passwords regularly (every 90 days at minimum).
  • Ban common passwords – Block easily guessed passwords like “Password123”, “Company2026”, or variations of your business name.

Your password policy only works if everyone actually follows it. Enforce it through your systems rather than relying on people to remember the rules.
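The policy above is enforced most reliably in code at the point where a password is set. The following is an added example (it is not Citation Cyber’s code or any product’s feature) of a policy check covering the 12-character minimum, the banned common-password list, and disguised forms of the business name such as “Company2026”. The business name, the banned list and the leetspeak substitution table are constructed sample values; a real deployment would load the banned list from a breached-password feed and the business name from configuration.

```python
import re

# Constructed sample policy values for a hypothetical business (assumptions, not real data).
MIN_LENGTH = 12
BANNED_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin", "123456"}
BUSINESS_NAME = "Northwind Traders"   # hypothetical company name

# Common letter-for-symbol substitutions, so "N0rthw1nd" still reads as "northwind".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def strip_suffix(password: str) -> str:
    """Lower-case and drop trailing digits/punctuation: 'Password123!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def normalise(password: str) -> str:
    """Lower-case, undo leetspeak and keep letters only, so a disguised
    business name ('N0rthw1nd_2026!') still contains 'northwind'."""
    folded = password.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", folded)


def name_tokens(business_name: str) -> set:
    """Words of four or more letters in the business name, plus the name run together."""
    words = re.split(r"\W+", business_name.lower())
    tokens = {w for w in words if len(w) >= 4}
    tokens.add("".join(words))
    return tokens


def is_passphrase(password: str, min_words: int = 3) -> bool:
    """True for 'three or four random words strung together' style passwords."""
    words = [w for w in re.split(r"[\s\-_]+", password) if len(w) >= 3]
    return len(words) >= min_words


def check_password(password: str, business_name: str = BUSINESS_NAME) -> list:
    """Return the policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # 'Password123' and 'Password2026' both collapse to the banned entry 'password'.
    if password.lower() in BANNED_PASSWORDS or strip_suffix(password) in BANNED_PASSWORDS:
        problems.append("on the banned common-password list")
    core = normalise(password)
    if any(token and token in core for token in name_tokens(business_name)):
        problems.append("contains the business name")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123", "N0rthw1nd_2026!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "OK",
              "(passphrase)" if is_passphrase(candidate) else "")
```

The check is deliberately a rejection filter rather than a complexity score: it blocks the patterns attackers try first and lets a long passphrase through without demanding symbols or forced rotation.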

3. Enable multi-factor authentication

MFA provides a critical second barrier even when attackers steal passwords through phishing.

MFA requires users to present two or more verification factors from different categories before they can access a system: something they know (like a password), something they have (such as a phone or security key), or something they are (for example, a fingerprint or face recognition).

47% of UK businesses require multi-factor authentication, so it’s definitely a good place to start.

Where to enable MFA immediately:

  • Email accounts (especially admin accounts)
  • Banking and financial systems
  • Payroll platforms
  • Cloud storage services
  • Customer relationship management systems
  • Any system containing sensitive data

The NCSC strongly recommends phishing-resistant MFA using FIDO2 security keys or passkeys for administrative and privileged accounts. Most major platforms now support MFA as a standard feature. The setup takes minutes per user and the protection lasts indefinitely.

4. Keep your software up to date

The easiest option for attackers is to exploit known vulnerabilities in outdated software. Patches and security updates exist to close these holes, but they only protect you if you actually install them.

Only 34% of UK businesses have a policy to apply software security updates within 14 days, according to the Cyber Security Breaches Survey 2025/2026.

What you need to update regularly:

  • Operating systems – Windows, macOS, Linux updates often include critical security patches
  • Applications and software – Email clients, web browsers, productivity tools, accounting software
  • Security software – Antivirus, firewalls, endpoint protection tools
  • Network equipment – Routers, switches, firewalls, access points
  • Mobile devices – Phones and tablets used for work

Turn on automatic updates wherever possible. For systems that can’t auto-update, create a schedule and stick to it. Aim to install critical security patches within 14 days maximum, but sooner for systems exposed to the internet.

Outdated software is one of the most common entry points for attackers. Don’t give them an open door.

5. Train your staff on cyber threats

Your employees have the potential to be either your weakest link or your strongest defence. Attackers know this, which is why 38% of UK businesses experienced phishing attacks in the last 12 months.

However, only 19% of UK businesses provided cyber security training or awareness raising in the same time period. And among micro businesses, that drops to just 14%.

What effective training covers:

  • Recognising phishing emails – Teach staff to spot suspicious sender addresses, urgent language, unexpected attachments, and requests for sensitive information or credentials – and to trust their gut if something feels wrong.
  • Safe browsing practices – How to identify secure websites, avoid clicking unknown links, and verify URLs before entering credentials.
  • Password hygiene – Why unique passwords or passphrases matter, how to use password managers, and never sharing credentials.
  • Physical security – Locking screens when away from desks, not leaving devices unattended, disposing of sensitive documents securely.
  • Reporting procedures – How to report suspicious emails or potential security incidents without worrying about blame.

Regular, engaging sessions work better than annual marathon training days. Run controlled phishing simulations that help employees practice spotting scams without real consequences.

Citation Cyber’s Employee Awareness Training service provides comprehensive training that builds genuine security awareness. We also explore strategies for getting started in our guide on introducing cyber security for your staff.

6. Apply a ‘Zero Trust’ policy

Zero Trust is a security model based on the principle “never trust, always verify”. You assume that threats could come from anywhere inside or outside your network. And you verify every access request regardless of where it originates.

Key Zero Trust principles:

  • Verify explicitly – Authenticate and authorise every user, device, and connection based on all available data points
  • Use least privilege access – Grant users only the minimum access required for their roles. A marketing coordinator doesn’t need access to financial systems. The warehouse team doesn’t require access to customer databases.
  • Assume breach – Minimise blast radius by segmenting access and monitoring continuously. If attackers compromise one account or system, they shouldn’t automatically gain access to everything.
  • Continuous monitoring – Monitor user activity, network traffic, and system behaviour for anomalies. Flag unusual access patterns, data transfers, or login attempts immediately.

Only 73% of UK businesses restrict IT admin and access rights to specific users. (Cyber Security Breaches Survey 2025/2026)

Start by auditing current user permissions across all systems. Remove unnecessary access rights. Implement role-based access control. Require additional authentication for sensitive operations. Regularly review and update permissions, especially when roles change or employees leave.
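Least privilege, step-up authentication for sensitive operations and a permissions audit are easiest to see in working code. The following is an added example, not Citation Cyber’s code, of a minimal role-based access control model for a hypothetical small business: roles map to permissions, every request is denied unless a role grants it, sensitive operations additionally require fresh MFA, and an audit flags ad-hoc grants that sit outside any role. The role names, permissions and users are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission map for a hypothetical business (an assumption, not real data).
ROLE_PERMISSIONS = {
    "marketing": {"crm:read", "website:edit"},
    "finance": {"finance:read", "finance:pay", "payroll:read"},
    "warehouse": {"stock:read", "stock:update"},
    "it-admin": {"users:manage", "systems:configure"},
}

# Operations that need step-up (fresh MFA) even when the user's role allows them.
SENSITIVE_OPERATIONS = {"finance:pay", "users:manage", "systems:configure"}


@dataclass
class User:
    name: str
    roles: set
    active: bool = True
    extra_permissions: set = field(default_factory=set)  # ad-hoc grants, to be audited


def permissions_for(user: User) -> set:
    """Everything the user can do: role permissions plus any ad-hoc grants."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | user.extra_permissions


def authorise(user: User, operation: str, mfa_verified: bool = False) -> tuple:
    """Deny by default. Returns (allowed, reason) so the decision can be logged."""
    if not user.active:
        return False, "account disabled"
    if operation not in permissions_for(user):
        return False, "not permitted for role"
    if operation in SENSITIVE_OPERATIONS and not mfa_verified:
        return False, "step-up authentication required"
    return True, "ok"


def audit_excess_access(users: list) -> list:
    """Flag grants outside any assigned role and active accounts with no role at all."""
    findings = []
    for u in users:
        role_perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in u.roles))
        for perm in sorted(u.extra_permissions - role_perms):
            findings.append((u.name, f"extra grant outside role: {perm}"))
        if u.active and not u.roles:
            findings.append((u.name, "active account with no role"))
    return findings


def offboard(user: User) -> None:
    """Leaver process: disable the account and strip every permission in one step."""
    user.active = False
    user.roles.clear()
    user.extra_permissions.clear()


if __name__ == "__main__":
    alice = User("alice", {"marketing"})
    bob = User("bob", {"finance"})
    carol = User("carol", {"warehouse"}, extra_permissions={"crm:read"})
    print(authorise(alice, "finance:pay"))            # marketing cannot pay invoices
    print(authorise(bob, "finance:pay"))              # finance can, but needs MFA first
    print(authorise(bob, "finance:pay", mfa_verified=True))
    print(audit_excess_access([alice, bob, carol]))   # carol's CRM grant is outside her role
```

Returning a reason alongside the decision matters for the “continuous monitoring” principle: denied requests, especially repeated “step-up authentication required” results on one account, are exactly the anomalies worth alerting on.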

7. Store your data securely 

Where and how you store data determines how easily attackers can access or destroy it.

Backup strategy:

  • The 3-2-1 rule – Three copies of your data, on two different media types, with one copy stored offsite
  • Automatic daily backups – Manual backups get forgotten. Automation guarantees consistency.
  • Cloud and offline storage – Cloud backups provide quick recovery and offsite protection. Keep critical backups on a separate device or offline storage that’s disconnected from your network.
  • Test restores regularly – A backup you haven’t tested isn’t a backup. Verify every few months that you can restore from your backups.
  • Encrypt sensitive data – In transit and at rest. Only 14% of UK businesses hold unprotected personal data, which means 86% are taking steps to encrypt or anonymise it.
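The backup rules above can be checked automatically against an inventory of your backup copies. The following is an added example, not Citation Cyber’s code, that evaluates a constructed inventory against the 3-2-1 rule, the daily-backup expectation, the offline-copy requirement and the restore-test interval. The inventory entries, the dates and the thresholds (one day for online copies, seven for an offline copy that is rotated by hand, 90 days between restore tests) are assumptions; whether your live system counts as one of the three copies is a policy choice, so list it if your policy counts it.

```python
from datetime import date

# Constructed backup inventory for a hypothetical business (assumptions, not real data).
BACKUPS = [
    {"name": "primary-nas", "media": "disk", "location": "onsite", "offline": False,
     "last_success": date(2026, 3, 1), "last_restore_test": date(2025, 12, 1)},
    {"name": "cloud-bucket", "media": "cloud", "location": "offsite", "offline": False,
     "last_success": date(2026, 3, 1), "last_restore_test": None},
    {"name": "usb-vault", "media": "disk", "location": "onsite", "offline": True,
     "last_success": date(2026, 2, 20), "last_restore_test": date(2026, 1, 15)},
]


def assess_backups(backups: list, today: date, max_age_days: int = 1,
                   offline_max_age_days: int = 7, restore_test_days: int = 90) -> list:
    """Return a list of findings; an empty list means the backup set meets the policy."""
    findings = []

    # 3-2-1: three copies, two media types, one offsite; plus one copy kept offline
    # so ransomware that reaches the network cannot encrypt every backup.
    if len(backups) < 3:
        findings.append(f"only {len(backups)} copies held (3-2-1 needs three)")
    if len({b["media"] for b in backups}) < 2:
        findings.append("all copies on one media type (needs two)")
    if not any(b["location"] == "offsite" for b in backups):
        findings.append("no offsite copy")
    if not any(b["offline"] for b in backups):
        findings.append("no offline copy")

    # Per-copy checks: is it current, and has a restore actually been proven?
    for b in backups:
        limit = offline_max_age_days if b["offline"] else max_age_days
        age = (today - b["last_success"]).days
        if age > limit:
            findings.append(f"{b['name']}: last successful backup {age} days ago (limit {limit})")
        if b["last_restore_test"] is None:
            findings.append(f"{b['name']}: restore never tested")
        else:
            since_test = (today - b["last_restore_test"]).days
            if since_test > restore_test_days:
                findings.append(f"{b['name']}: restore last tested {since_test} days ago")
    return findings


if __name__ == "__main__":
    for finding in assess_backups(BACKUPS, today=date(2026, 3, 2)):
        print("FINDING:", finding)
```

Run on a schedule and fed from your backup software’s job history, a check like this turns “we think backups are fine” into a short list of things to fix, which is the point of testing restores rather than trusting that jobs ran.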

While around 88% of UK businesses maintain data backups, that still leaves 12% dangerously exposed.

For more guidance on data protection best practices, see our article on storing data securely.

Cyber security mistakes: what not to do

Even businesses that invest in cyber security and have plans in place sometimes undermine their own defences through common mistakes. Some mistakes you should avoid are:

Using insecure Wi-Fi networks

You see public Wi-Fi available in cafes, airports, and hotels, and while it’s convenient, it’s also dangerous. Attackers can intercept data transmitted over unsecured networks, capturing passwords, emails, and sensitive information.

Use a VPN that encrypts all internet traffic when working remotely. Only 36% of UK businesses provide VPNs for remote access. Nobody should access banking, payroll, or sensitive systems over public Wi-Fi without VPN protection.

Remote workers using personal devices

Personal devices often lack security controls, monitoring, and management. They may be running outdated software, missing antivirus protection, or shared with family members.

Only 66% of UK businesses restrict access to company-owned devices. If staff have to use personal devices, put in place a BYOD policy covering minimum security requirements: mandatory updates, screen locks, password protection, and antivirus software.

For more information, see our guide on working from home securely.

Outdated software leaving you open to attacks

Delaying updates because “everything’s working fine” leaves known vulnerabilities unpatched. Attackers actively scan for outdated systems they can exploit.

Major ransomware attacks have succeeded because organisations failed to install available security patches. WannaCry exploited a Windows vulnerability Microsoft had already patched, but thousands hadn’t installed the update.

Install security updates within 14 days maximum. For critical patches, install immediately.

No business continuity plan

Only 33% of UK businesses have a business continuity plan covering cyber security. When disaster strikes, you need to know exactly how your business will continue operating. Your plan should cover critical systems, recovery procedures, alternative work arrangements, and contact details for key suppliers. Test your plan annually because a plan that hasn’t been tested is just a document.

If you’re unsure where to start, learn what to include in your business continuity plan.

Only reacting to attacks after they happen

If you think you’ll never face an attack, remember 43% of UK businesses did in the last 12 months. Waiting for something to happen costs more and protects less than proactive prevention. The best thing you can do is invest in tools that make it harder to attack you and easier for you to know if you have been attacked.

Consider investing in security monitoring tools, penetration testing, staff training, and an incident response plan. At a minimum, you need an incident response line, so you know who to call if you think something’s wrong.

How the Cyber Essentials certification can help

Cyber Essentials is a UK Government-backed certification scheme that demonstrates you’ve implemented five critical technical controls proven to prevent around 80% of common cyber attacks.

The five Cyber Essentials controls

  1. Boundary firewalls and internet gateways – Protect your network perimeter from unauthorised access
  2. Secure configuration – Make sure systems are configured securely and unnecessary functionality is removed
  3. User access control – Control who can access what data and services
  4. Malware protection – Defend against viruses, ransomware, and other malicious software
  5. Security update management – Keep software and firmware up to date with the latest security patches

Benefits of Cyber Essentials certification

  • Proven protection – The five controls address the most common attack vectors affecting UK businesses
  • Competitive advantage – Increasingly required for government contracts, tenders, and by cyber insurance providers
  • Customer confidence – Demonstrates your commitment to protecting customer data and business security
  • Insurance benefits – Many insurers offer reduced premiums or require Cyber Essentials for affordable cyber insurance policies

Clear framework – Provides straightforward, achievable security standards for businesses of any size

The certification process identifies security gaps you didn’t know existed and provides a clear roadmap for addressing them. Even if you don’t pursue formal certification immediately, using the Cyber Essentials framework to assess your current security posture is valuable.

Citation Cyber’s Cyber Essentials service guides you through certification, making sure you’ve implemented the five critical controls correctly. For evidence of Cyber Essentials’ real-world impact, see the ‘Cyber Essentials impact evaluation’ guide.

Key takeaways

Preventing cyber attacks isn’t about getting it perfect, it’s about making your business a harder target than the one next door. Attackers look for easy wins: weak passwords, missing MFA, unpatched software, untrained staff. Start with the basics: strong passwords, multi-factor authentication, regular updates, staff training, and secure backups. These fundamentals block the majority of attacks.

Test your defences with Citation Cyber

Even with strong preventive measures in place, you need to know whether they work. Citation Cyber’s Penetration Testing service identifies vulnerabilities before attackers exploit them, providing actionable insights to strengthen your defences.

Our accredited testers simulate real-world attacks against your systems, applications, and staff. You discover exactly where your weaknesses are and receive clear guidance on fixing them.

Contact Citation Cyber today to assess your current security posture and build defences that actually protect your business.