Our cybersecurity checklist for small businesses


H2 – How to protect your small business from cyberattacks

Although it might seem complex, establishing and maintaining cybersecurity for a small business is relatively simple and cost-effective – provided you put the necessary measures in place to keep information secure, and ensure employees understand the importance of following your cybersecurity plan.

Here are our key steps that every small business cybersecurity plan should include to protect its data and operations from cyber criminals:

H3 – 1. Use secure passwords for all accounts

As with your personal computer and online accounts, it’s very important to ensure all your business accounts and systems have different passwords. Otherwise, a criminal who has access to one account may also be able to access every other account. Worse still, they may be able to change the passwords on your other accounts by using the ‘forgot my password’ option, locking you out.

A strong password should be made up of at least three random words, with some numbers, capital letters and symbols added if the service requires them. Length matters more than complexity, and whatever combination you pick, don't base it on information someone could find out about you. It's not recommended that you use:

  • your partner’s name
  • your child’s name
  • a family member’s name
  • your pet’s name
  • your place of birth
  • your favourite holiday destination
  • something related to your favourite sports team.

If you have employees, explain why strong passwords matter and put measures in place to prevent weak ones, such as a minimum length and a block on passwords that contain the company name or the kinds of personal detail listed above. A password manager lets staff use a different strong password for every account without having to remember them all.
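One way to enforce those rules at account creation or password reset, as an added example that is not code from the original article: it rejects passwords that are too short, that contain a well-known bad password, or that contain the user's own guessable details even when the word has been disguised with digit-for-letter substitutions (L0nd0n, P@ssw0rd). The minimum length, the short common-password list and the sample personal details are assumptions constructed for the example.

```python
"""Enforcing a password policy for staff accounts.

Added example, not code from the original article. The minimum length, the
short common-password list and the sample personal details are constructed
for illustration; a real deployment would check against a full breached-
password list as well.
"""
import re

MIN_LENGTH = 12  # three random words together are rarely shorter than this

# Substitutions people use to disguise a guessable word:
# 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET_MAP = str.maketrans("013457@$", "oieastas")

# A tiny stand-in for a real breached-password list (constructed).
COMMON_PASSWORDS = ("password", "qwerty", "letmein", "welcome", "admin")


def normalise(text: str) -> str:
    """Lower-case, undo the substitutions above and drop anything that is not
    a letter, so 'L0nd0n2024!!' becomes 'londonoa' and still contains 'london'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET_MAP))


def check_password(password: str, personal_details: list[str]) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passes.

    personal_details is the guessable information for this user: partner,
    children, pets, place of birth, favourite team and so on.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"too short: {len(password)} characters, need at least {MIN_LENGTH}")

    norm = normalise(password)
    for common in COMMON_PASSWORDS:
        if common in norm:
            reasons.append(f"contains common password '{common}'")
    for detail in personal_details:
        wanted = normalise(detail)
        # Ignore one- or two-letter fragments; they would match almost anything.
        if len(wanted) >= 3 and wanted in norm:
            reasons.append(f"contains personal detail '{detail}'")
    return reasons


if __name__ == "__main__":
    details = ["Fluffy", "London", "Manchester United"]  # constructed for one staff member
    for candidate in ["Fluffy2019!", "L0nd0n2024!!", "P@ssw0rd2024", "correct horse battery staple"]:
        verdict = check_password(candidate, details) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Run it and "Fluffy2019!" is rejected twice over (too short and built on the pet's name), "L0nd0n2024!!" is long enough but still falls to the place-of-birth check, "P@ssw0rd2024" is caught by the common-password list, and the three-random-words password passes.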


H3 – 2. Use two-factor authentication

Two-factor authentication, or 2FA, is a security measure that requires you to prove your identity in a second way, alongside your password, before you can log in. For example, you might be sent a code by text message, or open an authenticator app on your phone that generates a temporary code.

Because the code changes every 30 seconds or so and is only available on your device, someone who has stolen your password alone can't complete the login. 2FA takes only minutes to set up, and it is one of the most effective ways of protecting your company when a password is leaked or guessed. Where a service offers a choice, an authenticator app or a physical security key is stronger than a code sent by text message, and a genuine code should never be read out to anyone who phones or emails asking for it.
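What an authenticator app actually does, as an added example that is not part of the original article: a minimal implementation of TOTP (RFC 6238), the scheme most authenticator apps use. The app and the service share a secret; the code is an HMAC of the current 30-second time slot, so knowing the password is not enough to produce it. The secret below is the RFC 6238 test-vector secret, not a real credential, and the one-slot tolerance window is an assumption typical of real servers.

```python
"""How the temporary code from an authenticator app is generated and checked.

Added example, not code from the original article. The secret is the
RFC 6238 test-vector secret (not a real credential); the verification window
of one slot either side is an assumption, chosen to tolerate clock drift.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

SECRET = b"12345678901234567890"  # RFC 6238 test secret
STEP = 30      # seconds each code is valid for
DIGITS = 6     # what most apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP, digits: int = DIGITS) -> str:
    """The code an authenticator app shows at Unix time `at` (now, if omitted)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify(secret: bytes, submitted: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check. Accepts the current slot plus `window` slots either
    side to allow for clock drift and typing delay; compares in constant time."""
    t = int(time.time()) if at is None else at
    current = t // STEP
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(current - window, current + window + 1)
    )


def provisioning_key(secret: bytes) -> str:
    """Base32 form of the secret: what you type (or scan as a QR code) into the app."""
    return base64.b32encode(secret).decode()


if __name__ == "__main__":
    print("secret to enter in the app:", provisioning_key(SECRET))
    print("code right now:", totp(SECRET))
    print("RFC 6238 check at T=59:", totp(SECRET, at=59), "(expected 287082)")
```

The point for a small business is the last line of `verify`: the server never stores or transmits the code, it recomputes it from the shared secret, so a phishing page that captures your password still cannot log in once the 30-second code has expired. That is also why the secret (the Base32 string or QR code shown during setup) must be kept as carefully as a password.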


H3 – 3. Always back up your data

While you can do a lot to prevent your business from being affected by a cyberattack, in some cases, it may be unavoidable. That’s why it’s always smart to back up all your data so you can bounce back quickly.

Consider what data is essential to the running of your business, such as core documents, photos, emails, contacts and calendars. Make sure all this is regularly backed up, using a combination of external hard drives, physical filing and online cloud storage, with two-factor authentication on the cloud account and automatic backup switched on. Keep at least one copy disconnected from your network (an external drive that is unplugged after each backup, for example), because ransomware will encrypt any backup it can reach, and test restoring a few files now and then so you know the backup actually works.
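A backup is only useful if it restores correctly, so here is an added example (not code from the original article) of the test-your-restore step: it packs a folder into a compressed archive, records a SHA-256 fingerprint of every file, restores the archive somewhere else and checks every restored file against the fingerprints, then shows that a corrupted file is detected. The sample documents are constructed in a temporary folder; the source folder and archive location are assumptions you would replace with your real documents folder and an external drive.

```python
"""Backing up a folder, then proving the backup can be restored intact.

Added example, not code from the original article. The sample files are
constructed in a temporary folder; point make_backup() at your real documents
folder and an external drive to use it for real.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write every file under source into a .tar.gz; return the fingerprints to keep with it."""
    expected = fingerprint(source)
    with tarfile.open(archive, "w:gz") as tar:
        for name in expected:
            tar.add(source / name, arcname=name)
    return expected


def restore(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter refuses entries that would escape dest
            # (Python 3.12, backported to recent 3.8+ releases).
            tar.extractall(dest, filter="data")
        except TypeError:  # very old Python without the filter argument
            tar.extractall(dest)


def check(restored: Path, expected: dict[str, str]) -> list[str]:
    """Problems found when comparing a restored folder with the saved fingerprints."""
    actual = fingerprint(restored)
    problems = [f"missing: {n}" for n in expected if n not in actual]
    problems += [f"changed: {n}" for n in expected if n in actual and actual[n] != expected[n]]
    problems += [f"unexpected: {n}" for n in actual if n not in expected]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed folder, verify a clean restore, then corrupt one
    restored file and show it is detected. Returns (clean_problems, corrupted_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restored = tmp / "documents", tmp / "backup.tar.gz", tmp / "restored"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-03.csv").write_text("customer,amount\nAcme,120.00\n")
        (source / "contacts.txt").write_text("Acme Supplies, 0161 000 0000\n")
        (source / "notes.md").write_text("# Q2 plan\n")

        expected = make_backup(source, archive)
        restore(archive, restored)
        clean = check(restored, expected)

        # Simulate bit-rot or tampering on the restored copy.
        (restored / "invoices" / "2024-03.csv").write_text("customer,amount\nAcme,1200.00\n")
        corrupted = check(restored, expected)
    return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("after restore:", clean or "all files match")
    print("after tampering:", corrupted)
```

Store the fingerprint list with the archive (and, ideally, a copy elsewhere): it is what lets you tell a good backup from one that was silently corrupted or altered before you needed it.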


H3 – 4. Keep all your devices up to date

Unpatched software weaknesses are one of the main ways cybercriminals break into devices, so it's crucial to keep the software on phones, laptops, computers and tablets up to date.

Install updates as soon as they become available, but only through the device's own update mechanism or its official app store, never from a link in an email or a pop-up on a website.

For more information on applying updates, refer to the NCSC's guidance on vulnerability management.


H3 – 5. Don’t rely on outdated machines and software

It’s a good idea to use modern devices and software for all your work to ensure you can access the latest security updates.

Eventually, manufacturers will stop providing updates for older devices and operating systems, leaving you vulnerable to criminals who exploit any remaining weaknesses in the older software. 

When you do buy new devices, make sure you do the following with them before anything else:

  • Switch on your firewall and enable your device’s antivirus software.
  • Set up a PIN, password, fingerprint or face ID to access your device.
  • Set devices to auto-lock after a period of inactivity to prevent unauthorised access.

If your business has employees, ensure that everyone has these protections switched on before they begin work. Check out the Which? guide to antivirus software to find out more.


H3 – 6. Train all employees in proper cybersecurity

In some cases, it isn't malware downloaded from the internet that causes a breach, but an employee's unintentional actions, such as replying to a phishing email or entering their password on a fake login page.

Therefore, to avoid phishing and other common cyberattacks, ensure that you and your employees:

  • are regularly trained on cybersecurity risks
  • have the lowest level of user rights and access possible to do your jobs
  • never browse the web or check emails from an account with administrator privileges
  • use two-factor authentication on all accounts
  • follow the safe password practices outlined above
  • check that unexpected emails from unknown senders are genuine by ringing the company or individual on a number you've found independently, not one given in the email
  • never click on any links sent from unfamiliar emails
  • never offer up any information unless you’re sure a source is legitimate
  • know what to do if you receive unusual requests, and immediately raise suspicions of fraudulent activity
  • report all attacks that do occur.
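The checks in the list above can be partly automated before an email ever reaches a reply. The following added example (not code from the original article) parses a raw email and flags four tell-tale signs: a display name that claims to be a known supplier while the address is not theirs, a sender domain that is one or two characters away from a real one, replies routed to a different domain, and urgent money or password wording in the subject. The supplier list, the pressure-word list and both sample messages are constructed for illustration.

```python
"""Spotting the tell-tale signs of a phishing email before anyone replies.

Added example, not code from the original article. KNOWN_SENDERS,
URGENT_WORDS and both sample messages are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Domains your business genuinely deals with, and the name they use (constructed).
KNOWN_SENDERS = {
    "acme-supplies.example": "Acme Supplies",
    "yourbank.example": "Your Bank",
}
URGENT_WORDS = ("urgent", "bank details", "payment", "password", "verify your account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'acme-supp1ies' is one edit away from 'acme-supplies'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def inspect_message(raw: bytes) -> list[str]:
    """Return warnings for a raw email; an empty list means nothing suspicious was found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    from_dom = domain_of(from_addr)
    warnings = []

    for domain, org in KNOWN_SENDERS.items():
        # Display name says it is a known supplier, but the address is not from them.
        if org.lower() in from_name.lower() and from_dom != domain:
            warnings.append(f"name-mismatch: claims to be {org!r} but address is {from_addr}")
        # Not one of our known domains, but only an edit or two away from one.
        if from_dom != domain and levenshtein(from_dom, domain) <= 2:
            warnings.append(f"lookalike-domain: {from_dom!r} resembles {domain!r}")
    if reply_addr and domain_of(reply_addr) != from_dom:
        warnings.append(f"reply-to: replies would go to {reply_addr}, not {from_dom}")
    hits = [w for w in URGENT_WORDS if w in subject.lower()]
    if hits:
        warnings.append(f"wording: subject uses pressure words {hits}")
    return warnings


# Constructed sample messages.
PHISHING = b"""From: Acme Supplies Accounts <accounts@acme-supp1ies.example>
Reply-To: payments.update@freemail.example
To: you@yourbusiness.example
Subject: URGENT: updated bank details for invoice 4471

Please pay this month's invoice to our new account, details attached.
"""

GENUINE = b"""From: Acme Supplies Accounts <accounts@acme-supplies.example>
To: you@yourbusiness.example
Subject: Invoice 4471

Invoice attached as usual. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING), ("genuine", GENUINE)):
        print(label + ":", inspect_message(raw) or ["no warnings"])
```

None of these checks is proof on its own, and a careful attacker can avoid all four, which is why the list above still ends with a phone call on an independently sourced number for any request that changes where money goes.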

We’d also recommend using the National Protective Security Authority’s digital footprint campaign for advice on reducing the information you share online to help minimise any accidental leaks outside of work.


H3 – 7. Control who has access to sensitive data

It should go without saying, but not everyone needs access to sensitive business data. For example, things such as bank details or company security information should all be password-protected and access restricted for anyone who doesn’t need to use them.

We also strongly advise that you do the following to minimise potential access by unwanted third parties to essential business areas:

  • Train staff so they understand proper data handling and the importance of maintaining good cybersecurity.
  • Make sure devices can be tracked, locked or wiped remotely if they are ever lost or stolen.
  • Control how USB drives (and memory cards) can be used in your business, so that malware can't be introduced physically and important information can't be copied out, whether by employees or criminals.


H3 – 8. Use government training programmes

As part of a wider plan to help businesses properly implement cybersecurity, the UK government provides a range of free online training courses.

We suggest starting with the Cyber Essentials scheme, which teaches you how to increase and maintain cybersecurity throughout your business, before following up with the government's other free courses and resources.

For more courses and education, visit the government’s cybersecurity training for businesses page, which has a handy list of free e-learning courses.


H3 – 9. Put a cybersecurity disaster-recovery plan in place

Finally, it’s always a good idea to have a cybersecurity disaster-recovery plan in place for the event that your IT systems go down or your data is breached.

This should include everything from how to restart your systems to who to contact in the event of a data breach. Such a plan will help your business get back on its feet quickly should a cybercriminal get past all your defences.

Again, the UK government has issued specific guidance on cybersecurity risk management for small businesses, which can help with your planning.


H2 – What to do if you’re the victim of a cyberattack

Even the best-prepared organisation can be the victim of a cybersecurity breach, and a cybersecurity issue is often a question of when, not if. That’s why it’s important to know what to do if you suspect your business has been the victim of a security breach.

Common signs can include:

  • computers running slowly
  • users being locked out of accounts
  • users being unable to access documents
  • messages demanding a ransom for the release of your files
  • people informing you about strange emails coming from your domain
  • redirected internet searches
  • requests for unauthorised payments
  • unusual account activity.

From here, if you suspect you’ve had a cybersecurity breach, answer the following 10 questions to work out exactly what’s happened:

  1. What problem has been reported, and by whom?
  2. What services, programs and/or hardware aren’t working?
  3. Are there any signs that data has been lost? For example, have you received ransom requests, or has any of your data been posted on the internet?
  4. What information (if any) has been disclosed to unauthorised parties, deleted or corrupted?
  5. Have your customers noticed any problems? Can they use your services?
  6. Who designed the affected system, and who maintains it?
  7. When did the problem occur or first come to your attention?
  8. What is the scope of the problem? What areas of your organisation are affected?
  9. Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your supply chain?
  10. What is the potential business impact of the incident?

Next, disconnect any affected devices from your network and the internet (unplug the network cable or turn off wi-fi) so the attack can't spread, then run your antivirus software to find out more about it, and look for advice online from Action Fraud, police websites and the government. If your IT is managed externally, contact your providers straight away. If you manage your IT internally, activate your incident plan.

Finally, after the incident has been fully resolved, review everything that’s happened, learn from any mistakes and put policies in place to try to prevent the same thing from happening again.

H3 – Legal requirements for cybersecurity breaches

Depending on the nature of the incident, you may have a legal requirement to inform the Information Commissioner’s Office (ICO) of a cybersecurity breach. Under UK GDPR, a breach of personal data that is likely to put people at risk must be reported to the ICO within 72 hours of you becoming aware of it, so check the ICO website early to see whether your incident is one it requires you to report.

You should also tell the people affected. If customer data has been compromised in a way that puts them at high risk (leaked bank details or passwords, for example), you are required to inform them without undue delay, and in any case your staff, suppliers and customers will need to know what has happened and what you’re doing about it. Failing to notify when you should can lead to fines and other legal repercussions.

Under the Data Protection Act 2018 and UK GDPR, your business is also required to protect any personal data you hold and process about your customers, suppliers and staff. This includes all personal information and any other information that could be used to identify individuals.

Therefore, to meet the regulatory standard, you must do the following:

  • Collect only the information you need for a specific business purpose.
  • Keep this data properly secured as per government guidelines.
  • Keep all data relevant and up to date.
  • Hold only as much information as you need for each user, and only for as long as you need it.
  • Allow the subject of the information to see it on request.

For more information, the ICO has a guide for small businesses on how to properly protect customer data.