You’ve realised cyber threats are real. Congratulations, you’re already ahead of the businesses still using “Password123” and hoping for the best. Now comes the slightly less glamorous part: actually doing something about it.

## Start Here: The UK’s Official Free Guidance (Yes, Free Still Exists)

### The gold standard starting point

Begin with the National Cyber Security Centre Small Business Guide: https://www.ncsc.gov.uk/collection/small-business-guide

It’s:

- Free
- Written in plain English
- Actually practical (rare, I know)

**Expert insight**

> “Basic cyber hygiene can prevent the vast majority of attacks.”
> — National Cyber Security Centre

Translation: you don’t need to turn your office into MI5. You just need to stop doing the obvious risky things.

## Step 1: Lock Down Your Accounts Properly

### Use strong, unique passwords

- One password per system
- Use a password manager (not a sticky note under the keyboard)

### Turn on Multi-Factor Authentication (MFA)

- Adds a second layer (usually your phone)
- Stops most automated attacks instantly

Guidance: https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services

## Step 2: Protect Your Devices (The Boring but Critical Bit)

### Keep everything updated

- Turn on automatic updates
- This includes laptops, phones, routers, and software

Unpatched systems are basically an open invitation.

### Install reputable security software

- Antivirus / endpoint protection
- Firewall (usually built-in, just don’t disable it)

### Lock devices when not in use

- Yes, even in the office
- “It’s just colleagues here” is how breaches start

## Step 3: Train Your Staff (Your Biggest Risk and Your Best Defence)

### Focus on phishing awareness

Teach staff to:

- Spot suspicious emails
- Avoid clicking unknown links
- Verify payment requests

### Run simple drills

Simulated phishing emails:

- Cost little
- Save a lot

**Expert insight**

> “Human error is involved in the majority of breaches.”
> — Verizon

So yes, Dave in accounts clicking everything is a bigger threat than most hackers.
## Step 4: Back Up Your Data (Before You Need It)

### Follow the 3-2-1 rule

- 3 copies of data
- 2 different storage types
- 1 offsite (cloud or offline)

### Test your backups

Most businesses:

- Back up data
- Never check if it works

That discovery usually happens during a crisis. Not ideal.

## Step 5: Control Who Has Access to What

### Apply the “least privilege” rule

- Staff only access what they need
- Not everything “just in case”

### Remove access immediately when staff leave

Former employees with active logins are not a charming quirk. They’re a liability.

## Step 6: Secure Your Email and Payments

### Verify payment requests

- Always confirm changes to bank details
- Use a known phone number, not the one in the email

### Use email filtering

Most modern systems:

- Block spam and phishing
- But not all of it

Assume some will get through.

## Step 7: Follow a Recognised UK Standard

### Cyber Essentials (Recommended)

https://www.ncsc.gov.uk/cyberessentials/overview

Benefits:

- Government-backed certification
- Covers the basics properly
- Builds trust with customers

Cost: typically from £300–£500 for certification.

## Step 8: Know What to Do If Something Goes Wrong

### Have a simple incident plan

- Who to contact
- What systems to isolate
- How to recover data

### Report serious incidents

- Information Commissioner’s Office: https://ico.org.uk/
- NCSC incident support: https://www.ncsc.gov.uk/section/about-this-website/report-scam-website

## What This Actually Costs (Realistically)

| Area | Typical Cost (UK) |
| --- | --- |
| Antivirus / endpoint protection | £20–£60 per device/year |
| Password manager | £3–£6 per user/month |
| Staff training | £10–£50 per user/year |
| Backup solutions | £5–£20 per month |
| Cyber Essentials | £300–£500 annually |

You’ve probably spent more on office biscuits.

## Final Thought

Cyber security isn’t about becoming unhackable. That’s a fantasy sold by people who charge consultancy fees with too many zeros.

It’s about:

- Not being the easiest target
- Reducing obvious risks
- Recovering quickly when something does go wrong

Start with the basics. Do them properly.
Most businesses don’t, which is why attackers keep winning. A slightly organised small business is already miles ahead of a careless one. That’s the bar. Low, but surprisingly effective.
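Step 4 says to keep 3-2-1 copies and to actually test that a backup restores, so here is an added example (not from the post, the NCSC or any vendor) in Python that checks a backup inventory against the 3-2-1 rule and restores a tar archive into a scratch directory, comparing SHA-256 hashes against the source. The inventory format (`media`/`offsite` dicts) and the sample files in `demo()` are constructed assumptions.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def check_321(copies):
    """3-2-1 check. `copies`: list of dicts (assumed format) with a 'media'
    label such as 'disk', 'cloud' or 'tape' and an 'offsite' flag."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c["media"] for c in copies}) >= 2,
        "one_offsite": any(c["offsite"] for c in copies),
    }

def _digests(root):
    # SHA-256 of every file under root, keyed by path relative to root
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def verify_restore(src, archive):
    """Restore `archive` into a scratch directory and compare it with `src`.
    Returns the relative paths that are missing or differ; [] means the backup works."""
    expected = _digests(src)
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(tmp, filter="data")  # rejects members escaping tmp (3.12+, backports)
            except TypeError:  # older Python without extraction filters
                tar.extractall(tmp)
        restored = _digests(tmp)
    return sorted(p for p, h in expected.items() if restored.get(p) != h)

def demo():
    """Constructed sample: back up two files, verify, change one, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "jan.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("renew Cyber Essentials\n")
        archive = Path(work, "backup.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(str(src), arcname=".")
        clean = verify_restore(src, archive)          # []
        (src / "notes.txt").write_text("tampered\n")  # source changed after the backup
        return clean, verify_restore(src, archive)    # ['notes.txt']
```

A non-empty list from `verify_restore` is the finding you want to see on a quiet Tuesday, not during the crisis the post describes.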