How to keep your small business safe online: 10 top cyber security tips

As cyber threats become ever more sophisticated, it's never been more important for small businesses to protect themselves online

Written and reviewed by: Henry Williams and Robyn Summers-Emler (Grow Online Editor)

Do you have robust and up-to-date measures in place to protect your small business from cyber security attacks?

If not, why not?

You wouldn’t leave the front door of your brick and mortar store wide open, so why would you leave your online presence unprotected? It’s an open invitation to cyber criminals.

According to the National Cyber Security Centre (NCSC), 39% of UK businesses have experienced a cyber security breach in the past 12 months, and the average cost of a cyber attack to a small business is £8,460.

But it’s not just money that you’ll lose – it’s trust. Atomik Research found that 33% of businesses that have suffered a cybersecurity breach lost customers as a result. And, according to research from PCI Pal, 41% of UK consumers say they will never return to a business post-breach.

What’s more, loss of customer data could put you in breach of GDPR regulation, which can carry a maximum fine of €20m or 4% of global turnover – whichever is greater.

We don’t mean to scaremonger. As long as you put adequate measures in place, and properly educate your staff, there’s no reason your business can’t stay safe online. But 2020 was the busiest year on record for cyber attacks on UK businesses, with a 20% rise in attacks compared with 2019 as hackers took advantage of the vulnerabilities of remote teams. That’s why there’s never been a better time to review your cyber security defences and procedures.

And you can start by following these top cyber security tips.

What is malware?

Malware (malicious software) is the name given to any kind of software that hackers use to infect a computer (or any other programmable device) in order to cause harm to systems and exploit your business.

This could be ransomware, which locks you out of your computer or encrypts your files and demands payment to set them free, or spyware, which secretly monitors the user and gathers data.

Think of malware like a vampire. It will use cunning and disguise to manipulate you into inviting it over the threshold – and once it’s in, it will wreak havoc.

Phishing emails are the most common method of entry for malware. So, as discussed in the tip on educating your employees, training should still be the first line of defence.

But what do you do if it gets past that first line of defence? Fortunately, there are solutions.

Don’t get hooked by phishing emails

Phishing attacks are by far the most common type of cyber threat faced by small businesses, accounting for around half of all cyber attacks in the UK. Phishing emails try to trick or manipulate the recipient into handing over sensitive information, or clicking a dodgy link that could download malware onto their computer.

Phishing attacks can be targeted, but typically, scammers will send out thousands of emails with the hope of getting a handful of responses. Your email provider will scan for suspicious content, and automatically filter anything that looks like a scam or spam into your spam folder. These email filtering systems can sometimes be overzealous, so it’s good to check on them every now and again to see if anything important has been unfairly categorised.

But as phishing emails become increasingly sophisticated, you need to be able to spot the ones that slip through the net. Let’s take two examples:

An obvious phishing message (screenshot)

Do you notice anything suspicious about the above email?

Aside from the massive warning banner, there are some major red flags.

  • Firstly, it just doesn’t make any sense
  • Why is the recipient being debited for “2,383 plus fees today till 4PM” due to a customer complaint?
  • Why is the name in the email (Andrea.Randall) different from the email signature (Cher C Cruz)?
  • Why is an “outsource specialist” dealing with this customer complaint issue?
  • Why are the grammar and spelling so bad? “Past it” instead of “paste it”, “why you didn’t inform us about it?” instead of “why didn’t you inform us about it?”
  • Not to mention the fact that we know there’s no one called either Cher C Cruz or Andrea Randall in our organisation.

What happens if you ‘past’ the PDF into your browser? We don’t know, and we don’t want to find out.

Here’s another less obvious example.

Another phishing attempt (screenshot)

Spot the suspicious elements of this seemingly innocent request to beta test “a new application”?

  • In what capacity does Ahsan Ronin “represent” Amazon? Because it’s certainly not an employee. In fact, the sender’s email address is ‘’. Who is Joseph Bruno? And what is There’s a, but not a
  • Why is Ahsan interested in the recipient’s “candidacy”? What makes him think they’d be suitable to be a tester? No information is given
  • What is this new application? Scam messages will often be vague
  • A free annual Amazon Prime subscription would be great, thank you. But grand promises like this are always a warning sign. Remember: if it sounds too good to be true, it probably is
  • Finally, why is Ahsan asking the recipient to message him on his personal Facebook account? The link on the word Amazon also goes to this Facebook account

So, if you see any emails like this, delete them immediately and don’t click on any links, even if it seems like it’s just to a Facebook account. It could download a virus onto your computer.

What do you do if you are the victim of a phishing attack?

As hard as you try to prevent phishing attacks, there may come a day when, in an idle moment, someone inadvertently clicks on a link or hands over information to a scammer.

  • Step 1: Act fast – change passwords, scan for malware and follow any instructions given, assess any damage, and make an internal announcement telling employees to avoid any similar emails
  • Step 2: Don’t punish the victim. Doing so will only discourage others from coming forward in the event of a future attack
  • Step 3: Alert Action Fraud, the UK’s national reporting centre for fraud and cybercrime. They’ll provide you with a police crime reference number, and can also offer help and advice over the phone on 0300 123 2040. You can also forward any suspicious emails to the NCSC’s Suspicious Email Reporting Service (SERS):

Choose a decent web hosting provider

If you don’t use a website builder and need to pay for web hosting separately, make sure you choose a respected supplier with good security credentials.

For example, Bluehost gives its customers up to 80% off the retail price of SiteLock’s products. SiteLock conducts daily security scans to protect your site – it includes automatic malware removal, alerts, and email notifications, and patches any vulnerabilities it detects.

Check out our pick of the best website hosting providers for small businesses here.

If you want to be extra secure, opt for VPS or dedicated hosting. They’re more expensive than shared hosting, but because your website’s data sits on a private server rather than sharing one with other sites, a compromise of a neighbouring website is far less likely to affect yours.


Install antivirus software (and turn it on!)

Strictly speaking, a virus is just one type of malware, but antivirus software is actually designed to track down and remove all manner of malware.

These days, all Windows and Mac operating systems include free antivirus software that will do the job just fine. It even updates itself automatically, so all you have to do is make sure that it’s turned on. As a small business, you shouldn’t need anything more sophisticated than that, but you could always install a third-party antivirus product if you have different needs.

Update your software

Cyber criminals and those who wish to scupper them are locked in an eternal arms race. One thing you can do to stay ahead is make sure you have up to date software.

Software updates contain bug fixes and security patches that are designed to fix weaknesses. The sooner you update, the better, and although we know it can be tempting to ignore those constant update prompts from your devices, don’t. You can often set them to install overnight to avoid too much disruption to your working day.

Back up your data

Backing up your data is the best insurance policy you can have against a cyber attack.

During an attack, your data may be damaged, deleted, or even held to ransom. Having backups of your most important data mitigates this risk.

You can back up your data on an external hard drive, or in the cloud. If you’re using a hard drive, make sure that it isn’t permanently connected to the device you’re backing up, either physically or over a local network connection; otherwise ransomware that reaches the device can encrypt the backup as well.

Use strong passwords

Did you know that, if you only used letters and numbers, there are around 200 trillion possible eight character combinations?

But even those dizzying odds aren’t enough to stop hackers trying to break into your systems. And, if you don’t put adequate measures in place or enforce strong password practice, they just might succeed.

Hackers can use brute force, automatically trying billions of combinations of words, numbers, and symbols until the right one is found. They could install a keylogger on your device to record everything you type, including passwords, or, if you have passwords stored in documents, a data breach could result in those passwords being stolen.

Here’s some password best practice…

  • Don’t use personal details that are publicly accessible – birthdays, names of family members or pets etc.
  • Don’t write passwords down and store them anywhere – especially not on a sticky note on your screen, or anywhere else near a device
  • Do use a unique and random selection of wordssymbols!?numbers123,,CAPITALSandlowercase
  • Do use two-factor authentication – this usually requires you to use a one-time verification code as well as your password, which will be sent to your device
  • Encourage periodic changing of passwords

The best way to implement secure passwords is to use a password manager.

Password managers can create infinitely more complex passwords than you could conceive and remember on your own. They can then encrypt, store, and manage passwords for all your applications and online services, all in one place.

Our number one password manager is 1Password. It’s affordable, scalable, and super secure. Check out our in-depth guide to the best password managers here.

Two-factor authentication

We’d recommend switching on two-factor authentication for your email accounts to make them extra safe.

This second factor is an extra check on the identity of whoever is trying to access the account. It usually takes the form of a unique code that’s sent to you via text.

Don’t neglect your firmware

As the BBC reported in April, firmware attacks are on the rise, with 80% of global companies experiencing at least one firmware attack in the past two years. Despite this, many organisations don’t spend nearly enough time and resources protecting against these kinds of attacks.

Essentially, firmware is a type of simple software stored on your computer that instructs its hardware how to operate correctly. Unlike software, it cannot be changed or deleted by the end user, but providers can roll out mass firmware updates to fix bugs, deliver security patches, or add new features to their users’ devices.

In a firmware attack, a hacker will deliver malicious code into your device in order to gain control of it. This can be done remotely, through Wi-Fi or Bluetooth, or through an infected USB. What makes firmware attacks so dangerous is that they can be so hard to detect – and once in, they can spy on you, mine your data, or remotely control your device.

How do you protect yourself against a firmware attack?

Most of the work to protect firmware needs to be done by hardware manufacturers. Microsoft, Intel, and Dell have all recently launched new device security requirements to address longstanding vulnerabilities in their devices.

But you can still do your bit to protect yourself by:

  • Purchasing hardware that has advanced firmware protection built into it
  • Updating your firmware regularly (don’t ignore all those notifications to turn off your device for an update)
  • Avoiding using USB devices that you can’t identify

Don’t make your business an easy target

You should review the information about you and your business that you think needs to be publicly available online.

Criminals can use this information to create convincing phishing emails. They could masquerade as a senior person in your organisation by using very personal details to make it believable. This information is often freely available on social media accounts, such as the names of pets, and nicknames, which football club someone supports, and where they live.

For example, a cyber criminal might see that you have a personal relationship with a colleague by looking at your social media presence. They can see that your colleague calls you Big Dennis from a public post. They also learn that your dog’s name is Ralph, that Ralph has been unwell recently, and that you support Chelsea.

Then they send an email with a disguised email address that says:

Hey Big Dennis, 

Shocking result for Chelsea last night wasn’t it?

How’s Ralph doing? Recovered from his paw injury?

Because of this, it makes sense to keep your social media accounts private and think about what you post publicly.

Educate your employees

The best defence against phishing is education. Ensure you and your employees complete an accredited training course on cyber security. The National Cyber Security Centre (NCSC) has just launched a new free e-learning package for SMEs that you can download and integrate into your training platform.

Alternatively, you could try one of the following:

Have an incident response plan in place

Even if you follow the above steps to the letter, there’s no guarantee that your business will be safe from cyber attacks.

That’s why you need to have a proper procedure in place for when there’s a breach, and you need to communicate that plan to all relevant people in your organisation.

Here’s a three step incident plan for small businesses to follow in the event of a cyber security attack:

1. Diagnose

In order to correctly respond to the problem, you need to identify what has happened and assess the severity of the incident.

These questions will allow you to quickly gather crucial information that will inform an appropriate response.

  • Who reported the problem?
  • When did the incident happen, or when was it first reported?
  • What systems/software/hardware has been affected?
  • What is the likely impact on your organisation?
  • Who is affected by the incident?
  • Who is aware of the incident?

Assemble your cybersecurity incident response team

The answers to these questions will determine who you need to assemble from your incident response team. That could include (but is not limited to) senior management, department leads, IT, legal, PR, and HR. There should also be an incident and recovery manager, who will be responsible for ensuring all actions are effectively communicated and carried out.

2. Respond

Now you’ve gathered all the essential people, you can manage and respond to the incident.

It’s also important to track, document, and correlate any tasks, findings, and communications that arise during the incident response. This is important for a number of reasons – for starters, it ensures there’s a record of your procedures for future reference, and will be invaluable in the event of legal or regulatory action.

There are three steps to the response stage:

  • Analyse: This involves a technical analysis of any corrupted systems to determine the damage, as well as a review of any public reaction to the incident (if indeed there has been any). For example, if there’s been a leak of customer data, you’ll need to limit reputational damage and you could be in breach of GDPR
  • Contain: Now it’s time to limit the impact of the incident, and prevent it spreading and causing further damage. This could involve disconnecting affected systems and devices, resetting passwords, accounts, and access credentials, and – if necessary – even shutting down a core business system. PR may also need to prepare a media response
  • Eradicate: Once you’ve contained the threat, you can remove it from your network and systems. All traces of malware should be identified and securely removed, while software and systems should be secured, patched, and updated

3. Recover

Now the threat has been eliminated, it’s time to return to business as usual. You can restore any affected systems and reintroduce them to your business operations, and take any final actions to address legal or PR issues.

4. Learn

The incident might be over, but there’s one final step in the incident response plan. You should hold a post-incident review to determine what lessons can be taken from this incident that can be applied to future incidents.

  • Were there any security steps you could have taken to prevent the incident from happening?
  • Was the response effective?
  • Was there anything that could have been done better during the response?

Advice from an expert

Here, Misah Maragh, senior compliance manager at MVF, explains which cybersecurity measures small businesses can put in place to protect themselves.

What can startups do to provide cyber security for staff who are working remotely?

“Comms, comms and more comms. Stay connected with your employee(s) to keep them up to date with some of the cyber risks that they may face when home-working. 

“I find that by making your comms personal to the employee (i.e. not just about protecting the company), it ensures that the message resonates and can be applied easily. If you change the way they handle their own personal data, they will handle the company’s data the same way. 

Which cyber security tips would you offer to small businesses during coronavirus specifically?

“Watch out for phishing emails. With more people working from home this is an ideal time for cyber scammers to target individuals. They are using emotive subjects such as tax rebates and charity donations for nurses to get people to click. 

“Take your time when reading emails, verify that you know the person who is emailing you, and finally, don’t click links.” 

Are there any myths about cyber security that you’d like to bust?

“That it is technical and only a space for tech experts. Cyber security is something we all need to understand and can understand. 

“As a compliance professional, translating complex jargon into easy and simple language is important. There are a number of government sites that can help you to do this if you need the content.” 

Describe the state of cyber security in the UK. What are your predictions for it?

“Cyber security is an ongoing war. As individuals move more of their life online it presents significant risks that individuals, businesses, government and ethical hackers need to stay abreast of. 

“It is ever-changing and cyber security options need to be continuously revisited. The rule is to not get complacent, as the hackers are always looking for new and interesting ways to gain access to our systems, data and money.” 

Next steps

Cyber attacks are an ever present threat for small businesses, and can come with a reputational as well as a financial cost. And while you should do everything you can to minimise your business’s exposure to risk online, you should know that, according to the government’s latest Cyber Security Breaches Survey, breaches are far more common among medium and large businesses.

Just 37% of microbusinesses and 39% of small businesses identified a cyber attack in the last year, compared to 65% of medium firms, and 64% of large ones.

Government cyber security breach statistics (chart)

Be sensible, be vigilant, educate your staff, and follow the steps above, and there’s no reason your business shouldn’t be able to confidently operate in the online world.

Written by: Henry Williams
Henry has been writing for since 2015, covering everything from business finance and web builders to tax and red tape. He’s also acted as project lead on many of our industry-renowned annual indexes, including Startups 100 and Business Ideas, and created a number of the site’s popular how to guides.
