The essential cybersecurity checklist for UK small businesses

Cyber attacks can cause both financial and reputational harm to small businesses. Our straightforward guide tells you the simple ways you can prevent them from happening.

Cyber attacks have been ramping up in 2025, with high-profile businesses like M&S, Harrods and Co-op all being hit. According to the government’s 2025 Cyber Security Breaches Survey, just over four in 10 businesses reported a cyber attack in the 12 months prior to June.

If you’re running a small business, it’s tempting to think you might be too small to be a target for cyber attacks, or you might simply find the topic too daunting to address. But having strong cybersecurity is just as important to a business as adhering to GDPR compliance.

Smaller businesses can be an attractive target for cyber-criminals as they can lack the resources and IT infrastructure to effectively defend themselves. The effects of a cyber attack on an SME could be devastating, both financially and reputationally. That’s why we’ve devised our simple, easy-to-follow, cybersecurity checklist to ensure your business is fully prepared.

💡Key takeaways

  • Over 40% of small and medium-sized enterprises (SMEs) have experienced a cyber attack, with the average cost of a breach for a small business being £7,960.
  • Your staff must be trained to identify phishing scams and use strong passwords, preferably made up of three random words.
  • Key technical defences include implementing multi-factor authentication (MFA), using firewalls and anti-virus software, and ensuring all company software is set to update automatically.
  • Protect your data using the ‘3-2-1’ backup rule: keep three separate copies of your data on two different types of media, with at least one copy stored off-site.
  • You must have a clear action plan for data breaches; by law, certain incidents must be reported to the Information Commissioner’s Office (ICO) within 72 hours.

Why is cybersecurity awareness important?

As noted above, over 40% of SMEs have experienced cyber attacks. Encouragingly, though, the number of small businesses reporting cyber breaches has dipped this year, from 718,000 UK businesses in 2024 to 612,000 in 2025.

It’s important to note the reason for this fall though: small businesses are starting to polish up their cyber hygiene. This year has seen a marked increase in small businesses undertaking cybersecurity risk assessments, cyber insurance and continuity plans that specifically address cybersecurity.

So the threats are still out there; it’s just that businesses are becoming more cybersecurity savvy, and you don’t want to be left behind. Cybersecurity is an often overlooked area when you’re starting your business, but it is one you should consider from the outset and maintain consistently over time.

According to the BBC, the average cost of a cyber breach to a UK business is £7,960 for micro/small businesses, and £12,560 for medium/large businesses. For many SMEs in the UK, already struggling to manage their overheads, a blow of this nature could potentially cripple them.

The actionable cybersecurity checklist

To make sure your business doesn’t end up as an unfortunate statistic on next year’s Cyber Security Survey, we’ve provided a breakdown of the three key areas that all small businesses should have in place:

  • The human firewall: how to train your team and develop good habits.
  • The digital defence: the technology that you need to be employing in your workflow.
  • The safety net: your company’s data and how you can protect it.

We’ll break down what each one entails, and what you need to do, below.

The human firewall

A company’s security is only as strong as its staff. Even with top-tier online protection, human error can result in cataclysmic consequences. This is how you can create a well-trained staff and develop good cybersecurity habits.

Create strong passwords and have an efficient password manager

Weak passwords that can be easily guessed are a major vulnerability and can give malicious entities access to your data. So get rid of any Password123s, pet names or birthdays. Guidance from the National Cyber Security Centre (NCSC) suggests you should use three random words.

With multiple passwords for different accounts and devices, you should consider making things easier for your staff with a password manager – this is a tool that stores multiple passwords behind a single master password.

Use multi-factor authentication (MFA)

Relying on a standard username and password alone as a login system is too weak, so you need to add a second “factor”, also known as two-step verification. This is one of the most effective tools for preventing unauthorised access to your systems and is something all businesses should have in place.

You should be using it across all your business-related platforms, whether it’s bank accounts, social media or email.

Keep on top of access controls

Another key vulnerability that’s often overlooked: which of your employees have access to what? Make sure you have a comprehensive view of access controls and your staff are restricted to what they need.

Extra permissions should only be granted to staff who absolutely require it for their role.

Train your staff on cybersecurity

If your employees are not up to speed on cybersecurity awareness, they can easily fall prey to phishing scams and harmful links. Phishing emails are a type of scam in which individuals are deceived into installing malware or giving out data.

Make sure your staff are trained to spot the signs of phishing emails, such as poor grammar and urgent requests for money transfers. These scams are becoming increasingly sophisticated, so regularly update your staff on what to look out for.

You’ll need to develop a full cybersecurity training module for your business and encourage a company culture of cyber-literacy. You can find guidance from the government on cybersecurity training for your business.

Encourage your staff to report security breaches

Don’t punish your staff for falling victim to a phishing scam. Anybody can fall prey to an online scam, and it’s far more beneficial to your business to create an environment where staff feel confident about reporting lapses in security.

Have a clear protocol in place, so staff know who to report to. If you believe a staff member was a victim of a phishing scam you should immediately change associated passwords and scan for malware.

The digital defence

Alongside a well-trained workforce and solid internal infrastructure, another line of defence against cybercrime is reliable and up-to-date technology.

Always keep your software updated

Outdated software can leave you vulnerable to attacks and viruses. You need to make sure you’re regularly patching and updating all your software and systems.

Malware is constantly evolving, so you need to make sure your systems have the latest protections installed. Keep all company devices set to “automatically update” where available, and don’t keep using old hardware that no longer receives firmware or security updates.

Have anti-virus software and firewalls installed

Installing anti-virus software on all business devices is non-negotiable. Most work equipment will come with anti-virus software pre-installed, but always check that this is the case and make sure it has been enabled.

You’ll also need a firewall installed. A firewall is a network security system that monitors all incoming and outgoing traffic, allowing or blocking it according to a set of rules, and is a must-have for your systems.

Make sure your Wi-Fi network is secure

Make sure you have a unique password in place for your work Wi-Fi and use strong encryption such as WPA3. Make sure your physical servers are also secure, kept in a locked area with access restricted to permitted staff.

Another key tip: make sure to change all the default settings and passwords upon setting up. You should also encourage your staff not to log on to public Wi-Fi hotspots. You can use the NCSC’s free cybersecurity checker tool to identify weaknesses in your IT.

Keep all company devices secure

Whether it be laptops, tablets or smartphones, you need to keep any hardware used for company purposes secured. You should do this by making sure all devices are password-protected, and all operating systems and downloaded apps are up to date.

You should also make sure you have a stolen device policy for your business, so your employees know what to do if a device is lost or stolen. Make sure you also have the ability to track devices, as well as remotely lock or erase the device if it falls into the wrong hands.

The safety net

Ensuring effective data protection for a small business is critical. If you suffer a security breach and leak customer information, this could result in irrevocable reputational damage, and potentially legal repercussions and fines.

Use the “3-2-1” rule

One of the most effective strategies for backing up your data, the 3-2-1 backup rule means keeping three separate copies of your data. The three copies should be kept on two different types of storage media, with at least one copy kept off-site. This ensures that you will still have access to crucial data in the event of a cyber attack or other technical problem.
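A practical way to apply the rule is to keep a simple inventory of where each dataset’s copies live and check it against the three conditions. The script below is an added example, not part of the original article or of any NCSC tool; the inventory records and media names are constructed for illustration, and it follows the common convention that the live working copy counts as one of the three.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str     # where this copy lives (constructed names, not real systems)
    media: str     # storage medium type, e.g. "laptop-ssd", "usb-hdd", "cloud"
    offsite: bool  # True if the copy is kept away from the office


def check_321(copies):
    """Return the 3-2-1 conditions this set of copies fails (empty list = compliant).

    3: at least three copies (the live working copy counts as one, by convention)
    2: copies spread over at least two different media types
    1: at least one copy kept off-site
    """
    failures = []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies (need 3)")
    media = {c.media for c in copies}
    if len(media) < 2:
        failures.append(
            f"all copies on one media type: {', '.join(sorted(media)) or 'none'}"
        )
    if not any(c.offsite for c in copies):
        failures.append("no off-site copy")
    return failures


def audit(inventory):
    """Run check_321 over a {dataset: [BackupCopy, ...]} inventory.

    Returns {dataset: failures} for the non-compliant datasets only.
    """
    return {
        name: failures
        for name, copies in inventory.items()
        if (failures := check_321(copies))
    }


# Constructed sample inventory for a small office (illustrative, not real data)
SAMPLE_INVENTORY = {
    "customer-records": [
        BackupCopy("office-laptop", "laptop-ssd", offsite=False),
        BackupCopy("usb-drive-in-safe", "usb-hdd", offsite=False),
        BackupCopy("cloud-backup", "cloud", offsite=True),
    ],
    # three copies, but all on the same NAS in the same building
    "invoices": [
        BackupCopy("office-nas-share", "nas", offsite=False),
        BackupCopy("office-nas-snapshot", "nas", offsite=False),
        BackupCopy("office-nas-archive", "nas", offsite=False),
    ],
    # two media types and an off-site copy, but only two copies in total
    "website-source": [
        BackupCopy("dev-laptop", "laptop-ssd", offsite=False),
        BackupCopy("git-hosting", "cloud", offsite=True),
    ],
}

if __name__ == "__main__":
    for name, failures in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: " + "; ".join(failures))
```

Running it lists `invoices` (one media type, nothing off-site) and `website-source` (only two copies); `customer-records` passes. A ransomware infection or a fire at the office would take out every copy of the invoices at once, which is exactly the scenario the off-site and separate-media conditions guard against.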

Encrypt your data

With the increasing focus on cloud-based and remote working, you need to make sure your data is fully encrypted. Encryption means increased privacy and prevents third parties from reading your data if they get hold of it. You can use encryption software such as Windows BitLocker to protect your data.

Backup your data with cloud storage

Don’t just rely on having physical copies of your data. You should consider using cloud-based storage to back up your data. Just make sure you have selected a provider with strong security protocols in place and a good reputation. It’s worth looking at the government’s cloud security guidance before choosing a provider.

Be careful with USBs

USBs and other types of memory sticks and drives can be a convenient way of transferring data, but it only takes one malware-infected drive to harm your entire network. Encourage your staff to share files via the cloud and email instead, and restrict use to company-approved memory sticks only.

Properly dispose of old equipment

When getting rid of old, unwanted devices from the workplace, never just throw them in the bin. You need to make sure all data has been wiped from the device before disposing of it. You can use software to erase the data, or consider hiring a specialist.

How to respond to a data breach

Before a data breach even occurs, the best thing is to have already created a clear, simple-to-follow action plan. Your plan should include step-by-step instructions, so you’re prepared for any type of data breach.

The NCSC provides detailed guidance on what to include in your plan. You can also visit Cyber Action Plan to get a free personalised action plan, to help prevent cyber attacks on your business.

If you’ve suffered a data breach, just remember to stay calm and don’t panic. First, you’ll need to identify the extent of the breach, then try to contain it. Determine what has happened, why you think you might have been (or still are being) attacked and assess the scope of the damage.

Once the incident is resolved, you will need to report it to the relevant authorities and stakeholders. For certain incidents you’re required by law to report the cyber attack to the Information Commissioner’s Office (ICO) within 72 hours.

Another action your business can take is to report the incident through the Action Fraud website. Action Fraud is the national fraud and cyber crime reporting centre, and they will be able to advise you on the next steps to take.

If you’re suffering from a live cyber attack, you can also contact Action Fraud by phone on 0300 123 2040.

Summary

Having strong cybersecurity is more than just about downloading the right software. Rather than flipping on a switch, it’s an ongoing process of developing good habits over time, gaining better understanding of your IT system, and determining the weak spots and danger areas.

Get started today

While it might all feel a bit overwhelming, there are some immediate steps you can take to make sure you’re headed in the right direction. You should start by:

  1. Enabling MFA on your primary email account.
  2. Asking your staff to visit and complete the top tips training from the NCSC.
  3. Checking that your laptop, smartphone and tablet are all currently updated with the latest firmware.

Taking even these simple steps is an investment in the future of your business and is just as important a safety net as having the right business insurance. Cybersecurity might seem like a headache, but taking the right precautions now is far preferable to dealing with the fallout of an attack or data breach.

Written by:
Eddie is resident Senior Reviews Writer for Startups, focusing on merchant accounts, point of sales systems and business phone systems. He works closely with our in-house team of research experts, carrying out hours of hands-on user testing and market analysis to ensure that our recommendations and reviews are as helpful and accurate as possible. Eddie is also Startups video presenter. He helps create informative, helpful visual content alongside our written reviews, to better aid customers with their decision making. Eddie joined Startups from its sister site Expert Reviews, where he wrote in-depth informational articles and covered the biggest consumer deals events of the year. And, having previously worked as a freelancer providing screenplay and book coverage in the film and television industry, Eddie is no stranger to the demands of the sole trader.
