7 March 2026 by Louise
Security, Small Business, IT Support

We had a client ring us last month in a panic. Someone had got into their email, sent invoices to three of their customers with different bank details, and walked off with just under twelve grand before anyone noticed. The business had seven employees. No IT department. No security budget to speak of. They thought they were too small to be worth targeting, and that’s exactly what made them easy.

They’re not unusual. The UK government’s 2025 Cyber Security Breaches Survey found that 43% of UK businesses experienced a cyber attack in the previous twelve months, with small businesses averaging around GBP 3,490 per incident. These aren’t headline-grabbing attacks on banks. They’re quiet, opportunistic hits on companies that left a door open.

I want to walk through the things we recommend to every small business we work with. None of this is expensive. Most of it is free.

Multi-Factor Authentication: the One I Always Push Hardest On

If I could only get a client to do one thing, it would be this. Multi-factor authentication (MFA) means that even if someone steals your password, they still can’t get in without a second verification, usually a code from an app on your phone.

We see password compromises constantly. Credentials from old data breaches get tested against thousands of login pages by automated tools. If your Xero password is the same one you used on a forum in 2019, you’re already exposed. MFA stops that dead.

Start with email. Whoever controls your email can reset passwords on everything else: your accounting software, your CRM, your supplier portals. Email is the master key to your entire business. Protect it like one.

Then work outward: banking, Microsoft 365 or Google Workspace, any system that holds customer data or financial information. Most services offer MFA now and it takes about ten minutes per account to set up.

Phishing Is Smarter Than You Think

Last month a client forwarded us an email that looked exactly like a Xero invoice notification. Perfect branding, correct sender name, even a reference to a real supplier. The only tell was that the reply-to address was off by one character.

That’s the standard now. The days of dodgy grammar and Nigerian prince stories are mostly gone. Modern phishing emails are targeted, well-researched, and convincing. Criminals scrape LinkedIn to find out who your finance person is, then send them a message that looks like it’s from the managing director asking for an urgent bank transfer.

Train your team, but be realistic about it. No amount of awareness training makes people infallible. Layer your defences: use email filtering, enable SPF, DKIM and DMARC on your domain, and adopt one simple rule: if anyone asks for money or credentials by email, verify it by phone first. Every time, no exceptions.
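As an added illustration (this is not code from the post), here is a small Python sketch of two checks from that layered defence: spotting a reply-to domain that is one character away from your real one, and flagging a DMARC record whose policy is still p=none. The domain names and records are constructed for the example.

```python
# Constructed sample values (not from the post): the organisation's own mail
# domain and a published DMARC TXT record. Domains here are made up.
TRUSTED_DOMAINS = {"example-accounts.co.uk"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: lookalike domains are typically one edit away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    """Pull the domain out of 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()

def lookalike_reply_to(from_addr: str, reply_to: str, trusted=TRUSTED_DOMAINS):
    """Return the legitimate domain the Reply-To imitates, or None if it is fine.
    Catches the 'off by one character' case from the invoice email above."""
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_to)
    if reply_dom == from_dom or reply_dom in trusted:
        return None
    for good in trusted | {from_dom}:
        if edit_distance(reply_dom, good) <= 1:
            return good
    return None

def dmarc_weaknesses(record: str) -> list:
    """Flag settings in a DMARC record that leave the domain spoofable."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("not a DMARC1 record")
    if tags.get("p", "none") == "none":
        issues.append("p=none: spoofed mail is only reported, never rejected")
    if "rua" not in tags:
        issues.append("no rua=: you will not receive aggregate reports")
    return issues

# A weak record as often found on small-business domains, beside a corrected one.
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-accounts.co.uk"
```

Move a domain from p=none to p=quarantine or p=reject only after the aggregate reports show your own senders are passing SPF or DKIM.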

Password Managers

You cannot remember fifty different strong passwords. Nobody can. Get a password manager (we usually recommend Bitwarden or 1Password) and generate unique passwords for everything. Your team members each get their own vault. It costs a few quid per person per month and eliminates password reuse overnight.

Back Up Everything, the Right Way

If ransomware encrypts your files, you need backups that aren’t connected to your network. Otherwise the ransom note becomes your only option.

Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite. That means your live system, a local backup, and a cloud backup, all automated and run daily. And critically, test your restores. We’ve seen businesses discover their backups were silently failing only when they needed them.
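An added example (not from the post) of what a restore test looks like in Python: it takes a local backup of a constructed folder, restores it into a scratch directory and compares every file hash, then shows the result when the backup job has silently stopped while the live data kept changing.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(source: Path, archive: Path) -> None:
    """The local backup copy: a compressed tar of the whole live tree."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")

def verify_restore(source: Path, archive: Path) -> dict:
    """Restore into a scratch directory and hash-compare every live file.
    A backup that does not restore byte-for-byte is not a backup."""
    missing, changed = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch)
        for live in source.rglob("*"):
            if not live.is_file():
                continue
            rel = live.relative_to(source)
            restored = Path(scratch) / rel
            if not restored.is_file():
                missing.append(str(rel))
            elif sha256_of(restored) != sha256_of(live):
                changed.append(str(rel))
    return {"ok": not (missing or changed), "missing": missing, "changed": changed}

def run_demo() -> tuple:
    """Constructed scenario: a backup taken today, then the same archive after
    the backup job silently stopped while the live data kept changing."""
    with tempfile.TemporaryDirectory() as work:
        src, archive = Path(work) / "live", Path(work) / "backup.tar.gz"
        src.mkdir()
        (src / "invoices.csv").write_text("inv-1001,450.00\n")
        (src / "customers.csv").write_text("acme ltd\n")
        make_backup(src, archive)
        fresh = verify_restore(src, archive)      # expected: ok
        (src / "invoices.csv").write_text("inv-1001,450.00\ninv-1002,90.00\n")
        (src / "suppliers.csv").write_text("bolt co\n")
        stale = verify_restore(src, archive)      # expected: changed + missing
    return fresh, stale

if __name__ == "__main__":
    print(run_demo())
```

The same check run against your real backup target on a schedule, with the result sent to someone who will read it, is what turns a backup into one you can rely on.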

Keep Software Updated

Turn on automatic updates everywhere. Windows, macOS, your applications, your router firmware. Updates patch security holes that criminals actively scan for. This one is simple and boring and it matters.

Not Everyone Needs Admin Access

Give people the minimum access they need to do their job. When someone leaves, remove their access the same day. We see old accounts sitting active months after someone has moved on. Each one is a way in.

What to Do If You Think You’ve Been Breached

Don’t panic. Move through this in order:

  1. Isolate the affected systems from your network immediately.
  2. Ring your IT support. Get professional help before you start changing things.
  3. Change critical passwords (email, banking, accounting software) from a different, clean device.
  4. Check your backups to see what’s safe and what’s compromised.
  5. Notify your customers and relevant authorities if personal data was exposed. Transparency matters legally and for trust.

Don’t pay ransoms unless you’ve exhausted every other option, and even then, get professional advice first.

I’d start with MFA on your email accounts this afternoon. That single step blocks more attacks than anything else on this list. Then work through the rest over the coming weeks: password manager, backups, access review. It doesn’t have to happen all at once.

If you’re not sure where your gaps are, a quick audit of these basics will tell you more than any expensive security product.
