Cyber security is now a business resilience issue, not just an IT issue.
A cyber incident can stop staff working, interrupt customer service, delay invoices, expose confidential information and damage trust. If personal data is involved, there may also be data protection responsibilities. The ICO provides specific guidance for small and medium organisations on data protection, information security and personal data breaches.
The most common attacks against small businesses are often opportunistic. Criminals use automated tools, phishing campaigns and leaked passwords to find easy targets. They are not always looking for a specific company. They are looking for a weakness.
That is why the basics matter. A small business with multi-factor authentication, updated devices, secure backups, good email protection and sensible access controls is much harder to compromise than one relying on passwords alone.
Many cyber security articles focus on sophisticated threats, but that is rarely where the biggest risks lie.
In our experience supporting UK SMEs, schools and growing organisations, most security improvements come from fixing relatively simple issues rather than deploying expensive security products.
The most common issues we encounter include:
Many organisations have enabled MFA for some users but not all users. Administrative accounts, shared accounts and older users are often excluded, creating security gaps that attackers can exploit.
It is surprisingly common to find organisations paying for Microsoft 365 Business Premium while making little or no use of the security tools already included in their licences.
Features such as Microsoft Defender for Business, Intune, Conditional Access and security baselines can significantly improve security when configured properly.
Accounts belonging to former employees are sometimes left active longer than they should be. Access permissions are often not reviewed when people change roles, creating unnecessary risk over time.
Many businesses believe they have backups until they need to restore data. A backup is only valuable if it can be restored successfully and within a timeframe the business can tolerate.
We frequently see organisations without properly configured SPF, DKIM and DMARC records. This leaves businesses more vulnerable to email spoofing, phishing attacks and domain impersonation.
The good news is that none of these issues require enterprise-sized budgets to fix. They're practical improvements that can significantly reduce cyber risk.
Good cybersecurity for small businesses is not about buying every security product available. It is about implementing the right controls consistently.
Here are the most important areas to focus on.
Multi-factor authentication, often shortened to MFA, should be one of the first controls every small business implements.
MFA makes it much harder for an attacker to access an account, even if they know the password. This is especially important for Microsoft 365, email, remote access, finance systems, HR systems and any system containing customer or employee information.
For Microsoft 365 environments, MFA should be enabled for all users, with particular attention given to administrator accounts. Admin accounts have higher privileges, so they should be protected more strongly than ordinary user accounts.
At a minimum, small businesses should use MFA for:
Cyber Essentials, the UK Government-backed cyber security scheme, is built around core technical controls designed to protect against common online threats. The NCSC describes Cyber Essentials as the minimum standard of cyber security recommended by the Government for organisations of all sizes.
Many attacks succeed because software is out of date.
Updates often include security fixes for known vulnerabilities. Once a vulnerability is public, attackers can actively scan for organisations that have not applied the update.
Small businesses should have a clear process for updating:
For many SMEs, device management tools such as Microsoft Intune can help enforce update policies, security baselines and compliance rules across company devices.
If devices are personally owned, the risk needs to be considered carefully. Bring Your Own Device setups can work, but they need clear policies, minimum security requirements and a way to protect company data.
Traditional antivirus is no longer enough on its own.
Small businesses should use modern endpoint protection that can detect malicious behaviour, suspicious files, ransomware activity and attempted compromise. Microsoft Defender for Business and Microsoft Defender for Endpoint are common options for organisations already using Microsoft 365.
Microsoft states that Microsoft 365 includes anti-malware protections and ransomware-related defences across services such as Exchange Online, SharePoint and OneDrive.
Endpoint protection should be deployed across:
It should also be monitored. Security software is far less useful if no one checks alerts, investigates warnings or responds to incidents.
Email remains one of the most common routes into a business.
Attackers use phishing emails to steal passwords, trick staff into paying fake invoices, deliver malware or convince users to approve sign-in prompts. Some attacks are obvious. Others are carefully written and look like normal business communication.
Small businesses should consider:
Exchange Online Protection is included with Microsoft 365 and scans incoming and outgoing email for known or suspected malware. Microsoft Defender for Office 365 can add further protection against phishing, malicious links and unsafe attachments.
Email security is especially important for organisations that regularly handle invoices, payroll, recruitment data, customer records or supplier payments.
Backups are one of the most important small business security measures because they support recovery.
If ransomware encrypts files, a staff member deletes important data or a cloud service is misconfigured, backups may be the difference between a difficult day and a serious business interruption.
The NCSC’s small organisation guidance highlights backing up data as a key cyber security action, and its ransomware guidance stresses the importance of having a recent offline backup of important files and data.
A good backup strategy should consider:
It is important to remember that Microsoft 365 is not the same as a full backup strategy. Microsoft 365 includes retention, versioning, recycle bin and recovery capabilities, but businesses still need to decide whether they require additional backup for Exchange, SharePoint, OneDrive and Teams data. Microsoft notes that SharePoint and OneDrive include versioning, recycle bin recovery and file restore capabilities that can support ransomware recovery.
Administrator accounts are high-value targets.
If an attacker compromises an ordinary user account, the damage may be limited. If they compromise an administrator account, they may be able to create new users, change security settings, access sensitive data, disable protections or hide their activity.
Small businesses should apply the principle of least privilege. This means users should only have the access they need to do their job.
Practical actions include:
Access control is not just a technical task. It is also a business process. Someone needs to own joiners, movers and leavers so that access is granted, changed and removed at the right time.
Remote and hybrid working can be secure, but it needs proper controls.
The risk increases when staff use unmanaged devices, weak home networks, shared family computers or personal cloud storage. A business does not need to ban flexible working, but it should set clear expectations.
Small businesses should consider:
Microsoft 365 environments can be configured to improve remote working security, especially when Microsoft Intune, Conditional Access and Defender are used together.
The aim is not to make work difficult. The aim is to let people work safely from different locations without exposing business data unnecessarily.
Many small businesses have some security controls, but no incident response plan.
That is a problem because the middle of an incident is the worst possible time to decide who does what.
The NCSC advises small and medium-sized organisations to plan for cyber incidents as part of general risk planning and provides response and recovery guidance for smaller organisations.
A simple incident response plan should answer:
In England, Wales and Northern Ireland, cyber crime and fraud can be reported through Report Fraud, which provides a route for reporting fraud and cyber crime to the police.
A response plan does not need to be complicated. A short, accurate, accessible plan is better than a long document nobody uses.
Some cyber security tasks can be handled internally. Others benefit from external support, especially where specialist configuration, assurance or ongoing monitoring is needed.
The most useful SME cybersecurity services usually include the following.
A Microsoft 365 security review checks whether your tenant is configured safely.
This can include:
This is often one of the highest-value activities for small businesses because Microsoft 365 contains email, files, Teams, identities and business data.
Cyber Essentials is a recognised UK baseline for cyber security. It focuses on core technical controls that help protect against common threats. The NCSC describes Cyber Essentials as suitable for organisations of all sizes and notes that it can help demonstrate that an organisation takes cyber security seriously.
Cyber Essentials can be useful for:
For many SMEs, the value is not just the certificate. It is the process of reviewing controls and fixing gaps.
An email security assessment looks at how well your organisation is protected from phishing, spoofing and malicious email.
This might include reviewing:
Email security is especially important because email is tightly connected to identity, finance, customer communication and internal approvals.
Endpoint management helps ensure business devices are secure, updated and configured consistently.
For Microsoft-focused organisations, this may involve Microsoft Intune, Defender and Windows security baselines.
Useful controls include:
This is particularly valuable for businesses with hybrid workers, multiple locations or staff using laptops outside the office.
Backup and disaster recovery services help a business recover from accidental deletion, ransomware, hardware failure or cloud data issues.
A good service should include:
The NCSC’s malware and ransomware guidance identifies regular backups as one of the key actions for reducing the impact of malware and ransomware attacks.
Staff training helps people recognise suspicious emails, unusual payment requests, fake login pages and unsafe links.
Training does not need to shame users or turn every mistake into a disciplinary issue. The goal is to create a culture where staff feel comfortable reporting concerns quickly.
Good training should be:
Managed IT support can help small businesses maintain security over time.
One-off projects are useful, but cyber security also needs ongoing attention. Users join and leave, devices age, licences change, threats evolve and Microsoft 365 settings are updated regularly.
A managed support provider can help with:
For most SMEs, the best approach is a combination of good internal ownership and reliable external support.
Ransomware prevention should be a priority for every small business.
Ransomware is a type of malware that prevents access to devices or data, often by encrypting files and demanding payment for recovery. The NCSC warns that paying a ransom does not guarantee access will be restored and that law enforcement does not encourage, endorse or condone paying ransom demands.
The most effective ransomware prevention measures are practical and achievable.
MFA reduces the chance that stolen passwords can be used to access systems.
Prioritise Microsoft 365, remote access, administrator accounts, finance systems and backup platforms.
Attackers often exploit known vulnerabilities.
Patch operating systems, browsers, firewall firmware, remote access systems and business applications.
Many ransomware incidents begin with phishing.
Use strong email filtering, block malicious attachments where possible, and train staff to report suspicious messages quickly.
Modern endpoint protection can help detect malware, ransomware behaviour and other suspicious activity.
For Microsoft 365 customers, Microsoft Defender products may already be available depending on licensing.
Ransomware can do more damage when users have excessive permissions.
Restrict admin access, use separate admin accounts and regularly review permissions.
Backups should be protected from the same attack that affects your live systems.
This means considering offline, immutable or separately protected backups, and testing restores regularly.
Know what you will do if ransomware is suspected.
This should include isolating affected devices, contacting IT support, preserving evidence, checking backups, communicating with stakeholders and considering reporting obligations.
Cyber security risk management does not need to be complicated.
For most small businesses, a simple four-step model works well.
Start by understanding what you need to protect.
Ask:
This helps you focus on the areas that matter most.
Put sensible controls in place.
This includes MFA, patching, endpoint protection, email security, backups, access control and staff training.
Make sure someone will notice if something goes wrong.
This could include Microsoft 365 alerts, Defender alerts, backup failure alerts, sign-in monitoring and user reporting processes.
Plan how you will restore services.
Recovery includes backups, documentation, supplier contacts, communication templates and decision-making responsibilities.
The NCSC recommends that organisations plan for cyber incidents before they happen, because cyber attacks can significantly impact businesses of any size or sector.
Many small businesses run on Microsoft 365, but Microsoft 365 is only as secure as its configuration.
A secure Microsoft 365 environment should usually include:
Microsoft 365 includes ransomware-related protections in services such as Exchange Online, SharePoint, OneDrive and Teams, including email protection, versioning, recycle bin recovery and file restore capabilities.
However, these features still need to be reviewed and configured around the needs of the business. A default setup is not always the same as a secure setup.
One of the most surprising things we find when reviewing Microsoft 365 environments is that many organisations already own powerful security tools they are not actively using.
This is particularly true for businesses licensed on Microsoft 365 Business Premium.
Rather than purchasing additional products immediately, many SMEs can improve their security posture by making better use of tools they already have access to.
Provides business-grade endpoint protection, threat detection and security monitoring across Windows devices.
Allows organisations to manage devices, enforce security settings, deploy applications and protect company data on laptops, desktops and mobile devices.
Helps control who can access business data, from where, on what device and under what conditions.
Provides built-in malware and spam filtering for Microsoft 365 email environments.
Enable stronger identity protection, user risk monitoring and reduced opportunities for account compromise.
In many cases, improving security is less about buying more tools and more about ensuring existing tools have been configured appropriately.
If you're already paying for Business Premium, it's worth understanding exactly which security capabilities are included in your licence and whether they are being fully utilised.
If you're unsure whether your Microsoft 365 environment is configured securely, the following warning signs are worth investigating:
You do not necessarily need to solve every issue immediately. However, if several of the points above apply to your organisation, a security review could identify quick wins and reduce overall cyber risk.
If you're feeling overwhelmed by the number of security recommendations available, start small.
The goal is progress, not perfection.
Focus on identity protection.
Focus on endpoints.
Focus on recovery.
Focus on resilience.
By the end of 30 days, most SMEs will have made meaningful improvements to their security posture without major disruption to day-to-day operations.
Use this checklist as a quick self-assessment.
✅ MFA enabled for all users
✅ Separate administrator accounts in use
✅ No unused accounts remaining
✅ Password manager implemented
✅ Devices receive security updates automatically
✅ Endpoint protection deployed
✅ Device encryption enabled
✅ Business devices managed appropriately
✅ SPF configured
✅ DKIM configured
✅ DMARC configured
✅ Anti-phishing protection enabled
✅ Critical systems identified
✅ Backups monitored
✅ Backup restores tested
✅ Microsoft 365 retention reviewed
✅ Security responsibilities documented
✅ Leaver process documented
✅ Incident response plan created
✅ Key supplier contacts recorded
16-20 checks: Strong foundation
11-15 checks: Good progress, but improvements recommended
6-10 checks: Significant gaps likely exist
0-5 checks: Cyber security should be prioritised urgently
Cybersecurity for small businesses is not about fear. It is about resilience.
Most SMEs do not need an enterprise security operation from day one. They need the fundamentals implemented properly, reviewed regularly and supported by clear processes.
If you are not sure where to start, focus on these priorities:
These measures reduce the risk of common attacks, improve ransomware prevention and give your business a stronger foundation for growth.
If your business uses Microsoft 365 and you are unsure whether your current setup is secure, a practical security review is often the best first step.
The most important cyber security measures for small businesses are multi-factor authentication, regular software updates, endpoint protection, secure email filtering, reliable backups, access control and staff awareness training. The NCSC’s guidance for small organisations focuses on practical areas such as backups, devices, accounts and phishing.
A small business can reduce ransomware risk by enabling MFA, keeping systems updated, protecting email, using endpoint protection, limiting administrator privileges and maintaining protected backups. The NCSC recommends regular backups and steps to prevent malware from being delivered, spreading and running on devices.
The most important SME cybersecurity services usually include Microsoft 365 security reviews, Cyber Essentials support, email security assessments, endpoint management, backup and disaster recovery, staff awareness training and managed IT support. Cyber Essentials is the UK Government-backed scheme designed to help organisations protect themselves against common online threats.
Microsoft 365 includes strong security capabilities, but they need to be configured correctly. Features such as MFA, Defender, Exchange Online Protection, SharePoint versioning, OneDrive recovery and retention settings can all improve protection, but organisations should review their setup regularly.
Cyber Essentials is not mandatory for every small business, but it is a useful security baseline and may be required for some contracts or supply chains. It can also help demonstrate to customers and suppliers that your organisation takes cyber security seriously.
No. Ransomware can affect organisations of any size. The NCSC provides ransomware guidance for private and public sector organisations and recommends that smaller organisations also follow its Small Business Guide.
A small business should isolate affected systems, contact its IT support provider, preserve evidence, check backups, reset compromised credentials and consider reporting obligations. In England, Wales and Northern Ireland, cyber crime and fraud can be reported through Report Fraud.
NCSC: Small organisations guide to cyber security
NCSC: Cyber security advice for small to medium sized organisations
NCSC: Cyber Essentials overview
NCSC: Mitigating malware and ransomware attacks
NCSC: Ransomware guidance
Microsoft Learn: Ransomware protection in Microsoft 365
Microsoft Learn: Malware protection in Microsoft 365
ICO: Advice for small and medium organisations
GOV.UK: Cyber Essentials scheme overview
Report Fraud: UK cyber crime and fraud reporting