Cyber security for the small business: where to start

An honest start to a year-long series. What cyber security actually is, why small businesses are targeted, and the five things every small business has that attackers want.

_Part 1 of 12 in the Cyber security for the small business series._

If you run a small business — five staff or fifty, a high-street shop or a kitchen-table operation — you have almost certainly thought about locks on your doors, insurance on your stock, and perhaps even a burglar alarm. You have probably not spent the same amount of time thinking about your digital security. That is entirely understandable, and it is why I am writing this series.

Let me be upfront. This is not the kind of cyber writing that is designed to frighten you. The industry has, for too long, relied on fear to sell products. We have all seen the headlines — millions of records stolen, ransomware crippling hospitals, nation-state hackers in the shadows. Those stories are real, but they make cyber security feel like something only governments and global corporations need to worry about, and at the same time make it feel hopeless. Both impressions are wrong.

What cyber security actually is

Cyber security sounds technical. It sounds expensive. It sounds like something for people who understand what a firewall actually does. In reality, cyber security is simply the practice of protecting your business information and systems from people who should not have access to them. That is it. Everything else is detail.

You already practise physical security every day. You lock the office when you leave. You do not leave the company chequebook on a park bench. You probably shred sensitive documents rather than tossing them in the recycling. Cyber security is the digital equivalent of all those instincts you already have.

Why small businesses are targeted

There is a persistent myth that cyber criminals only target large organisations. It is a comforting thought, but it does not survive contact with reality. The UK Government's Cyber Security Breaches Survey consistently finds that around 38% of small businesses identify a breach or attack each year. The actual number is almost certainly higher, because many attacks go unnoticed.

The reason is straightforward economics. Attacking a large enterprise is like trying to rob a bank: high reward, heavy security, sophisticated detection, and a real chance of getting caught. Attacking a small business is more like finding an unlocked car with a laptop on the seat. The individual reward is smaller, but the effort is minimal and the success rate is high. When you can automate that and try thousands of unlocked cars simultaneously, the numbers add up quickly.

The five things every small business has that attackers want

You might think your business holds nothing of value to a criminal. Consider what you actually have.

Money. Whether it sits in your bank account, in invoices that can be redirected, or in payment card details from customers, your business handles money. That is inherently attractive.

Data. Customer names, email addresses, phone numbers, purchase histories. Employee records including National Insurance numbers and bank details. Supplier contracts and pricing. All of this has resale value.

Access. Your business email, your cloud accounts, your website. These can be used to attack your customers and your suppliers, or simply to send spam. A compromised business email account is worth significantly more on the criminal market than a compromised personal one.

Reputation. If an attacker can impersonate your business, they can defraud people who trust you. Your good name is an asset that criminals can exploit.

Computing resources. Even the humble office computer has processing power and an internet connection. Compromised machines get recruited into botnets, used for cryptocurrency mining, or used as stepping stones to other targets.

Security as operational quality, not insurance

Most security advice frames everything as risk avoidance: spend money now, or bad things will happen later. This is the logic of insurance, and whilst insurance is important, it is not particularly motivating.

A better frame is operational quality. A business that handles data carefully, communicates securely, and can recover quickly from disruption is simply a better-run business. Customers trust it more. Suppliers prefer working with it. Staff do not waste days dealing with the aftermath of incidents. In an era where data breaches make the news, being the business that takes this seriously is a genuine competitive advantage.

This is not about spending a fortune. Most of what this series will recommend costs nothing or very little. It is about habits, awareness, and a handful of straightforward technical measures. If you can manage a rota, you can manage your cyber security.

Cyber Essentials, and where this series will end up

The series will, by the end of the year, have walked you through everything required to meet Cyber Essentials, the UK Government's certification scheme for baseline cyber security. The scheme defines five controls every organisation should have in place: firewalls, secure configuration, user access control, malware protection, and security update management. If you do nothing else, getting these five right will defeat the great majority of opportunistic attacks. We will cover all of them over the coming months.

What January looks like

If you want to do one thing this month before next month's instalment, write down the answer to a single question on a single sheet of paper: what would my business lose if our email account was taken over tomorrow morning? Money in the bank account? Customer data? Supplier relationships? A specific contract that depends on us being responsive?

You do not need to act on the answer yet. You need only to have it written down. The rest of the year, in many ways, is the practical answer to the question.

Where we go next

Next month we look at what the attackers actually do — phishing, ransomware, business email compromise, the lot — in plain English and without the dramatic language. Knowing what we are defending against is the first step in defending against it.

This series is for the business owner who wants to do this properly without becoming a security professional. Read one post a month for the year. Act on the small monthly checklist. By December, you will have a more resilient business than 90% of the firms on your street.

That is the offer. See you in February.