Basic cybersecurity for SMEs: 10-point checklist
60% of cyberattacks target small businesses. This guide explains how to protect yourself without being a tech expert.
Why SMEs are hackers' favourite target
There is a dangerous myth among small business owners: "nobody will attack me, I am too small to matter". It is exactly the opposite.
Hackers attack SMEs precisely because they are small. They have less protection, less security budget and their employees receive less training. They are easy targets.
According to recent studies, 60% of cyberattacks target small and medium businesses. And 60% of attacked SMEs close within 6 months of the attack.
The good news: 95% of cyberattacks on SMEs could be prevented with basic security measures. You don't need to be an expert. You need good habits and the right tools.
The 5 most common attack types on SMEs
1. Phishing
An apparently legitimate email (from your bank, HMRC, Royal Mail) asks you to click a link or enter your details. It is the most common and most effective attack because it doesn't exploit technology; it exploits human trust.
2. Ransomware
A malicious program encrypts all your files and demands a ransom to recover them. Clinics, law firms and shops are frequent targets because their data is critical to operate.
3. Password theft
Through fake websites, keyloggers or leaked databases, attackers obtain your passwords and gain access to your email, online banking or management systems.
4. Website attacks
Code injections, unauthorised access to the admin panel, malware installation on your website. These can result in theft of customer data or your site being blacklisted by Google.
5. Social engineering
Someone calls pretending to be tech support, your bank or a supplier. They convince an employee to reveal information or install malicious software.
The 10-point checklist to protect your business
Basic cybersecurity checklist
- Unique and strong passwords. Each account must have a different password with at least 12 characters. Use a password manager such as Bitwarden (free) or 1Password.
- Two-factor authentication (2FA). Enable it on email, online banking and any critical tool. If your password is stolen, an attacker still needs your phone to get in.
- Updated antivirus on all devices. Not the one that came pre-installed, but a managed corporate antivirus that monitors in real time.
- Automatic cloud backups. Daily, automatic and stored in a different location to your devices. If hit by ransomware, you restore from the backup.
- Business WiFi separate from customer WiFi. Never on the same network. Customer WiFi must be isolated from your internal systems.
- Automatic updates enabled. 85% of attacks exploit already-patched vulnerabilities. Keep Windows, applications and plugins updated.
- Basic team training. An employee who can spot a phishing email is worth more than any antivirus. A 1-hour session can prevent a disaster.
- Role-based access control. Each employee should only access what they need for their job. If an employee falls for a scam, the damage stays limited.
- Incident response protocol. What does your team do if they think they've been attacked? They must know who to call and what NOT to do (such as turning off the computer if they suspect ransomware).
- Basic GDPR compliance. If you store customer data (name, email, phone), you have legal obligations. Privacy policy on the website, processing register and minimum security measures.
How much does protecting an SME cost?
Less than you think, and much less than suffering an attack. Basic protection for a business of 1 to 10 people can cost between £50 and £150/month and includes managed antivirus, automatic backup, password management and basic monitoring.
The average cost of recovering from a cyberattack for an SME ranges between £3,000 and £50,000 in lost data, downtime, system recovery and potential fines for customer data breaches.
Where to start today
If you have no active security measures, start with these three steps this week:
Step 1: Install Bitwarden (free) and change the passwords for your email, banking and main tools to unique, strong passwords.
Step 2: Enable two-factor authentication on your email and online banking. It's free and takes 5 minutes.
Step 3: Get an automatic cloud backup service for your critical files. iDrive or Backblaze cost less than £10/month.
With these three steps you are already better protected than 70% of SMEs around you.