We’ve all seen the recent doom and gloom in the news regarding cyber security, but for a business, remember that IT is central to every function these days. Whilst you’d expect Amazon and Facebook to be on top of their game, every business has data you don’t want criminals getting hold of.
- 1. Multi Factor Authentication (Free)
- 2. Regular Software Updates (Free)
- 3. Staff Training (Free)
- 4. Change Default Passwords (Free)
- 5. Check Permissions & Access Controls (Free)
- 6. Install Endpoint Protection (Free)
- 7. O365 Secure Score (Free)
- 8. Regular Backups & Tests
- 9. Create an Incident Response Plan (Free)
- 10. Penetration Testing
- Summary
I started working in IT over 20 years ago, and whilst Cyber Security was a ‘thing’, it was nowhere near as prevalent as it is today. Back then, we didn’t hold our entire livelihoods on interconnected cloud services; as time has gone on we’ve enjoyed the efficiencies and conveniences of technology, and in doing so made cyber crime easier. Years ago, someone would need to break into your offices to steal your server to get your data; now they can mount an attack without leaving their flat.
So before we kick off, here are some examples of recent breaches where you do not want to be added to the list!
| Company | When | Data | Financial Impact |
|---|---|---|---|
| Marks & Spencer | April 2025 | Stolen customer data & sales disruption | c. £300m |
| Co-op | May 2025 | In-store systems crashed, leading to supply chain disruption | c. £400m |
| Louis Vuitton | July 2025 | Names, contact details & purchase history | Unknown |
| Jaguar Land Rover | September 2025 | Production disruption | £1.7bn |
| Kido Nursery | September 2025 | Names, addresses, photographs, medical & safeguarding information for c. 8,000 children | Unknown |
Whilst, in this day and age, everything connected to the internet is potentially subject to a cyber attack, there are a number of sensible precautions that should be in place.
Most of these cost you and your business absolutely nothing to put in place.
1. Multi Factor Authentication (Free)
You’ll most likely be aware of MFA already: where you’d previously put in a username and password, you now need another key to get in. This usually takes the form of a code from an authenticator app, but can also be a hardware security key.
The benefits are obvious: if someone knows your password, they now need something else to prove they’re you (or your IT team). Multi-factor authentication is like needing both a passport and a driving licence to prove your ID.
Most enterprise-level systems have an MFA option, and from 1st October Microsoft will be requiring MFA for their Azure platform, which shows how important this is.
2. Regular Software Updates (Free)
Those annoying updates on your computer that keep asking you to restart? They’re routine security updates. Software changes all the time: every day companies launch something new, and then find vulnerabilities in their systems. Shortly afterwards, they’ll patch the vulnerability.
By not installing updates, you are leaving your system open to known vulnerabilities. If you’re wondering how many of these vulnerabilities exist, there are currently 295,000 recorded in the central CVE (Common Vulnerabilities and Exposures) database – https://www.cve.org/.
If you’re in a larger organisation with managed devices, this is the reason your IT team are forcing updates and rebooting your PC for you!
3. Staff Training (Free)
Even with the best and cleverest IT team in the world, the weakest point of every system is the users. If your CEO decides to leave his password on a post-it note visible through a window, anyone walking past now has the key they need to your systems.
Why not get your staff, and yourself, trained on some basic cyber security? It’s straightforward and free. If your company has cyber insurance, chances are they’re insisting all employees have at least basic training in place.
Here are links to some free, UK-based training.
- https://www.ncsc.gov.uk/information/top-tips-for-staff
- https://www.gov.uk/government/collections/cyber-security-training-for-business
- https://nbcc.police.uk/crime-prevention/cyber-and-fraud/free-cyber-security-training-for-staff
4. Change Default Passwords (Free)
If you’ve got an account or a piece of hardware, change the default password! You might not think that applies to a lot of businesses, but let’s pretend I’m in a nice local coffee shop.
They’ve got free Wi-Fi, and I’ve connected up. I see they’ve got a Draytek router, and I know the default password for Draytek routers. I log on to their router, can now see all connected devices (including their EPOS, staff mobiles, and anyone else in the shop) and set up forwarding to my laptop. Now I’ve got a log of everything going on over that Wi-Fi, just because the router has a default password that is easily findable online.
5. Check Permissions & Access Controls (Free)
If you’re a smaller company, or a sole trader, you’ll have access to everything. As a business gets bigger, no single person should have the keys to your kingdom. The sweet spot for hackers is businesses that are growing (think £20m to £250m turnover): big enough to be worth hacking for reward, but not big enough to have a large IT department.
An attacker will probably be able to look at LinkedIn, find a photo of your Head of IT, and assume they’ve got the keys to everything in the business. So they start their hacking with what they think is that person’s account.
As companies grow, you probably won’t have thought about reviewing permissions, but if someone in your MSP (Managed Service Provider) has keys to administer all your systems, they’ve got the keys to break everything. If a hacker gets those keys… guess what!
Now apply the Principle of Least Privilege. Does your FD need to create user accounts? No? Take that permission away and make sure a couple of other people have it. Does Shirley in Operations still need access to the HR share? Work through these, and restrict access wherever possible.
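One practical way to start the permissions review described above, as an added example that is not part of the original post: list who currently holds the most powerful Microsoft 365 / Entra ID directory roles using the Microsoft Graph PowerShell module. The set of roles reviewed and the Global Administrator threshold are assumptions you should adjust for your own business.

```powershell
# Added example (not from the original post): list the members of key
# directory roles so they can be reviewed against the Principle of Least
# Privilege. Requires the Microsoft.Graph PowerShell module and an account
# permitted to read directory roles.

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Assumed starting set of roles worth reviewing first; add any others you use.
$rolesToReview = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'User Administrator',
    'Exchange Administrator',
    'SharePoint Administrator'
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$activeRoles = Get-MgDirectoryRole | Where-Object { $rolesToReview -contains $_.DisplayName }

$report = foreach ($role in $activeRoles) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    foreach ($m in $members) {
        # Members come back as generic directory objects; the useful
        # attributes live in AdditionalProperties.
        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $m.AdditionalProperties['displayName']
            UPN        = $m.AdditionalProperties['userPrincipalName']
            ObjectType = ($m.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Flag the "keys to the kingdom" role: too many Global Administrators is the
# most common finding. Threshold is an assumption; tune it for your size.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -gt 4) {
    Write-Warning "You have $($globalAdmins.Count) Global Administrators; check whether each one really needs it."
}
```

Service principals and groups appear in the output alongside users (see the ObjectType column), so check those too, as an MSP’s tooling often holds its access that way.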
6. Install Endpoint Protection (Free)
This one’s easy: install protection on your devices and make sure it’s switched on. If you have a Windows laptop, you’ll already have Microsoft Defender; make sure it’s automatically kept up to date, always turned on and scanning.
The 295,000 vulnerabilities I mentioned earlier? It won’t find all of these, but a free tool that’ll probably help? Use it!
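A quick way to confirm the three things above (Defender on, up to date, and scanning), as an added example that is not part of the original post: the check below uses the Defender cmdlets built into Windows. The age thresholds are assumptions.

```powershell
# Added example (not from the original post): Microsoft Defender health check
# for a Windows PC using the built-in Defender cmdlets. Run from an elevated
# PowerShell window. Thresholds are assumed values; adjust to taste.

$maxSignatureAgeDays = 3   # assumed: signatures older than this count as stale
$maxScanAgeDays      = 7   # assumed: no quick scan in a week is a problem

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

$problems = @()
if (-not $status.AMServiceEnabled)          { $problems += 'Defender service is not running' }
if (-not $status.AntivirusEnabled)          { $problems += 'Antivirus engine is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $problems += 'Real-time protection is off' }
if ($prefs.DisableRealtimeMonitoring)       { $problems += 'Real-time monitoring is disabled in preferences' }
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $problems += "Signatures are $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated))"
}
if ($status.QuickScanAge -gt $maxScanAgeDays) {
    $problems += "Last quick scan was $($status.QuickScanAge) days ago"
}

if ($problems.Count -eq 0) {
    Write-Host 'Defender looks healthy: enabled, real-time protection on, signatures and scans recent.'
} else {
    Write-Warning 'Defender needs attention:'
    $problems | ForEach-Object { Write-Warning "  - $_" }

    # The two fixes the post asks for: get it up to date and get it scanning.
    # Both are safe to run repeatedly; a disabled engine still needs fixing
    # by hand (or by your IT team) afterwards.
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
}
```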
7. O365 Secure Score (Free)
Are you one of the over 400 million users on Microsoft 365? If you have a tenant, no matter how small, check your Secure Score every now & again.
It’s a free tool Microsoft offer that is worth its weight in gold. You get a per-company score, and a list of actions you can take to improve it.
Have a look for the Current License Score, as some features will require extra licenses. If you’re on Business Premium licensing (which is an absolute bargain), there’s a lot you can do to protect your business using just this tool – even for bigger companies.

8. Regular Backups & Tests
Ideally, your business will be working to a 3-2-1 backup system: three copies of your data, on two different storage media, with one copy offsite.
This doesn’t need to be complex, but make sure you’ve got a backup, and test that it works occasionally. Should you get hacked and your files held to ransom, a good backup solution means you’ll already have the files elsewhere, ready to use.
In itself this is a huge subject, so I’m only going so far as to say, take regular backups and test them.
9. Create an Incident Response Plan (Free)
No-one wants to get hacked, but if you do, you need a plan. This doesn’t need to be a 100-page document, but think about it in advance and work through what the issues would be if you were hacked.
AI is a good place to start with this, ask it to “Write me an incident response plan for my factory, I use Microsoft 365 and my website is on Wix”.
Have a read of the resulting output, and if you don’t understand any of this – do some research or partner with someone that does.
10. Penetration Testing
The final point I’m going to include is a little more costly, and more applicable to larger businesses. But if you have public facing IP addresses – regularly scan them.
Tools like https://www.intruder.io/ are fantastic, they’ll scan your office fixed IP addresses and let you know about any vulnerabilities (remember the 295,000 above) and help with some remediation.
Summary
Hopefully you’ve found this helpful, at least in highlighting how important IT security is to every business, and what actions you can take now with no cost to you. Not all of these are applicable to all businesses, but any business of a reasonable size should try to hit 100%.
Of course, if some of this goes over your head, it might be time to get an IT advisor on board for the business. A lot of smaller businesses work with quality MSPs (Managed Service Providers) who look after their IT systems and all the technical bits, so you can concentrate on your core business.
If you implement the above, you’ve got a good baseline of security in place. But don’t forget, the threat is constant: all you’re doing is putting the basics in place, and security is ongoing. The above is the equivalent of making sure you lock your windows and doors before you go out. Do the basics, and keep learning.