UK small businesses are common targets for cyber attacks, but a small number of practical measures sharply reduce the risk. This guide reviews the core cyber security steps recommended for small businesses, based on National Cyber Security Centre guidance and the Cyber Essentials scheme, and explains how they link to cyber insurance. It is editorial information, not security or financial advice. Kael Tripton does not provide quotes, does not route enquiries, and does not earn commission from any provider mentioned.
Key Facts
- The NCSC Small Business Guide sets out core steps including backups, protecting against malware, keeping devices safe, using strong passwords, and avoiding phishing (NCSC, accessed June 2026).
- Cyber Essentials is a government-backed scheme built on five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management (NCSC, accessed June 2026).
- The government's Cyber Security Breaches Survey tracks the scale of attacks on UK businesses each year (GOV.UK, accessed June 2026).
- Two-factor authentication adds significant protection to accounts for little extra effort (NCSC, accessed June 2026).
- Cyber security controls reduce the chance of a breach, while cyber insurance helps a business recover; insurers increasingly require baseline controls (ABI; NCSC, accessed June 2026).
How cyber security works for small businesses
Cyber security for a small business is less about expensive products and more about a set of basic, consistent controls. The National Cyber Security Centre, part of GCHQ, publishes a Small Business Guide whose core steps can each take only minutes to set up yet substantially reduce the chance of a successful attack. The same principles underpin the government-backed Cyber Essentials scheme, which certifies that five technical controls are in place.
These measures matter because small businesses are frequently targeted, as the government's annual Cyber Security Breaches Survey records. Attacks such as phishing, ransomware, and malware can halt trading, expose customer data, and trigger obligations under UK data protection law overseen by the Information Commissioner's Office. Strong basics make these incidents far less likely.
Security and insurance are complementary, not alternatives. Good controls reduce the chance of a breach; cyber insurance helps a business recover when one happens, funding incident response, business interruption, and liability. Increasingly, insurers require baseline controls such as multi-factor authentication and tested backups as a condition of cover, so improving security can also widen insurance options and improve terms.
Measures compared at a glance
| Measure | What it protects against | Effort | Cyber Essentials control |
|---|---|---|---|
| Regular backups | Data loss, ransomware | Low | Supports recovery |
| Malware protection | Viruses, ransomware | Low | Malware protection |
| Device and password security | Account and device compromise | Low | Secure configuration |
| Two-factor authentication | Stolen passwords | Low | User access control |
| Phishing awareness | Scam emails and fraud | Low | Supports all controls |
| Software updates | Exploited vulnerabilities | Low | Security update management |
| Firewalls | Unauthorised network access | Low | Firewalls |
This table maps the NCSC small business steps to the five Cyber Essentials technical controls. Each measure is inexpensive; most are a matter of configuration and habit rather than spending.
Regular backups
What it does
Backups keep a separate, recoverable copy of important data so a business can restore it after loss, theft, or a ransomware attack.
Why it matters
The NCSC advises all businesses, regardless of size, to take regular backups of important data. Tested backups are the single most effective defence against ransomware, because they let a business recover without paying a ransom.
How to start
Back up important data regularly, keep at least one copy disconnected from your network or in the cloud, and test that you can actually restore from it. Insurers commonly ask about backups when offering cyber cover.
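As an added example that is not part of this guide or of the NCSC's material, the Python script below shows what "test that you can actually restore" can look like in practice: it stores a SHA-256 manifest beside a backup copy, restores that copy into a scratch directory, and reports any file that is missing or altered. The manifest file name and the sample invoice data are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # constructed name for the digest list stored with the backup

def sha256_of(path: Path) -> str:
    # Stream the file through SHA-256 so large backups need not fit in memory
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    # Map every file under root (by relative path) to its digest
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, backup: Path) -> dict[str, str]:
    # Copy the source tree to the backup location and record what was copied
    shutil.copytree(source, backup, dirs_exist_ok=True)
    manifest = build_manifest(source)
    (backup / MANIFEST).write_text("\n".join(f"{d}  {n}" for n, d in manifest.items()))
    return manifest

def verify_restore(backup: Path) -> list[str]:
    # Restore into a scratch directory and list files missing or changed; [] means the restore works
    lines = (backup / MANIFEST).read_text().splitlines()
    expected = {name: digest for digest, name in (l.split("  ", 1) for l in lines)}
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp) / "restore"
        shutil.copytree(backup, restored, ignore=shutil.ignore_patterns(MANIFEST))
        actual = build_manifest(restored)
    return [n for n, d in expected.items() if actual.get(n) != d]

def demo() -> tuple[list[str], list[str]]:
    # Constructed sample data: a clean backup passes, then one silently damaged file is caught
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "invoices"
        (src / "2026").mkdir(parents=True)
        (src / "2026" / "inv-001.txt").write_text("Invoice 001: 120.00 GBP (constructed)")
        (src / "customers.csv").write_text("name,email\nA Ltd,a@example.com\n")
        bak = Path(tmp) / "backup"
        make_backup(src, bak)
        clean = verify_restore(bak)
        (bak / "customers.csv").write_text("name,email\n")  # simulate corruption of the backup copy
        damaged = verify_restore(bak)
    return clean, damaged
```

Running `demo()` returns an empty list for the intact backup and `["customers.csv"]` once that file has been damaged, which is the kind of evidence an insurer's "tested backups" question is asking about.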
Malware protection
What it does
Malware protection identifies and blocks viruses and other malicious software before it can spread or steal data.
Why it matters
Malware is a common route into small business systems. The NCSC notes that limiting administrator privileges, so staff do not browse the web or read email from admin accounts, reduces the damage malware can do.
How to start
Turn on built-in or reputable malware protection, keep it updated, and restrict administrator accounts. This aligns with the Cyber Essentials malware protection control.
Device and password security
What it does
Securing devices and using strong, unique passwords prevents unauthorised access to laptops, phones, and the accounts they reach.
Why it matters
The NCSC recommends device encryption with a PIN or password and strong passwords for accounts. Lost or stolen devices are a frequent cause of data exposure, and encryption protects the data if a device goes missing.
How to start
Enable built-in encryption, set screen locks, and use long, unique passwords, ideally with a password manager. This supports the Cyber Essentials secure configuration control.
Two-factor authentication
What it does
Two-factor authentication, also called multi-factor authentication, requires a second proof of identity beyond a password to access an account.
Why it matters
The NCSC states that using two-factor authentication adds a large amount of security for little extra effort. It protects accounts even if a password is stolen or guessed, and many cyber insurers now require it.
How to start
Turn on two-factor authentication for email, banking, cloud, and admin accounts first. This supports the Cyber Essentials user access control.
Phishing awareness
What it does
Phishing awareness helps staff spot and avoid scam emails and messages designed to steal credentials or money.
Why it matters
The NCSC notes that every business will receive phishing attacks at some point. Many breaches begin with a single staff member clicking a malicious link, so awareness is a frontline defence.
How to start
Train staff to check sender addresses, avoid clicking unexpected links, and verify payment requests independently. Encourage reporting of suspicious messages without blame.
Software updates
What it does
Applying software and security updates closes known vulnerabilities that attackers exploit.
Why it matters
Unpatched software is a common entry point. Keeping operating systems, applications, and devices up to date removes weaknesses that criminals actively target.
How to start
Turn on automatic updates where possible and apply security updates promptly. This is the Cyber Essentials security update management control.
Firewalls
What it does
A firewall creates a security barrier between your network or devices and the internet, controlling what traffic is allowed.
Why it matters
Firewalls help prevent unauthorised access to systems. Cyber Essentials, which lists them as one of its five core controls, describes them as a security filter between the internet and your network.
How to start
Use the firewall built into your router and devices, and configure it rather than leaving defaults. For larger setups, a dedicated firewall may be appropriate.
How cyber security and cyber insurance work together
A layered approach combines security measures that reduce the likelihood of an incident with insurance that helps recover from those that still occur. Controls such as backups, multi-factor authentication, and patching reduce both the likelihood and the impact of an attack, while a cyber policy funds incident response, business interruption, and liability when prevention is not enough.
The two are increasingly linked commercially. Many insurers now require baseline controls as a condition of cover or of paying certain claims, and some offer better terms to businesses that hold Cyber Essentials. Improving security is therefore not only sensible protection but can also make cyber insurance easier to obtain and more affordable. Before buying cover, verify any insurer on the FCA Register and read the security conditions in the policy.
Frequently asked questions
What are the most important cyber security steps for a small business?
The NCSC Small Business Guide highlights regular backups, protecting against malware, keeping devices safe, using strong passwords, and avoiding phishing. These low-cost steps substantially reduce the risk of an attack.
What is Cyber Essentials?
Cyber Essentials is a government-backed certification scheme based on five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. It demonstrates to clients that a business takes security seriously.
Does cyber security replace the need for cyber insurance?
No. Security controls reduce the chance and impact of an attack, while cyber insurance helps a business recover from incidents that still happen. They are complementary, and insurers increasingly require baseline controls.
Why do insurers ask about my security controls?
Because controls such as multi-factor authentication and tested backups lower the risk of a claim. Many cyber insurers require them as a condition of cover or of paying certain claims, and meeting them can improve terms.
Is two-factor authentication really necessary?
The NCSC describes it as adding a large amount of security for little extra effort. It protects accounts even if a password is stolen, which is why it is widely recommended and often required by insurers.
Where can I get trusted cyber security guidance?
The National Cyber Security Centre publishes free guidance for small businesses, including the Small Business Guide and Cyber Essentials. The government's Cyber Security Breaches Survey provides data on the threat landscape.
Sources
- Small organisations guide to cyber security, National Cyber Security Centre, 2026
- Cyber Essentials overview, National Cyber Security Centre, 2026
- Cyber Security Breaches Survey 2025, GOV.UK
- What does cyber insurance cover, Association of British Insurers, 2026
- Data protection for organisations, ICO, 2026
- Financial Ombudsman Service, 2026
- Financial Services Register, Financial Conduct Authority, accessed 2026
Last reviewed: June 2026