You’re not too small to be a target: the SMB cyber security guide nobody gave you

Written by Jessie Barr

29/04/2026

Why small businesses are increasingly in the crosshairs — and the practical steps that make the biggest difference without requiring an enterprise budget.

Somewhere along the way, small businesses convinced themselves that cyber security was a big-company problem.

That hackers were after banks and multinationals — not a ten-person firm in Essex trying to get through its invoicing before Friday. It’s a comforting thought. It’s also one of the most dangerous assumptions a business owner can make in 2026.

Cybercrime has industrialised. Attacks are automated, scalable, and indiscriminate. The question attackers ask isn’t “is this company worth targeting?” It’s “is this company easy to get into?” And small businesses, statistically, are easier to get into than large ones.

This week we’re laying out exactly why that is, what good security actually looks like for an SMB, and the practical steps — many of them free — that make the biggest difference.

Why small businesses are actively targeted

The idea that cybercriminals only go after big targets made more sense when attacks required significant manual effort. Today, the economics are completely different.

Automated tools allow attackers to scan millions of systems simultaneously, testing for known vulnerabilities, weak passwords, and unpatched software. Size doesn’t factor into that equation. What factors in is how easy a target you are — and small businesses are, on average, significantly easier than enterprises.

There are a few reasons for this. Smaller businesses typically have fewer dedicated security resources, less rigorous patching schedules, and staff who haven’t received formal security awareness training. They also tend to be connected to larger organisations as suppliers, contractors, or partners — which makes them an attractive side door into a bigger target.

The Cyber Security Breaches Survey, published annually by the UK government, consistently shows that around a third of small businesses report a cyber incident each year. The real figure is likely higher, given how many go undetected or unreported.

Being small is not a shield. It never was.

The five security basics every SMB should have in place

Good security doesn’t require an enterprise budget. The following five measures cover the vast majority of risk facing a typical small business — and most of them cost nothing beyond the time to implement them.

Multi-factor authentication

Enabling MFA on your Microsoft 365 accounts blocks 99.9% of automated account attacks, according to Microsoft’s own research. It’s included with every M365 plan, takes around 20 minutes to enable across a whole team, and is the single highest-impact security action most small businesses can take right now.

If your team isn’t using MFA, this is the place to start.

Software patching and device management

Unpatched software is one of the most common entry points for attackers. Most businesses know updates matter — the challenge is making them happen consistently across every device. Microsoft Intune, included with Microsoft 365 Business Premium, solves this by letting you centrally manage and automatically push updates to every device in the business. No more “remind me later.” No more forgotten laptops running six-month-old software.

If you’re currently on Business Basic or Standard, it’s worth understanding that Business Premium brings a significant step up in security capability — including Intune, advanced threat protection, and conditional access policies.

Staff awareness training

Studies consistently show that over 80% of cyber incidents involve human error. Your team is your biggest vulnerability — and your biggest asset, if they’re trained properly. Regular, short security awareness sessions (even 30 minutes a quarter) make a meaningful difference. Staff should be able to recognise a phishing email, understand why password reuse is risky, and know exactly what to do if something feels wrong.

Access controls

Not everyone in your business needs access to everything. Applying the principle of least privilege — giving staff access only to the systems and data they need for their role — limits the damage if an account is ever compromised. Review who has admin rights, and remove access promptly when staff leave.
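As an added check for the MFA and access-control basics above (example code, not from the article or Via Wire): a read-only Microsoft Graph PowerShell audit that lists users with no registered MFA method, every account holding a directory role, and the overlap between the two. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account can consent to the read-only scopes requested.

```powershell
# Added example, not from the original article: a read-only audit of MFA coverage
# and admin-role membership in a Microsoft 365 tenant via the Microsoft Graph
# PowerShell SDK. Assumes the Microsoft.Graph module is installed and the signed-in
# account can consent to the read-only scopes requested below.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# 1. MFA coverage: the registration report records, per user, whether any MFA
#    method is registered. Users with none are the ones automated password attacks hit.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = @($registration | Where-Object { -not $_.IsMfaRegistered })

Write-Host ("Users without MFA registered: {0} of {1}" -f $noMfa.Count, $registration.Count)
$noMfa | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

# 2. Admin rights review: enumerate every activated directory role and its members.
#    Get-MgDirectoryRoleMember returns generic directory objects, so the UPN is
#    read from AdditionalProperties (groups and service principals have none).
$adminRoles = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $member.AdditionalProperties['userPrincipalName']
        if ($upn) { $adminRoles[$upn] += @($role.DisplayName) }
    }
}

Write-Host ("Accounts holding directory roles: {0}" -f $adminRoles.Count)
$adminRoles.GetEnumerator() |
    Sort-Object Name |
    ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Value -join ', ') }

# 3. The finding to fix first: privileged accounts with no MFA registered.
$noMfaUpns = @($noMfa.UserPrincipalName)
$privilegedNoMfa = @($adminRoles.Keys | Where-Object { $noMfaUpns -contains $_ })
if ($privilegedNoMfa.Count -gt 0) {
    Write-Warning ("Admin accounts WITHOUT MFA: " + ($privilegedNoMfa -join ', '))
} else {
    Write-Host "All role-holding accounts have MFA registered."
}
```

Run it again after offboarding a leaver: their UPN should disappear from the role list, which is the "remove access promptly" check made visible.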
Backups

A reliable, tested backup is the difference between a bad day and a catastrophic one. Backups should be automated, stored separately from your main systems (including offsite or in the cloud), and tested regularly to confirm they actually restore correctly. If you’ve never tested a restore, you don’t know if your backup is working.

What to do if something goes wrong

Prevention matters — but the businesses that recover fastest from a security incident aren’t necessarily the ones with the best defences. They’re the ones with a clear response plan in place before anything happens.

Here’s a plain-English framework for the first steps after a suspected breach:

1. Don’t panic — but act quickly. The instinct to ignore or downplay a potential incident is understandable. Resist it. The sooner you act, the less damage is done.

2. Isolate the affected device or account. Disconnect the affected machine from the network if possible, and suspend the compromised account. This limits how far an attacker can move through your systems.

3. Call your IT provider. This is not the moment to try and diagnose the issue yourself. Your IT provider should have an incident response process — if they don’t, that’s a conversation worth having before something goes wrong.

4. Preserve evidence. Don’t wipe or reset anything before the incident has been assessed. Evidence of how the attack happened is important both for containment and, if required, for any regulatory reporting.

5. Consider your reporting obligations. Under UK GDPR, if personal data has been compromised, you may be required to report the incident to the ICO within 72 hours. This catches many businesses off guard — it’s worth knowing your obligations before you’re in a situation where the clock is ticking.

Having these five steps written down and accessible to the right people in your business takes about an hour. That hour could save you weeks of recovery time.

A note from Via Wire

At Via Wire, we help Essex businesses get the security fundamentals right: from setting up MFA and managing devices with Microsoft Intune, to ensuring your team is on the right Microsoft 365 licence for the protection they need. If anything in this week’s article raised questions about your own setup, we’d love to hear from you.
