I talk to small business owners across East Sussex every week, and there is one thing I hear more than almost anything else: "We're too small to be a target." I understand why people think that. You picture hackers going after banks and big corporations, not a small outfit in Uckfield with five computers. But the reality is quite different, and it catches people out.

Small businesses are targeted precisely because they tend to have weaker defences. Attackers are not sitting in a dark room picking you out specifically. They use automated tools that scan thousands of businesses at once, looking for easy ways in. If your passwords are weak, your software is out of date, or you have no proper antivirus, you are low-hanging fruit. And the cost of dealing with an attack, whether it is ransomware, a data breach, or a compromised email account, can be devastating for a small operation.

The good news is that the basics are not complicated. Getting them right puts you ahead of the vast majority of small businesses. Here is what I recommend to every client.

Phishing Emails: The Number One Way In

Most cyberattacks start with an email. Not a sophisticated hack, just a convincing-looking email that tricks someone into clicking a link or opening an attachment. These are called phishing emails, and they have become very convincing in recent years.

Here are some of the most common ones I see:

  • "Your invoice is attached" from what looks like a supplier. The attachment contains malware
  • "Your Microsoft 365 password is expiring" with a link to a fake login page that captures your real password
  • "You have a new voicemail" with a link that installs malicious software
  • "Payment failed, update your details" pretending to be from your bank, PayPal, or a subscription service
  • "Shared document from a colleague" that asks you to log in to view it

The trick is to slow down. Before clicking anything, ask yourself: was I expecting this? Does the sender's actual email address (not just the display name) look right? Is it creating urgency to make me act without thinking? If in doubt, don't click. Call the person or company directly using a number you already have, not one from the email.
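The questions in that paragraph (who actually sent it, where replies go, whether it is pushing you to act now, whether it carries an unexpected file) can be turned into a small triage script. The following is an added example written for this article, not the author's tooling or any product; the brand-to-domain table, the urgency phrases and the three sample messages are constructed for illustration, and a real mail filter would need far larger lists than these:

```python
"""Triage heuristics for the phishing patterns described above.

Added example for this article; not a product and not the author's tooling.
The brand-to-domain table, urgency phrases and sample messages are constructed
for illustration; a real mail filter needs far larger lists than these.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: brands that commonly appear in spoofed display names, with the
# domains they legitimately send from (constructed and deliberately incomplete).
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com", "paypal.co.uk"},
}
URGENCY_PHRASES = ("expiring", "expires today", "immediately", "payment failed",
                   "account suspended", "within 24 hours")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".htm", ".html", ".iso", ".zip")


def domain_of(address: str) -> str:
    """The part after the last '@', lower-cased; empty if there is no address."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_email(raw: str) -> list:
    """Return warning strings for an RFC 5322 message given as text (e.g. a saved .eml)."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)

    # 1. The display name claims a brand, but the real address is somewhere else.
    for brand, domains in KNOWN_BRANDS.items():
        legit = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
        if brand in display.lower() and not legit:
            warnings.append(f"display name mentions {brand} but sender domain is {from_domain}")

    # 2. Replies are routed to a different domain from the one that sent the mail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. Language designed to make the reader act before thinking.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        warnings.append("urgency language: " + ", ".join(hits))

    # 4. Attachment types that are commonly used to deliver malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment type: {name}")
    return warnings


def build_sample(from_hdr, subject, body, reply_to=None, attachment_name=None) -> str:
    """Build a constructed test message and return it as raw message text."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "accounts@smallbiz.example"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples matching patterns from the list above.
PASSWORD_LURE = build_sample(
    '"Microsoft 365 Support" <security@m365-alerts.example>',
    "Your password is expiring today",
    "Your Microsoft 365 password expires today.\n"
    "Sign in immediately to keep access: http://m365-alerts.example/renew\n",
)
INVOICE_LURE = build_sample(
    "Jo Bloggs <jo@supplier.example>", "Invoice attached",
    "Please find the invoice attached.\n",
    reply_to="payments@other-domain.example", attachment_name="invoice.zip",
)
GENUINE_NOTICE = build_sample(
    "Microsoft account team <noreply@microsoft.com>", "New sign-in to your account",
    "We noticed a new sign-in to your account. If this was you, no action is needed.\n",
)

if __name__ == "__main__":
    for label, sample in (("password lure", PASSWORD_LURE), ("invoice lure", INVOICE_LURE),
                          ("genuine notice", GENUINE_NOTICE)):
        print(label, "->", assess_email(sample) or "no warnings")
```

Feed assess_email the text of a saved .eml file and you get a list of warnings; an empty list means none of these particular signals fired, which is not the same as the message being safe. The four checks mirror the questions above, and the last one is why "your invoice is attached" is dangerous even when the sender's name looks familiar.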

Passwords: The Boring Problem That Causes Most Damage

Password reuse is the single biggest risk I see in small businesses. People use the same password for their email, their bank, their accounting software, and half a dozen other services. When one of those services gets breached, and breaches happen constantly, attackers try that password everywhere else. It works more often than you would think.

There are three things that make a real difference:

  • Use a password manager. Tools like Bitwarden or 1Password generate and store unique, strong passwords for every account. You only need to remember one master password. It sounds like more work, but it actually makes life easier because you stop trying to remember dozens of passwords
  • Turn on two-factor authentication (2FA). This means that even if someone gets your password, they still need a second code, usually from your phone, to log in. Turn it on for email, banking, and any cloud services as a minimum. It is the single most effective thing you can do
  • Stop using personal details as passwords. Your dog's name, your birthday, your town. These are all easy to guess or find on social media

Updates: Not Just Annoying Popups

I know those Windows Update notifications feel like they always appear at the worst possible time. But those updates are not just adding features. Most of them are patching security holes that have been discovered since the last update. When you click "remind me later" for three months, you are leaving known vulnerabilities wide open.

The same goes for your web browser, your PDF reader, Java, and any other software you use regularly. Outdated software is one of the easiest ways for attackers to get in, because the vulnerabilities are publicly documented. They literally have a list of what is broken and how to exploit it.

My advice: set Windows to update automatically outside of working hours, and let your other software update when it asks. If you are worried about updates breaking things, that is exactly the kind of thing a managed IT plan can handle for you, testing and applying updates properly rather than ignoring them.

Backups: The 3-2-1 Rule in Plain English

If ransomware encrypts all your files and you have no backup, you are stuck. Either you pay the ransom (which I would never recommend, as there is no guarantee you will get your data back) or you lose everything. I have seen businesses lose years of records, accounts, and client information.

The 3-2-1 rule is simple:

  • 3 copies of your important data
  • 2 different types of storage (for example, your computer's hard drive and an external drive, or your computer and a cloud backup service)
  • 1 copy off-site or in the cloud, so that if your office floods, burns down, or is broken into, you have not lost everything

A USB drive on your desk is better than nothing, but it is not enough on its own. If ransomware hits and the drive is plugged in, it gets encrypted too. Cloud backup services that keep versioned copies are the most reliable option for most small businesses.
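Knowing that a backup is actually usable, rather than just configured, is the "backup verification" mentioned in the managed plan further down. The following is an added example written for this article (not the author's tooling): it compares every file in a source folder against its copy by SHA-256 and reports anything missing, changed or stale, then applies the 3-2-1 count to an inventory of copies. The folder names, file contents and the inventory are constructed so the script runs on its own; point verify_backup at a real source and backup path to use it for real:

```python
"""Check that a backup copy really matches the source, and that the set of
copies satisfies 3-2-1.

Added example for this article, not the author's tooling. The demo() data is
constructed in a temporary directory so the script runs anywhere.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(source, backup, max_age_hours: float = 24) -> dict:
    """Compare every file under source with its copy under backup.

    Returns lists of relative paths that are missing from the backup, whose
    contents differ (hash mismatch), or whose backup copy is older than
    max_age_hours. All three empty means the backup could actually be restored.
    """
    source, backup = Path(source), Path(backup)
    report = {"missing": [], "mismatch": [], "stale": []}
    cutoff = time.time() - max_age_hours * 3600
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel.as_posix())
            continue
        if sha256_of(copy) != sha256_of(src_file):
            report["mismatch"].append(rel.as_posix())
        if copy.stat().st_mtime < cutoff:
            report["stale"].append(rel.as_posix())
    return report


def check_321(copies) -> list:
    """Apply the 3-2-1 rule to an inventory of copies (the working copy counts as one).

    Each entry is a dict like {"name": ..., "medium": ..., "offsite": bool}; this
    structure is constructed for the example rather than taken from any backup tool.
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(media) or 'none'})")
    if not any(c["offsite"] for c in copies):
        problems.append("no off-site copy")
    return problems


def demo():
    """Run both checks on constructed data; returns (backup_report, rule_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "src"), Path(tmp, "bak")
        (src / "accounts").mkdir(parents=True)
        bak.mkdir()
        (src / "accounts" / "ledger.csv").write_text("2024-01-01,invoice,120.00\n")
        (src / "clients.txt").write_text("Example client list\n")
        (src / "notes.txt").write_text("new file since last backup\n")
        # Backup copy: ledger matches, clients.txt was truncated, notes.txt never copied.
        (bak / "accounts").mkdir()
        (bak / "accounts" / "ledger.csv").write_text("2024-01-01,invoice,120.00\n")
        (bak / "clients.txt").write_text("Example")
        # Make the ledger copy look a week old so the staleness check fires.
        week_ago = time.time() - 7 * 24 * 3600
        os.utime(bak / "accounts" / "ledger.csv", (week_ago, week_ago))
        report = verify_backup(src, bak)
    # The "USB drive on your desk" situation from the paragraph above.
    copies = [
        {"name": "office PC", "medium": "internal disk", "offsite": False},
        {"name": "USB drive on desk", "medium": "external disk", "offsite": False},
    ]
    return report, check_321(copies)


if __name__ == "__main__":
    backup_report, rule_problems = demo()
    print("backup report:", backup_report)
    print("3-2-1 problems:", rule_problems)
```

The inventory in demo() is exactly the USB-drive-on-the-desk setup described above, and check_321 reports it as two copies short of three with nothing off-site. Adding a versioned cloud copy clears both problems, and running verify_backup on a schedule is what turns "we have backups" into a statement you can trust.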

Antivirus: Why Windows Defender Is Not Enough for a Business

Windows Defender has improved a lot over the years, and for personal home use it does a reasonable job. But for a business, it has real limitations. It does not give you centralised management, so you have no way of knowing whether all your machines are protected and up to date. It does not alert anyone if something is detected. And its detection rates for more sophisticated threats are not as strong as dedicated business security products.

I use and recommend ESET for all my business clients. As an ESET authorised partner, I can deploy it across all your machines, manage it centrally, and see immediately if there is a threat on any device. It runs quietly in the background without slowing things down, and it catches things that Defender misses. If you want to know more about the options, have a look at the Antivirus & Security page.

Worth knowing: cyber insurance providers are increasingly asking whether you have proper endpoint protection in place. "We use Windows Defender" is often not enough to satisfy their requirements. Having a managed business antivirus like ESET can make the difference when it comes to getting covered.

Managed Security: Putting It All Together

Each of the things above helps on its own, but the real protection comes from having them all in place and actively monitored. That is what a managed security plan does. Instead of hoping everything is fine, someone is actually watching.

With GNL Protect, I monitor your systems continuously and know about problems before you do. That includes:

  • Antivirus monitoring across every machine, with alerts if anything is detected or if protection lapses
  • Patch management to keep Windows and key software updated without you having to think about it
  • Health checks that flag hardware issues, low disk space, and other risks before they cause downtime
  • Backup verification to make sure your backups are actually working, not just configured
  • A direct line to me when something goes wrong, with remote support included

It is the difference between hoping you are secure and knowing you are. For a small business, that peace of mind is worth a lot.

Frequently Asked Questions

Do small businesses really need cybersecurity?

Yes. Small businesses are actually targeted more often than large ones because attackers know they tend to have weaker defences. A single ransomware attack or data breach can cost thousands and cause serious disruption to a small operation.

Is Windows Defender enough to protect my business?

Windows Defender is a decent baseline for home users, but it lacks the centralised management, advanced threat detection and reporting that a business needs. A dedicated business antivirus like ESET gives you better protection and lets your IT support monitor threats across all your machines.

What is the 3-2-1 backup rule?

The 3-2-1 rule means keeping three copies of your data, on two different types of storage, with one copy stored off-site or in the cloud. This protects you against hardware failure, theft, fire and ransomware all at once.