The 5 Most Common Cyber Security Mistakes UK Small Businesses Make
Most successful cyber attacks on UK small businesses exploit the same handful of weaknesses. Here's what they are — and how to fix them without technical expertise or a big budget.
Most attacks exploit the same weaknesses
Cyber attacks on small businesses are rarely sophisticated. Attackers don't need to be — the most common weaknesses are so widespread and so easy to exploit that there's no need for anything more complex than automated scanning tools and well-crafted phishing emails.
The good news is that fixing the most common weaknesses is free or nearly free. Here are the five mistakes that come up most often.
1. Not using two-step verification on email and cloud services
This is the single biggest gap. Two-step verification — also called multi-factor authentication or 2FA — means that even if an attacker has your password, they still can't log in without a second verification step, usually a code sent to your phone.
Without it, a single leaked or guessed password gives an attacker full access to your email, your cloud storage, your accounting software — everything. Password leaks happen constantly; credentials from old breaches are sold and tried against business accounts every day.
The fix: Enable MFA on Microsoft 365 or Google Workspace today. It takes about 30 minutes and is free. This one change makes you significantly harder to attack than most small businesses.
Difficulty: Easy. Cost: Free.
2. Delaying software updates
Software updates aren't just new features — they fix security vulnerabilities. When a vulnerability is discovered, the software vendor releases a patch. When that patch is publicised, attackers immediately start scanning the internet for systems that haven't applied it yet.
The window between a patch being released and attackers actively exploiting unpatched systems has shrunk from weeks to days. Businesses that dismiss update notifications or turn off automatic updates are leaving known doors open.
The fix: Turn on automatic updates for Windows, Office, Chrome, and any other software your business uses. On Windows, go to Settings, then Windows Update, then turn on automatic updates. This takes about five minutes per computer.
Difficulty: Easy. Cost: Free.
3. No separate backup
Ransomware encrypts your files and demands payment to restore them. If your only backup is on the same system that gets encrypted, you either pay the ransom or lose everything. If you have a recent backup stored separately — in a different cloud account, or on a drive kept offsite — you can recover without paying anything.
Many businesses think they're covered because their files are in OneDrive or Google Drive. Cloud sync is not a backup — if ransomware encrypts your local files, the encrypted versions sync to the cloud too.
The fix: Set up a separate cloud backup — Microsoft 365 Backup or a service like Backblaze — that stores versions of your files independently of your main system. Budget around £5-15 per month.
Difficulty: Easy. Cost: £5-15/month.
4. Using the default router password
Every broadband router ships with a default admin username and password — often printed on a sticker on the device. If you've never changed it, anyone who can access your router's admin page can change its settings, intercept your traffic, or use it as a base for attacking other systems.
This is a particularly common issue for businesses that have moved offices, inherited equipment, or simply never had anyone set things up properly. The default credentials for most routers are publicly available online.
The fix: Log into your router's admin page — usually by typing 192.168.1.1 into your browser — and change the admin password to something unique and strong. If you're unsure how to do this, your IT company or even your broadband provider can help.
Difficulty: Easy. Cost: Free.
5. Staff who can't recognise a phishing email
Phishing — fake emails designed to steal passwords or trick someone into transferring money — is responsible for the majority of successful cyber attacks on small businesses. Technical controls can catch many phishing emails, but not all. Staff who know what to look for are the last line of defence.
The most dangerous phishing emails are targeted ones — messages that appear to come from a known contact, reference a real project, and create a sense of urgency. These are harder to spot automatically and require human judgement.
The fix: Brief your staff on the warning signs: unexpected requests for passwords or payment, urgent tone, slightly wrong email addresses, links that don't match the sender's domain. Make it clear how to report suspicious emails internally. This doesn't require formal training — a 10-minute conversation covers the essentials.
Difficulty: Easy. Cost: Free.
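As an added illustration (not part of the original article), the warning signs listed above can be turned into a simple automated screen that a mail administrator might run over a suspicious message before it reaches staff. The Python script below parses a constructed sample email and flags the four signs the article names: a sender address that imitates a known domain, a link whose real destination differs from the sender's domain, urgent wording, and a request for payment or credentials. The trusted-domain list, the two sample messages and the keyword lists are assumptions made for this example; a real mail filter uses far richer signals, and a script like this supports staff judgement rather than replacing it.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this (hypothetical) business normally deals with; constructed for the example.
TRUSTED_DOMAINS = {"example-ltd.co.uk", "microsoft.com"}

# Crude keyword heuristics for "urgent tone" and "unexpected requests" (assumed lists).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "today", "suspended")
REQUEST_PHRASES = ("password", "verify your account", "bank details", "payment")

# Constructed sample: lookalike sender (digit 1 for letter l), urgent wording, and a link
# whose visible text shows the real company domain while the href goes elsewhere.
SAMPLE_EML = """\
From: "Accounts Team" <accounts@examp1e-ltd.co.uk>
To: finance@example-ltd.co.uk
Subject: URGENT: supplier payment required today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi, the supplier needs payment immediately or the order will be suspended.</p>
<p>Please log in here: <a href="https://example-ltd.co.uk.payments-portal.invalid/login">
https://example-ltd.co.uk/invoices</a> and confirm your bank details.</p>
</body></html>
"""

# Constructed sample of an ordinary internal message, which should raise no flags.
CLEAN_EML = """\
From: "Sam" <sam@example-ltd.co.uk>
To: finance@example-ltd.co.uk
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

Attached are the minutes. Thanks.
"""


def sender_domain(msg):
    """Return the lower-cased domain of the From address."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def link_domains(html):
    """Return the host of every href in the HTML body (the real destinations, not the link text)."""
    hosts = []
    for url in re.findall(r'href=["\']([^"\']+)["\']', html, re.I):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def lookalike_of(domain, trusted):
    """True if domain is not trusted itself but could be mistaken for it."""
    if domain == trusted:
        return False
    # Undo common visual substitutions (rn for m, vv for w, 1 for l, 0 for o).
    normalised = domain.replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")
    return normalised == trusted or SequenceMatcher(None, domain, trusted).ratio() >= 0.9


def phishing_indicators(raw_eml, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (code, detail) pairs for each warning sign found in the message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    indicators = []

    sender = sender_domain(msg)
    if sender not in trusted_domains:
        for trusted in sorted(trusted_domains):
            if lookalike_of(sender, trusted):
                indicators.append(("lookalike-sender", f"{sender} imitates {trusted}"))
                break

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for host in link_domains(text):
        trusted_host = any(host == t or host.endswith("." + t) for t in trusted_domains)
        if host != sender and not trusted_host:
            indicators.append(("link-domain-mismatch", f"link to {host} from sender {sender}"))

    # Strip tags so only the words a reader would see are examined.
    visible = str(msg.get("Subject", "")).lower() + " " + re.sub(r"<[^>]+>", " ", text).lower()
    hits = [p for p in URGENCY_PHRASES if p in visible]
    if hits:
        indicators.append(("urgent-tone", ", ".join(hits)))
    hits = [p for p in REQUEST_PHRASES if p in visible]
    if hits:
        indicators.append(("sensitive-request", ", ".join(hits)))
    return indicators


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(f"{name}: {phishing_indicators(raw) or 'no indicators'}")
```

The lookalike check catches the "slightly wrong email address" case by undoing common character substitutions before comparing with the trusted list; the link check compares where a link actually goes with the domain it claims to come from, which is exactly the "links that don't match the sender's domain" sign staff are asked to watch for.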
Know where you stand
The five mistakes above are the most common, but they're not the only ones. Understanding your full security position — across all five Cyber Essentials control areas — is the most useful thing you can do before an insurance renewal or client due diligence request.
Our 10-minute assessment walks you through 30 plain-English questions and produces a professional report showing your current security posture, the gaps, and exactly what to fix first. At £49 it's the lowest-cost way to get a clear picture of where your business stands.