Cyber security basics for SMEs: 7 quick wins
Seven practical, non-technical steps SMEs can take this week to reduce cyber-security risk without big budgets or complex tools.
Cyber security can feel overwhelming for busy SMEs, but it doesn’t have to be. You don’t need a huge budget or a dedicated IT team to reduce your risk – just a handful of sensible habits and checks.
This guide walks through seven practical “quick wins” you can put in place over the next week. They’re written in plain English and focused on the realities of running a small business, not enterprise jargon.
1. Turn on multi-factor authentication (MFA)
If there’s one thing you do after reading this guide, make it this. Multi-factor authentication (MFA) adds a second step – usually a code from an app or text message – when logging in.
- Enable MFA on email, cloud storage, accounting and CRM systems.
- Require it for all admin or “owner” accounts, not just staff logins.
- Use an authenticator app rather than SMS where possible.
2. Use strong, unique passwords (with a password manager)
Re-using the same password across systems is one of the biggest risks for SMEs. If one site is breached, attackers can try the same login everywhere.
- Move to a reputable password manager for the business.
- Use long, unique passwords (or passphrases) for every system.
- Make sure shared accounts (e.g. “info@…”) are stored securely.
3. Keep devices and software up to date
Out-of-date software often contains known security holes. Attackers actively scan the internet looking for unpatched systems.
- Turn on automatic updates for Windows/macOS, browsers and apps.
- Include mobiles and tablets used for work, not just laptops/PCs.
- Schedule a regular monthly check that updates are installing properly.
4. Back up your critical data (and test restoring it)
Backups are your safety net if you’re hit by ransomware, hardware failure or accidental deletion.
- Identify the data you can’t afford to lose (documents, CRM, finance).
- Use at least one backup that’s stored off-site or in a different cloud.
- Test restoring a file every few months so you know the backup works.
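A simple way to make the "test restoring it" step repeatable is to record a checksum of each critical file before it is backed up, then compare a restored copy against that record. The script below is an added example written for this guide, not code from the original article or from New Media Aid; the "critical files", the backup and the restore are all constructed in a temporary directory so it runs offline, and the two failure modes it injects (a truncated file and a missing file) are there to show what a restore test should catch.

```python
"""Backup restore check: record SHA-256 hashes of critical files before
backup, then verify a restored copy matches byte-for-byte.

Added example, not part of the original guide. The "critical files"
are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns a report with three lists: files that match, files missing
    from the restore, and files whose contents changed.
    """
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up three files, then damage the restore
    in two ways (one file truncated, one missing) and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        restored = Path(tmp) / "restored"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "invoices.csv").write_text("id,amount\n1,100\n")
        (live / "contacts.csv").write_text("name,email\nA,a@example.com\n")
        (live / "notes.txt").write_text("quarterly plan\n")

        manifest = build_manifest(live)           # taken before backup
        shutil.copytree(live, backup)             # the "backup"
        shutil.copytree(backup, restored)         # the "restore"
        # Simulate two failure modes a real restore test should catch:
        (restored / "contacts.csv").write_text("name,email\n")  # truncated
        (restored / "notes.txt").unlink()                         # missing
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would keep the manifest alongside the backup (or in a separate location) and run `verify_restore` against a real restore every few months; any entry under "missing" or "corrupt" means the backup is not the safety net you thought it was.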
5. Train staff to spot phishing emails
Most attacks still start with someone clicking a malicious link. A short, practical briefing can make a big difference.
- Show real-world examples of phishing emails your team might see.
- Encourage staff to pause and ask if something feels “off”.
- Make it easy to report suspicious emails rather than blaming mistakes.
6. Lock down laptops, mobiles and shared PCs
Lost or stolen devices are a common source of data leaks, especially for teams working on site or from home.
- Require a PIN, password or biometric login on all devices.
- Turn on full-disk encryption where available.
- Set devices to auto-lock quickly when not in use.
7. Review who has access to what
Over time, old user accounts and unused permissions build up. This gradual creep in access rights can become a real risk.
- Remove logins for ex-employees and expired contractors.
- Give people the minimum access they need to do their job.
- Review “admin” or “owner” accounts at least twice a year.
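The three checks above can be turned into a short script that compares an exported account list with the current staff roster and flags leavers, privileged accounts and dormant logins. The code below is an added example for this guide, not code from the original article or from New Media Aid; the account export, the staff list and the review date are constructed sample data, and a real review would load them from your identity provider and HR system exports instead.

```python
"""Access review helper: compare the accounts that exist on a system with
the current staff list and flag what needs attention.

Added example, not part of the original guide. The account export and
HR roster below are constructed sample data (not real people).
"""
from datetime import date, datetime

# Constructed sample export from a SaaS admin console.
ACCOUNTS = [
    {"email": "alice@example.com", "role": "owner", "last_login": "2024-05-30"},
    {"email": "bob@example.com",   "role": "admin", "last_login": "2024-01-12"},
    {"email": "carol@example.com", "role": "user",  "last_login": "2024-05-28"},
    {"email": "dave@example.com",  "role": "user",  "last_login": "2023-11-02"},
    {"email": "temp-contractor@example.com", "role": "admin", "last_login": None},
]

# Constructed current staff roster from HR.
CURRENT_STAFF = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed date on which the review is run.
REVIEW_DATE = date(2024, 6, 1)

PRIVILEGED_ROLES = {"owner", "admin"}
INACTIVE_DAYS = 90  # assumption: 90 days without a login counts as dormant


def review_access(accounts, current_staff, today, inactive_days=INACTIVE_DAYS):
    """Return three lists matching the three checks in the guide:
    leavers to remove, privileged accounts to review, and dormant
    accounts that may hold more access than anyone still needs."""
    findings = {"remove_leavers": [], "review_privileged": [], "dormant": []}
    for acct in accounts:
        email = acct["email"]
        # Check 1: anyone not on the current staff list is a leaver.
        if email not in current_staff:
            findings["remove_leavers"].append(email)
        # Check 3: every owner/admin account gets a named reviewer.
        if acct["role"] in PRIVILEGED_ROLES:
            findings["review_privileged"].append(f"{email} ({acct['role']})")
        # Check 2: dormant accounts are a sign of access nobody needs.
        last = acct["last_login"]
        if last is None:
            findings["dormant"].append(f"{email} (never logged in)")
        else:
            age = (today - datetime.strptime(last, "%Y-%m-%d").date()).days
            if age > inactive_days:
                findings["dormant"].append(f"{email} ({age} days)")
    return findings


if __name__ == "__main__":
    for section, items in review_access(ACCOUNTS, CURRENT_STAFF, REVIEW_DATE).items():
        print(section)
        for item in items or ["(none)"]:
            print("  -", item)
```

Run twice a year against each system that matters (email, cloud storage, accounting, CRM) and work through the output: leavers are removed, privileged accounts are confirmed with their owner, and dormant accounts are either removed or downgraded to the minimum the person actually needs.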
Where bespoke systems fit in
If you rely on bespoke web or Android apps, they should follow the same principles: strong authentication, least-privilege access, secure data storage and regular updates. When we build or maintain systems for clients, security is treated as part of the core feature set, not an optional extra.
What to do next
You don’t need to fix everything at once. Pick two or three of the quick wins above and schedule time in the diary this week to tackle them. Small, consistent improvements are far better than a one-off “security sprint” that never gets revisited.
If you’d like a practical review of how these points apply to your own web or mobile systems, feel free to get in touch and we can walk through your current setup in plain English.