Business news

Business Cyber Security – are your staff the weakest link?

Business Cyber Security

With industry giants like Boots, BA and the BBC being hit by hackers recently, you have to ask yourself, how easy is it for hackers to get into your devices?

The answer is, it’s too easy. And this means we need to not only be well prepared in terms of security software but also, be eternally on our guard. The hackers are savvy, so we must be too.

Focusing specifically on business cyber security, regardless of the size of your business, it’s imperative that you take steps to ensure your IT system is secure.

This means having a business email set up that includes spam and malware filters. With 95% of phishing attacks occurring via email i.e. someone – a person – having to physically click on an attachment or link, this means business email security should be a priority. Deploying an email security solution is one thing. However, training staff to spot malicious emails is another. Are your staff as cyber-aware when they’re at work as they are when using personal devices?

Having staff that are aware of what to look out for is a vital part of the cyber-security process. You cannot rely on software alone to do the job for you.

We recommend having cyber-awareness days for staff to help train them on how to spot phishing emails and what to avoid clicking on.

When it comes to cyber security, there is a substantial tick list that every business should go through to mitigate any risk. It can be overwhelming. However, there are experts out there who can assist you.

The first thing on the list should be a cyber security health check to assess what you currently use against what you need. Even the most cyber-savvy of us misses things and it’s amazing what gets picked up by an independent set of eyes. It allows you to immediately act upon anything that gets flagged up and puts your mind at ease.

There are many security products out there and it’s not always the best idea to use the basic packages that come with your software. Third-party ones, developed specifically for purpose, often do a better job, and a good IT provider will advise you about this.

MF Telecom Services, a leading IT support company based in Kent, has produced a five-step guide on free actions your business can take today to mitigate the risk of a cyber attack from Phishing emails.

With modern hybrid working practices, it is even more critical to have full security on your data and ensure staff understand the need to protect their devices by keeping them password-protected and only using secure Wi-Fi.

Backing up your data, avoiding phishing emails and smishing texts is an ongoing process. We have to try to remain one step ahead of the hackers who get more savvy by the day. It’s a huge headache for all business owners, regardless of the size of your organisation. Large or small, it doesn’t matter to the hackers. If they can get in, they will. By any means possible. They’ll steal passwords, clone emails, and get bank details and data. Having said that, you are not alone. Business IT providers are working harder than ever against this threat.

Why Small and Medium-Sized Businesses Are Now Prime Targets

There’s a persistent myth among smaller firms that hackers only pursue household names. The reality is very different. According to the Government’s official Cyber Security Breaches Survey 2025/2026, 43% of UK businesses identified a cyber security breach or attack in the last twelve months, and phishing remains by far the most prevalent threat, experienced by 38% of businesses. Crucially, these figures only capture the incidents organisations actually spotted. The true number is almost certainly higher.

Why do attackers bother with smaller businesses? Because the attacks are automated. Criminals don’t sit down and choose their victims one by one; they run software that scans thousands of networks and inboxes at a time, probing for weak passwords, unpatched systems and staff who’ll click without thinking. A small accountancy practice in Kent is just as visible to that software as a multinational, and often far less well defended. Smaller firms also make attractive stepping stones: compromise a supplier’s email account and you can launch convincing attacks on every one of their larger customers.

Building a Layered Defence

No single product will keep your business safe. Effective protection comes from layers, so that if one control fails, another catches the threat. For most businesses, those layers should include:

Multi-factor authentication (MFA). A stolen password on its own should never be enough to access your email, cloud storage or accounting software. MFA adds a second check, typically a code on a mobile app, and blocks the vast majority of account-takeover attempts. Yet adoption remains patchy: the Government survey found fewer than half of UK businesses have deployed two-factor authentication. If you do only one thing after reading this article, switch on MFA everywhere it’s offered.

Patching and updates. Many successful attacks exploit vulnerabilities for which a fix already existed. Set operating systems, browsers and business applications to update automatically, and retire software that no longer receives security support.

Endpoint protection. Modern endpoint detection tools go far beyond traditional antivirus, monitoring devices for suspicious behaviour and isolating a compromised laptop before an infection spreads across your network.

Tested backups. Follow the 3-2-1 principle: three copies of your data, on two different types of media, with one held off-site or in the cloud, disconnected from your main network. A backup that ransomware can encrypt alongside your live files is no backup at all. And test your restores regularly; the worst time to discover a backup doesn’t work is the morning after an attack.

Least-privilege access. Staff should only have access to the systems and data their role requires. When someone leaves, their accounts should be closed the same day.

Have a Plan Before You Need One

Perhaps the most worrying finding in the Government’s latest survey is that only a quarter of UK businesses have a formal incident response plan. That means most firms hit by an attack are improvising under pressure, and improvisation is when costly mistakes happen.

Your plan doesn’t need to run to fifty pages. It should set out who takes charge in an incident, how you isolate affected systems, how you contact staff and customers if email is down, where your backups are and who can restore them, and who your external support contacts are, including your IT provider, insurer and bank.

It should also cover your legal obligations. If a breach involves personal data and poses a risk to individuals, UK GDPR requires you to report it to the Information Commissioner’s Office within 72 hours of becoming aware of it. That clock ticks over weekends and bank holidays, which is another reason to have your response mapped out in advance rather than working it out in the middle of a crisis.

Once written, rehearse the plan. A one-hour tabletop exercise, walking through a simulated ransomware or invoice-fraud scenario with your key people, will expose gaps that look invisible on paper.

Cyber Essentials: A Recognised Benchmark to Aim For

If you want a structured, affordable way to get the fundamentals right, look at Cyber Essentials, the Government-backed certification scheme run by the National Cyber Security Centre. It focuses on five core technical controls: firewalls, secure configuration, access control, malware protection and security update management, and it’s designed to protect organisations against the most common internet-based attacks.

Certification does more than tighten your defences. It signals to customers, partners and insurers that you take security seriously, and it’s increasingly a requirement when bidding for contracts, particularly in the public sector. The enhanced Cyber Essentials Plus level adds independent hands-on testing of your systems for further assurance. As a Cyber Essentials Plus certified provider ourselves, MF Telecom Services can guide your business through the certification process from initial gap analysis to final assessment.

The Value of a Proactive IT Partner

For most small and medium-sized businesses, building an in-house security team simply isn’t realistic. This is where a managed IT partner earns its keep: 24/7 monitoring that spots unusual activity at 3am, patches applied before vulnerabilities are exploited, backups verified rather than assumed, and staff training refreshed as new scams emerge.

When choosing a provider, ask direct questions. Do they hold recognised certifications? Will you deal with a named engineer or a call centre? How quickly do they respond to a suspected breach? Can they demonstrate how they protect their own systems? A good partner will welcome that scrutiny.

Where to Start Today

Cyber security can feel overwhelming, but momentum matters more than perfection. Start with the quick wins: switch on multi-factor authentication, check your backups actually restore, and brief your team on the latest phishing tactics. Then take stock properly. Our free cyber security health check will benchmark your current defences against best practice and give you a clear, prioritised list of actions, without jargon and without obligation.

The hackers aren’t slowing down, and neither should you. Whether you need a one-off audit, help achieving Cyber Essentials or fully managed business cyber security, our Kent-based team is here to help. 

Comments

TechBullion

FinTech News and Information

Copyright © 2026 TechBullion. All Rights Reserved.

To Top

Pin It on Pinterest

Share This