1. Why is cyber security so important?
Cyber security is increasingly important for small businesses, because while the evolution of technology brings convenience and opportunities, it also creates new threats from criminals implementing cyber attacks. These can impact every element of day-to-day operations and even destroy the viability of the business. Risks include:
- financial - from disrupted operations and production, lost data and intellectual property, as well as increasing insurance costs
- legal and regulatory - from breaches of personal or sensitive commercial data
- reputational - from failed delivery to customers, inability to pay suppliers, or loss of competitive advantage.
Data from the UK Government’s Cyber Security Breaches Survey indicates that in the previous year around half of small businesses identified a cyber attack, and around a quarter experienced a cyber crime. As a small business, you might think you have nothing worth stealing, but imagine the impact of:
- temporary loss of access to files or networks
- software or systems corrupted or damaged
- website or online services taken down or slowed
- permanent loss of files
- money stolen
- personal data altered, destroyed or taken
- theft of intellectual property.
No business is too small to be attacked, therefore cyber security is vital to help protect and defend your business. Good security has many layers of defence.
2. Understanding cyber security
Cyber security is the act of protecting your computer equipment, systems, networks and digital assets from cyber attacks and malicious access.
You wouldn’t think twice about using various methods to secure your physical premises. For example:
- protecting your boundaries with fencing, windows or doors
- ensuring the correct standard of locks, CCTV and alarm are set up and they can’t be compromised
- restricting access to keys to specific people
- implementing routine maintenance and updates to security equipment.
The same should go for your cyber security. The cyber equivalents of these will help you to defend against most cyber attacks and include:
- firewalls - security systems that protect your networks from unauthorised and malicious access
- secure configuration of systems - correctly using the available security settings on the systems and equipment you use
- user access control - limiting access to key systems only to people who need it
- security update management - implementing all updates available on the systems and platforms you use so you’re using the latest, most secure version
- malware (malicious software) protection - including anti-virus.
You may also have processes to back up your data, which is the equivalent of building and contents insurance.
For many small businesses, a proportionate standard of cyber security can be achieved using free or low cost tools, and educating employees.
Behaviour and routine processes are just as important as technology when implementing these core pillars. For example:
- Are you confident staff will recognise suspicious emails?
- Do they open links and attachments only if they recognise the sender?
- Will they change customer and supplier details only if the request comes from existing contact details?
Basic but effective security measures include locking computer screens when leaving desks and avoiding conducting business over public Wi-Fi.
3. First steps to building your cyber security
National Cyber Security Centre (NCSC)
The National Cyber Security Centre (NCSC) and the UK Government have produced a free Cyber Action Toolkit for small businesses to identify clear, bite-sized actions to protect themselves from cyber criminals.
It uses a short survey to provide personalised actions, according to the size and type of your business. Then the actions help you build layers of protection.
- Foundation layer: can be implemented in one to two weeks, covering securing your email accounts, managing passwords, securing online accounts, updating software on your devices, managing app updates and removals, and securing devices.
- Improver layer: can be implemented in two to three weeks and involves removing unnecessary user accounts, backing up work and data, separating administrator and user accounts, spotting cyber attacks, and checking anti-virus protection and firewalls.
- Enhanced layer: can be implemented in three weeks and covers planning how you respond to a cyber attack, ensuring your administrator accounts are only used for system changes and not daily work, reviewing your digital footprint and how much information you publish about your organisation that can inform cyber criminals, and how to move towards Cyber Essentials certification.
Each layer includes simple and clear template communications you can send to staff, and has progress tracking with built-in gamification.
As well as the toolkit, NCSC offers:
- specific advice and guidance for the self-employed and sole traders and for small and medium businesses, with affordable and practical advice on using online services safely, recognising and reporting phishing attempts, and how to protect your social media accounts
- a top tips e-learning module you can share with your staff.
They provide micro exercises and tabletop exercises to help you focus on cyber security, including:
- using passwords and password managers
- securing cloud-based tools and platforms
- connecting securely
- home and remote working.
Cyber and Fraud Centre Scotland
The Cyber and Fraud Centre Scotland is a social enterprise that offers a cost-effective Cyber MOT to help you evaluate your current cyber security position. It also offers time with ethical hackers to assess your organisation’s cyber resilience, followed by a tailored report.
They also run a Cyber Skills Academy to help businesses looking for cyber education, advanced fraud prevention strategies and hands-on exercises.
- Executive training is provided for executive and non-executive board members and key decision makers to help them manage cyber risk, build incident response plans and understand how to lead with confidence when facing a cyber incident.
- Cross-department training is provided for all your staff, covering how to recognise threats and adopt secure behaviours.
The centre delivers a range of services suitable for small businesses wanting to:
- test for vulnerabilities
- simulate cyber attacks with phishing exercises and penetration testing
- produce tailored cyber awareness training.
These can be especially useful for organisations too small to have a full-time specialist Chief Information Security Officer.
Information Commissioner’s Office (ICO)
The ICO provides a checklist of cyber security tips for small businesses to consider to help them comply with data protection regulations.
4. Cyber Essentials certification
If you have completed the actions in the NCSC’s Cyber Action Toolkit or the Cyber and Fraud Centre Scotland’s Cyber MOT (or completed the Cyber Essentials Readiness tool), you can build on this with Cyber Essentials certification, which can be useful for small businesses that want to implement a robust cyber security framework.
This is a UK Government-backed certification that defines the minimum proven standard of cyber security against the most common threats. It is an independently verified self-assessment, delivered by cyber security certification company IASME, which is an official partner of the NCSC. If you wish to achieve the higher Cyber Essentials Plus certification, you will need to obtain this first.
The cost of going through the process and assessment will vary depending on the size of your business, and it is priced with the intention that the benefits outweigh the cost. These benefits include:
- reduced risk from strengthened defences
- reputational benefits from building trust with customers and suppliers
- eligibility to bid for contracts that require certification
- access to insurance products that require certification and potentially access to free insurance (if eligible).
The certification covers five core cyber security controls:
- user access control - ensure only those who should have access have access, at the appropriate level
- secure configuration - ensure all elements are set up in the most secure way
- security update management - ensure all updates are being applied
- firewalls - ensure they are in place and set up properly to be effective
- malware protection - ensure this is installed and up to date.
There are two routes through the certification:
- self-guided, using IASME’s free resources and guidance
- supported, with assistance from a cyber security consultant.
To obtain the certificate, you upload information about your cyber security arrangements through a secure assessment platform, and one of your board members will need to validate that it is true before it is submitted for marking.
You can download all the requirements and questions before paying, so you can prepare properly.
Your responses will be assessed within a few days. Once you have passed the assessment, you will need to renew your certificate annually to remain on the certified organisation list.
5. Cyber Essentials Plus certification
If your business handles personal or sensitive information, or if you wish to apply for contracts with organisations such as public sector bodies, Cyber Essentials Plus may be useful to your business.
Cyber Essentials Plus is a progression from the basic Cyber Essentials self-assessment certification and involves a technical audit of your IT systems, and may include a site visit to verify your controls.
The audit covers devices, internet gateways and servers and needs to be completed within three months of your latest Cyber Essentials certification.
You can obtain quotes from three different certification bodies through the IASME website, tailored to your business size and the complexity of your network. Certification bodies aim to minimise the cost for your business.
For more information on rough costs, go to the FAQ page.
As with Cyber Essentials, once you have passed the assessment, you will need to renew your Cyber Essentials Plus certification annually to remain on the certified organisation list.
Next steps
Cyber security is the first element of an organisation’s cyber resilience strategy to prevent and defend against cyber attacks.
The next steps include:
- detecting and responding to cyber attacks.
As technology rapidly evolves, so do the techniques used by cyber criminals, which increases their ability to attack at scale and in more sophisticated ways. Likewise, as your business grows, the threats you face will change.
Therefore, your approach to cyber security must be regularly reviewed and updated, and every member of staff must understand their responsibilities.
Staff may also benefit from understanding more about how to apply cyber security and respond to cyber incidents outside of the workplace. The Cyber and Fraud Hub provides a range of resources to raise awareness of how to prevent and respond to scams and attacks.