The Cyber Security Gap Most Small Businesses Don't Know They Have

Ask most small business owners whether they take cyber security seriously and the answer is usually yes. They’ve got antivirus. They use strong passwords, or at least they think they do. Their IT company handles “all of that.”

And then something goes wrong.

The frustrating truth is that most cyber incidents affecting small and medium businesses don’t happen because the basics were completely ignored. They happen because of gaps: overlooked weak spots that sit between “we think we’re covered” and “we actually are.”

This isn’t about pointing fingers; it should never be about that. These gaps are easy to miss, particularly when you’re running a business and cyber security is one of about forty things competing for your attention. But knowing where they usually are is genuinely useful.

Gap 1: Your Backups Probably Aren't as Safe as You Think

Backups feel reassuring. “We back everything up” is a phrase I hear so often, and it is a phrase that has given many business owners a false sense of security during a cyber incident.

The problem is where the backup lives. If your backup is stored on a drive that’s permanently connected to your main computer or server, or if it sits on the same network, ransomware can find it and encrypt it alongside everything else. In fact, that is the very first thing most of them try to do. When that happens, the backup isn’t a safety net any more; it’s just more encrypted files, and your problems have just multiplied.

The next big question is: when did you last test your backup? A backup is only useful if it actually restores, and backups fail more often than any IT person is comfortable telling you.

Good backup practice means having at least one copy of your critical data that is either completely offline, or stored in a cloud system that uses versioning (meaning you can restore from a point before the attack happened). Ideally both.

The test to run on your IT support provider: “If ransomware encrypted everything on our network right now, what would we be able to restore, and how quickly?” If the answer is uncertain, that tells you something useful.

Gap 2: Access Doesn't Get Removed When People Leave

When a member of staff leaves, even if it’s on good terms, how quickly do their accounts get disabled?

In small businesses, the honest answer is often “not immediately.” There’s a handover period. The person’s email might need to be checked for a while. Someone will “get round to it.” And sometimes, those accounts stay active for months.

Active accounts belonging to people who no longer work for you are open doors. Former employees who leave on bad terms have occasionally used this access deliberately. More commonly, those dormant accounts get compromised by attackers scanning for easy entry points; unused accounts with old passwords are exactly what they look for.

A simple process (disable accounts on the last day of employment, transfer the access that’s still needed, remove the rest) eliminates this risk almost entirely. It doesn’t require sophisticated technology. It requires someone being responsible for doing it.

Gap 3: Your Staff Haven't Been Shown What a Phishing Email Looks Like

Phishing, meaning emails designed to trick staff into clicking malicious links or handing over login details, is the starting point for the majority of cyber attacks on small businesses.

Most staff aren’t careless. They’re busy. They’re processing a lot of information quickly. And phishing emails have become genuinely sophisticated: they arrive in convincing formats, from what appear to be legitimate senders, with plausible requests. Criminal gangs spend a lot of time trying to trick your staff into clicking these links.

Would your staff recognise an obviously suspicious email? Probably. The real question is whether they’d recognise a well-crafted one impersonating your bank, your CEO, or a regular supplier. That requires them to have been shown what to look for, not just once in an induction, but regularly enough that it stays fresh.

A 15-minute annual briefing isn’t enough. But it’s significantly better than nothing, and it’s somewhere to start.

Gap 4: Multi-Factor Authentication Isn't Switched On

Multi-factor authentication, usually shortened to MFA, means that after you enter your password, the system also sends a code to your phone (or uses an app) that you need to enter before you get access.

It sounds like a minor inconvenience. That’s because it is, genuinely, a minor inconvenience. It is also one of the most effective things you can do to stop an attacker using stolen or guessed passwords to access your accounts.

Without MFA, a compromised password is a compromised account. With MFA, the attacker also needs physical access to your phone. The gap between those two scenarios is significant and important.

Most business software (Microsoft 365, Google Workspace, accounting packages, banking platforms and so on) supports MFA. On many of them, it’s free and takes about ten minutes to switch on. For email accounts especially, there is very little justification for not having it enabled: email is the reset button for all of your other accounts.

Gap 5: No One Knows Who to Call

This is the gap that shows up most clearly under pressure. A cyber incident starts, and things are confusing and stressful. The first fifteen minutes get burned up trying to find out who the IT support company is, whether there’s a cyber insurance policy, and who actually has the authority to make decisions.

Having a short, printed document somewhere accessible (not just on a system that might be down) with key contact numbers, account numbers, and a simple list of first steps transforms those first fifteen minutes from confusion into action.

It doesn’t need to be complicated. A single laminated sheet in a desk drawer is more useful than a comprehensive document saved in a folder on the server that nobody can access because the server is the problem.

Gap 6: You Haven't Thought About Your Suppliers

This one gets less attention than the others, but it matters. If a supplier has access to your systems, your data, or your network, even indirectly, their security posture affects yours.

Do you know which suppliers and third parties have access to your systems or data? Have you checked that they have basic cyber security in place? Do your contracts with key suppliers include any security responsibilities?

A compromised supplier is a common way for attackers to reach businesses they couldn’t get to directly. It’s worth a simple conversation with your key partners about what protections they have in place.

The Common Thread

What links all six of these gaps isn’t complexity or cost. It’s the fact that they’re easy to overlook when everything is going well. They only become visible when something goes wrong.

Addressing them doesn’t require a large investment or specialist expertise. It requires someone taking a clear, calm look at where things actually stand, not where you hope they stand, and making a few deliberate decisions.

Useful Links

Want to see exactly where you stand across all of these areas? The free SME Cyber Resilience Self-Assessment covers backups, access controls, staff awareness, incident planning, and supplier risk, with a simple scoring system so you know where to focus your energy first.

No jargon, no sales pitch. Just an honest picture.