Cyber security breaches are a familiar part of our daily life. We see them in the news headlines; we get weird messages in our inboxes and chat apps; and we regularly hear from friends and family that have had email or social media hacked. These are the outward signs of a threat that is increasing in significance and sophistication – thanks in large part to the rise of AI and increasing geo-political instability.

For businesses, the real impact is not so obvious. With no central record of cyber breaches and no requirement for businesses to report, the extent of the problem is difficult to gauge. That makes it hard for business decision-makers to examine the real-world risk, in order to allocate appropriate resources to protect themselves.

I like to look at the recent (2025) government figures because they are not driven by a commercial imperative, or subject to sensationalism. And the fact that the stats are self-reported means that this is likely to be a best-case view.

In that study, 43% of UK businesses reported suffering a cyber breach. Of these, 46% (or 20% of all UK businesses) became the victim of a cyber crime. The average cost for small firms was between £5.9k and £10k per incident.

Those are concerning numbers, but remember that this is probably the best case. And the direct monetary cost of a breach is only part of the impact on a small business. Our experience and ongoing analysis of cyber incidents give us a deeper understanding:

  • Operational disruption erodes productivity, delays cash flow and leads to missed opportunities
  • Reputational damage reduces trust, impacting medium-term revenue and stakeholder value
  • Psychological impact on staff and colleagues can be personally devastating

So what do you do about this if you are concerned about the cyber security of your organisation? The commercially mature approach is to embed responsibility at the highest level within the leadership team; conduct a review of risk and implement appropriate mitigations; and regularly review your approach to ensure it stays robust and current.

That is beyond the resources of many small businesses, however, who often simply want a generic checklist of fundamental measures that will give them the most ‘bang for their buck’. So here is my take on this.

Cyber Security Checklist

Step 1 Keep the Hackers Out

Firewall Management

  • A robust firewall is your first barrier. It needs to be securely configured, have its default password changed, have its firmware kept up to date, and be checked regularly.

Manage System Access

  • Create user accounts with minimal permissions, remove unnecessary user accounts, enforce MFA, implement a password policy, consolidate logins, and securely configure your most sensitive systems.

Diligent System Maintenance

  • Keep operating systems, applications, and firmware fully patched. Ensure local disks are encrypted. Reboot everything regularly.

Step 2 Toughen the Internals

Malware & Web Protection

  • Equip all devices with modern endpoint protection and web filtering to block malware and limit access to risky sites.

Patch Management

  • Establish a formal patch cycle; prioritise high- and critical-severity patches and deploy them promptly across all systems.

Proactive Maintenance

  • Schedule regular health checks of all devices with access to data. Maintain an asset list. Regularly double-check that your processes are being followed.

Security Awareness Training

  • Train staff to spot phishing, use strong passwords and report threats.

Step 3 Detect and Respond

Proactive Monitoring & Detection

  • Deploy alerting tools to monitor logs, network anomalies, and endpoint behaviour—early detection can stop breaches before impact escalates.

Respond to System Alerting

  • Assign clear roles to triage alerts and automate escalation for critical threats.
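To make the two points above concrete, here is a small added example (my own illustration, not a tool the post or any vendor supplies). It parses a handful of constructed sshd-style log lines, raises a high-severity alert when one source address produces a burst of failed logins, escalates to critical if that same source then logs in successfully, and routes each alert to a hypothetical "ticket" or "page-oncall" queue. The log lines, the threshold of five failures in two minutes and the routing names are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog/sshd-like layout (not real data).
SAMPLE_LOG = """\
Mar 10 09:00:01 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:04 fileserver sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:06 fileserver sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:09 fileserver sshd[2107]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:12 fileserver sshd[2109]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:15 fileserver sshd[2111]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 09:05:30 fileserver sshd[2140]: Failed password for alice from 192.0.2.44 port 40011 ssh2
Mar 10 09:05:41 fileserver sshd[2142]: Accepted publickey for alice from 192.0.2.44 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_line(line, year=2025):
    """Turn one log line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hour, minute, second = map(int, m["time"].split(":"))
    ts = datetime(year, MONTHS[m["month"]], int(m["day"]), hour, minute, second)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return alerts in the order they fire.

    - 'high': a source reaches `threshold` failed logins inside a sliding `window`.
    - 'critical': that source then logs in successfully, which is the case a
      defender wants to see immediately rather than in tomorrow's report.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)   # src -> timestamps of recent failures
    already_alerted = set()        # avoid re-alerting the same burst
    alerts = []
    for ev in events:
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in already_alerted:
                already_alerted.add(ev["src"])
                alerts.append({"src": ev["src"], "severity": "high", "at": ev["ts"],
                               "reason": f"{threshold} failed logins within {window}"})
        elif len(recent) >= threshold:
            alerts.append({"src": ev["src"], "severity": "critical", "at": ev["ts"],
                           "user": ev["user"],
                           "reason": "successful login after a failure burst"})
        failures[ev["src"]] = recent
    return alerts


def route(alert):
    """Hypothetical escalation policy: critical alerts page someone now,
    everything else becomes a ticket for the next working day."""
    return "page-oncall" if alert["severity"] == "critical" else "ticket"


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['at']} {a['severity']:8} {a['src']:14} -> {route(a)}: {a['reason']}")
```

The sliding window matters: a handful of failures spread over a day is normal, while five in eleven seconds from one address followed by a success is exactly what the "early detection" bullet is about. Keep the thresholds conservative at first and tune them against your own logs so the on-call person is not paged for noise.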

Step 4 Recover to Stay Operational

Managed Backups

  • Implement automated, secure backups—stored offsite or in the cloud.
  • Check that your backups are running and fix them as soon as they fail.
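The second bullet is the one most often skipped: a backup that silently stopped or quietly corrupted is discovered on the day you need it. Below is an added example of the kind of check worth scheduling daily (my own illustration, not a product or anything from the original post). It assumes a simple layout, a backup folder containing the backup files plus a `manifest.json` mapping each filename to its SHA-256, and flags a missing manifest, a missing or altered file, or a newest backup older than 26 hours. The file names, the 26-hour limit and the manifest format are assumptions for the demonstration; the `run_scenario` helper builds throwaway backup sets so the check can be exercised offline.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"   # assumed layout: {"<backup file>": "<sha256 hex>"}


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backups(backup_dir, max_age=timedelta(hours=26), now=None):
    """Return (ok, findings). findings is a list of plain-language problems:
    no manifest, a listed file missing or with a wrong checksum, or the newest
    backup being older than max_age."""
    now = now or datetime.now(timezone.utc)
    backup_dir = Path(backup_dir)
    manifest_path = backup_dir / MANIFEST_NAME
    if not manifest_path.is_file():
        return False, [f"no {MANIFEST_NAME} in {backup_dir}: the backup job probably never ran"]
    manifest = json.loads(manifest_path.read_text())
    findings, newest = [], None
    for name, expected in manifest.items():
        p = backup_dir / name
        if not p.is_file():
            findings.append(f"{name}: listed in manifest but missing")
            continue
        if sha256_of(p) != expected:
            findings.append(f"{name}: checksum mismatch (corrupt or tampered)")
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        newest = mtime if newest is None or mtime > newest else newest
    if newest is None:
        findings.append("manifest lists no usable backup files")
    elif now - newest > max_age:
        findings.append(f"newest backup is {now - newest} old; limit is {max_age}")
    return not findings, findings


def make_demo_backup(directory, age_hours=1):
    """Create a constructed backup set (not produced by any real backup tool)."""
    directory = Path(directory)
    data = directory / "accounts-2025-03-10.tar.gz"
    data.write_bytes(b"constructed sample backup payload")
    ts = (datetime.now(timezone.utc) - timedelta(hours=age_hours)).timestamp()
    os.utime(data, (ts, ts))                      # backdate it to simulate age
    (directory / MANIFEST_NAME).write_text(json.dumps({data.name: sha256_of(data)}))
    return data


def run_scenario(age_hours=1, tamper=False):
    """Build a throwaway backup set, optionally corrupt the file, and check it."""
    with tempfile.TemporaryDirectory() as d:
        data = make_demo_backup(d, age_hours=age_hours)
        if tamper:
            data.write_bytes(b"bit rot")          # manifest hash no longer matches
        return check_backups(d)


if __name__ == "__main__":
    for label, kwargs in [("fresh", {}), ("stale", {"age_hours": 48}), ("tampered", {"tamper": True})]:
        ok, findings = run_scenario(**kwargs)
        print(f"{label:9} {'OK' if ok else 'FAIL'} {findings}")
```

Run it from cron or a scheduled task and have a non-OK result raise the same alert path as any other critical event, so "fix them as soon as they fail" actually happens rather than being noticed at restore time. A periodic test restore of one file from the checked set closes the remaining gap this script cannot.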

Cyber security is no longer optional—it’s a fundamental part of running a resilient business. While the threat landscape continues to evolve, the steps outlined above provide a practical foundation for small businesses to reduce risk without overwhelming resources. By combining basic technical safeguards with a culture of awareness and regular review, you can significantly lower the chances of disruption and protect the trust your customers place in you. Start with the essentials today—because in cyber security, prevention is always less costly than recovery.

Ready to Stay One Step Ahead?

Get in touch and our team will show you how we keep businesses secure, efficient, and evolving.