
5 security mistakes small businesses make (and how to fix them)

The most common cybersecurity mistakes we see in SMBs. Practical fixes you can implement this week.

By Jellybean Cyber

After 500+ projects, we see the same mistakes everywhere. Not because small businesses don't care about security — but because nobody told them what to prioritise.

Here are the five most common ones and how to fix them.

1. No multi-factor authentication

This is the single biggest gap we find. Email accounts, VPNs, admin panels, cloud dashboards — all protected by a password alone.

Passwords get stolen constantly. Data breaches, phishing, credential stuffing. If your email password appears in a breach dump and there's no MFA, an attacker can log in as you in seconds.

The fix: Enable MFA on everything. Start with email and any admin accounts. Use app-based authentication (Microsoft Authenticator, Google Authenticator), not SMS. It takes an afternoon to set up and blocks the majority of account compromise attacks.

2. No one's looking at the logs

Your firewall, email platform, and endpoints generate security logs. Almost nobody reads them.

This means an attacker could be brute-forcing your VPN, exfiltrating data, or moving laterally through your network — and you wouldn't know until something breaks or a client tells you.

The fix: At minimum, enable logging on your firewall and review it monthly. If you want proper visibility, set up a managed SIEM that monitors your logs 24/7 and alerts on suspicious activity.
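To make "review the logs" concrete, here is an added example (not part of the original post) of the two checks a monthly review, or a SIEM rule, most often starts with: many failed logins from one source in a short window, and a success that follows a run of failures from the same source. The log line format, IP addresses, usernames and timestamps are constructed for the example; a real VPN or firewall uses its own format and the regex would need adjusting.

```python
"""Added example (not part of the original post): a small detection
pass over authentication log lines of the kind a VPN or firewall emits.
The line format and every IP, username and timestamp below are
constructed for the example; adapt LINE_RE to your own device."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: one source trying several accounts in a few seconds
# and eventually getting in, plus one ordinary login with a single typo.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z vpn auth: FAILED user=alice src=203.0.113.45
2024-03-01T09:00:03Z vpn auth: FAILED user=bob src=203.0.113.45
2024-03-01T09:00:04Z vpn auth: FAILED user=carol src=203.0.113.45
2024-03-01T09:00:06Z vpn auth: FAILED user=dave src=203.0.113.45
2024-03-01T09:00:07Z vpn auth: FAILED user=erin src=203.0.113.45
2024-03-01T09:00:09Z vpn auth: SUCCESS user=erin src=203.0.113.45
2024-03-01T09:15:00Z vpn auth: FAILED user=frank src=198.51.100.7
2024-03-01T09:15:30Z vpn auth: SUCCESS user=frank src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src); lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["result"], m["user"], m["src"]


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {src: number_of_distinct_users_tried} for every source that
    produced >= threshold failures inside a sliding window_seconds window."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)
    flagged = {}
    for ts, result, user, src in parse(log_text):
        if result != "FAILED":
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = len(users[src])
    return flagged


def success_after_failures(log_text, min_failures=3, window_seconds=300):
    """Return [(src, user)] where a SUCCESS follows >= min_failures FAILED
    attempts from the same source within window_seconds: the trace a
    guessed password leaves behind, and the one worth an alert."""
    failures = defaultdict(deque)
    hits = []
    for ts, result, user, src in parse(log_text):
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "FAILED":
            q.append(ts)
        elif len(q) >= min_failures:
            hits.append((src, user))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("success after failures:", success_after_failures(SAMPLE_LOG))
```

The thresholds are deliberately parameters: five failures in a minute is a reasonable starting point for a VPN, but the right values depend on how many users you have and how often they mistype. Tune them against a month of your own logs before turning the rule into an alert.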

3. Flat network with no segmentation

Many small businesses have a single network where everything sits together — the receptionist's laptop, the file server, the CCTV system, the point-of-sale terminal.

If an attacker compromises any one device, they can reach everything else. A phishing email to one employee can lead to full access to your most sensitive systems.

The fix: Segment your network. Put IoT devices, guest Wi-Fi, servers, and workstations on separate VLANs. Your managed switch and firewall almost certainly support this. If you're not sure how, we can help.

4. Backups that haven't been tested

"We have backups" is something we hear in every assessment. "We've tested restoring from them" is something we almost never hear.

Backups that don't work are worse than no backups because they give you false confidence. Ransomware gangs know this — they specifically target backup systems before encrypting your data.

The fix: Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one off-site (or offline). Then test a restore at least once a quarter. Actually bring a system back from backup and verify the data is intact.
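As an added example (not part of the original post), here is the shape of a restore test that goes beyond "the restore finished": the backup is extracted into a scratch directory and every file is checked against a SHA-256 manifest recorded at backup time, so missing, changed and unexpected files are reported rather than discovered later. The directory names, file contents and the tar-plus-manifest layout are constructed for the example; the function names are this example's own.

```python
"""Added example (not part of the original post): a restore test that
extracts a backup archive into a scratch directory and checks every
file against a SHA-256 manifest, so "the restore finished" becomes
"the data is intact". Paths and file contents are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest to keep with the backup copy."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Extract archive into restore_dir and return a list of problems:
    files missing from the restore, files whose content differs from the
    manifest, and files the manifest does not know about. An empty list
    means the restore matches what you expected to get back."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir)
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def run_restore_test(stale: bool = False) -> list:
    """Round-trip constructed data through backup and restore. With
    stale=True the live data changes after the backup was taken and the
    manifest is rebuilt from the live copy (what you would expect to
    recover), so the test reports the backup as out of date."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "invoices").mkdir(parents=True)
        (live / "ledger.csv").write_text("date,amount\n2024-03-01,120.00\n")
        (live / "invoices" / "2024-q1.csv").write_text("inv-1001,120.00\n")
        archive = Path(tmp) / "backup.tar.gz"
        manifest = create_backup(live, archive)
        if stale:
            (live / "ledger.csv").write_text(
                "date,amount\n2024-03-01,120.00\n2024-03-02,80.00\n")
            (live / "new.txt").write_text("added after the last backup\n")
            manifest = build_manifest(live)
        return verify_restore(archive, manifest, Path(tmp) / "restore")


if __name__ == "__main__":
    print("fresh backup:", run_restore_test() or "intact")
    print("stale backup:", run_restore_test(stale=True))
```

In practice the manifest lives with the off-site copy, the restore target is a machine that is not the production server, and the quarterly test is the stale case: compare what the backup restores against what the business currently depends on, not just against what the backup thought it contained.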

5. No security policies

When we ask "what's your password policy?" or "what happens if someone reports a phishing email?" the answer is usually a shrug.

Without documented policies, security depends entirely on individual judgment. People reuse passwords because nobody told them not to. Incidents go unreported because there's no process.

The fix: You don't need a 200-page security manual. Start with these four:

  • Acceptable use policy — what employees can and can't do with company devices and accounts
  • Password policy — minimum requirements, no reuse, password manager recommended
  • Incident response plan — who to call, what to do, how to contain a breach
  • BYOD policy — rules for personal devices accessing company data

We include policy templates in our SMB Security Bundle. They're ready to customise, not generic boilerplate.

The common thread

None of these mistakes are exotic. They're all basic controls that get overlooked because they're not urgent — until they are.

The good news is they're all fixable. Most of them can be addressed in a week. And fixing them puts you ahead of the majority of small businesses in the UK.

Want to know where your business stands? Book a free assessment. We'll tell you what's working, what's not, and what to fix first.