10 Jun 2026

Five cyber security checks every small business should review

Practical cyber security advice for SMEs covering MFA, email security, backups, devices and admin access.


Cyber security is often seen as something only large companies need to worry about. In reality, small and medium-sized businesses are regularly targeted because attackers know they may not have large IT teams, strict security controls or the time to review every technical detail.

Many cyber incidents do not begin with advanced hacking. They often start with a simple email, a weak password, an old device, a missing backup or an account that has too much access. The good news is that many of these risks can be reduced by reviewing a few key areas.

Here are five cyber security checks every small business should consider.

1. Review multi-factor authentication

Multi-factor authentication, often called MFA, adds an extra layer of protection when someone signs in to an account. Instead of relying only on a password, the user may also need to approve a sign-in through an app, text message or security key.

For businesses using Microsoft 365, Google Workspace or other cloud services, MFA should be enabled wherever possible, especially for email, finance systems, cloud storage and administrator accounts.

Businesses should also check whether MFA is actually enforced for all users, not just made available: it is common for MFA to be switched on as an option while some accounts have never registered a second factor. It is also important to review old accounts, shared accounts and accounts belonging to people who have left the business, as these are the ones most often missed.

A useful question to ask is: if a staff member’s password was stolen today, would the attacker still be able to access the account?
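One way to answer that question for a Microsoft 365 tenant is to list which enabled accounts have a second factor registered. The script below is an added example, not code from the original post or from Express Networks; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the signed-in administrator can consent to the two read-only scopes it requests. The list of method types treated as a second factor is the author's assumption about which registered methods actually stop a password-only sign-in.

```powershell
# Added example, not from the original post: list Microsoft 365 users with no
# MFA-capable sign-in method registered, using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can consent
# to the two read-only scopes below.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All"

# Method types that provide a second factor (assumption: this list is the author's).
# Password, e-mail (self-service reset only) and temporary access pass are not counted.
$secondFactorTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$users = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName,DisplayName,UserType

$report = foreach ($user in $users) {
    # Each registered method carries its type in the @odata.type annotation
    $registered = Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
        Where-Object { $secondFactorTypes -contains $_ } |
        ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' }

    [pscustomobject]@{
        User          = $user.UserPrincipalName
        UserType      = $user.UserType          # guest accounts deserve the same review
        SecondFactors = @($registered) -join ', '
        MfaCapable    = [bool]$registered
    }
}

# Accounts that could be taken over with the password alone
$report | Where-Object { -not $_.MfaCapable } | Sort-Object User | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

A registered method is not the same as an enforced one: an account can have an authenticator app set up and still be allowed to sign in with only a password if nothing requires the second factor. Pair this report with a check of the tenant's Conditional Access policies (or Security defaults, in smaller tenants) to confirm that MFA is required rather than merely possible, and treat disabled-but-licensed accounts and leavers' accounts as candidates for removal rather than for MFA enrolment.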

2. Check email security and phishing protection

Email remains one of the most common ways criminals target businesses. Phishing emails can be designed to steal passwords, trick staff into paying fake invoices or persuade someone to click on a harmful link.

Businesses should review whether their email system has suitable protection in place. This can include spam filtering, phishing protection, safe link scanning, attachment scanning and rules to reduce spoofing, where someone pretends to send an email from your domain.

It is also worth checking for unusual mailbox rules. Attackers who gain access to an inbox sometimes create hidden forwarding rules so that emails are silently sent to an external address. This can allow them to monitor conversations, intercept invoices or gather sensitive information.

Staff awareness is also important. Employees should feel comfortable reporting suspicious emails quickly, without fear of blame. The faster a suspicious email is reported, the easier it is to reduce the risk.
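The two technical checks above, hidden forwarding rules and anti-spoofing protection, can both be reviewed from Exchange Online PowerShell. The script below is an added example, not code from the original post or from Express Networks; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an Exchange administrator role, and that it is run on Windows (Resolve-DnsName is a Windows cmdlet). It goes slightly beyond the text by also flagging mailbox-level forwarding and rules that delete mail, since attackers use both to hide their activity in the same way as a forwarding rule, and by looking up each owned domain's SPF and DMARC records, which are the DNS records that let receiving mail systems reject mail spoofing your domain.

```powershell
# Added example, not from the original post: review an Exchange Online tenant for mail
# leaving the organisation via forwarding, and confirm anti-spoofing DNS records.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Domains this tenant owns; any other domain is treated as external
$internalDomains = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }

function Test-ExternalRecipient {
    # Returns $true if any recipient in the list is outside the tenant's own domains.
    # Inbox-rule recipients are formatted like:  "Display Name" [SMTP:user@example.com]
    param([string[]]$Recipients)
    foreach ($entry in $Recipients) {
        if (-not $entry) { continue }
        $addr = if ($entry -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { $entry }
        if ($addr -notmatch '@') { continue }          # legacy internal DN, not an SMTP address
        $domain = ($addr -split '@')[-1]
        if ($internalDomains -notcontains $domain) { return $true }
    }
    return $false
}

function Get-TxtRecord {
    # Joins the string chunks of each TXT record so long SPF records are not truncated
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' }
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

# 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings)
Write-Host "== Mailboxes with forwarding configured =="
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Format-Table UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward -AutoSize

# 2. Inbox rules that forward or redirect mail externally, or delete it outright
Write-Host "== Inbox rules that forward externally or delete mail =="
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object {
        $_.Enabled -and (
            $_.DeleteMessage -or
            (Test-ExternalRecipient (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)))
        )
    } | Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, ForwardTo, RedirectTo, DeleteMessage, Description |
      Format-List
}

# 3. Anti-spoofing records (SPF and DMARC) published for each owned domain
Write-Host "== SPF / DMARC =="
foreach ($domain in $internalDomains) {
    [pscustomobject]@{
        Domain = $domain
        SPF    = Get-TxtRecord $domain          | Where-Object { $_ -like 'v=spf1*' }
        DMARC  = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like 'v=DMARC1*' }
    } | Format-List
}

Disconnect-ExchangeOnline -Confirm:$false
```

Rules that move mail to an obscure folder or mark it as read are worth reviewing too; the Description property shows each rule in plain English, which makes a quick read-through practical for a small tenant. A DMARC record whose policy is p=none only monitors; spoofed mail is rejected by receivers only once the policy is raised to quarantine or reject, which should be done after checking the DMARC reports for legitimate senders.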

3. Review backups and recovery

A backup is only useful if it can actually be restored when needed. Many businesses believe they are backed up, but have never tested the recovery process.

Businesses should review what is being backed up, how often backups run, where the backups are stored and who has access to them. It is also important to check whether cloud data is protected. Some businesses assume that Microsoft 365 or other cloud platforms automatically protect everything forever, but a platform's built-in retention is not the same as having a separate backup and recovery plan.

A good backup review should answer these questions:

• What data is critical to the business?

• How quickly could it be restored?

• Are backups protected from ransomware?

• Has a restore test been completed recently?

• Who is responsible for checking backups are working?

Without reliable backups, a small incident can quickly become a major business disruption.

4. Check devices and endpoint protection

Every laptop, desktop, phone and server connected to a business network can create risk if it is not properly managed. Devices should be kept updated, protected with suitable antivirus or endpoint protection, and secured with strong login controls.

Businesses should check whether devices are still receiving security updates and whether old equipment is still being used. Unsupported operating systems or outdated software can create easy opportunities for attackers.

It is also important to consider what happens if a laptop is lost or stolen. Devices containing business data should use encryption where appropriate, and businesses should know whether they can remotely lock or wipe a device if necessary.

For companies where staff use personal devices for work email or documents, there should be clear rules around access, screenshots, downloads and data storage. Business data should not be left unmanaged on personal devices without proper controls.
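For company-owned Windows devices, the points above can be checked on the device itself. The script below is an added example, not code from the original post or from Express Networks; it assumes it is run in an elevated PowerShell session on the endpoint, that the BitLocker and Microsoft Defender cmdlets are present (it reports Unknown where they are not), and the 60-day patch threshold is an assumption to be replaced with the business's own policy.

```powershell
# Added example, not from the original post: a quick health check for a Windows endpoint
# covering OS build, recent patching, disk encryption and endpoint protection.
# Run in an elevated PowerShell session on the device itself.
# The 60-day patch threshold is an assumption; set it to match your own policy.
$maxPatchAgeDays = 60

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

# BitLocker and Defender cmdlets exist only on editions that ship those features,
# so report "Unknown" rather than aborting the whole check.
$bitlocker = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
$defender  = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }

$lastPatchDate = if ($lastPatch) { $lastPatch.InstalledOn } else { 'None recorded' }
$patchCurrent  = [bool]($lastPatch -and ((Get-Date) - $lastPatch.InstalledOn).TotalDays -le $maxPatchAgeDays)
$encrypted     = if ($bitlocker) { $bitlocker.ProtectionStatus -eq 'On' } else { 'Unknown' }
$avActive      = if ($defender) { $defender.AntivirusEnabled -and $defender.RealTimeProtectionEnabled } else { 'Unknown' }
$sigAgeDays    = if ($defender) { $defender.AntivirusSignatureAge } else { 'Unknown' }

$result = [pscustomobject]@{
    Device               = $env:COMPUTERNAME
    OperatingSystem      = "$($os.Caption) (build $($os.BuildNumber))"
    LastPatchInstalled   = $lastPatchDate
    PatchingCurrent      = $patchCurrent
    SystemDriveEncrypted = $encrypted
    AntivirusActive      = $avActive
    SignatureAgeDays     = $sigAgeDays
}

$result | Format-List
# Keep a copy per device so results can be compared across the fleet
$result | Export-Csv -Path ".\endpoint-check-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

The OS build number is reported rather than judged, because whether it is still supported depends on the edition and Microsoft's published end-of-support dates; compare it against those when reviewing the output. Where a device management platform is in use, the same information is usually available centrally, and that is also where remote lock and wipe for a lost laptop is configured.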

5. Review administrator access

Administrator accounts are powerful because they can make major changes to systems, users, devices and security settings. If an administrator account is compromised, the damage can be much greater than with a normal user account.

Businesses should regularly review who has administrator access and whether they still need it. In many cases, too many people have high-level access simply because it was convenient at the time.

Administrator accounts should have strong passwords and MFA enabled, and should not be used for everyday email or web browsing. Where possible, businesses should give each administrator a separate everyday account and keep the administrator account for administrative tasks only.

A simple rule is that users should only have the access they need to do their job. This reduces the risk if an account is compromised.
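For a Microsoft 365 tenant, the review of who holds administrator access can start from a list of privileged role members. The script below is an added example, not code from the original post or from Express Networks; it assumes the Microsoft Graph PowerShell SDK is installed, uses Microsoft's built-in role names, and applies a heuristic of the author's own (a privileged account that also carries a licence is probably someone's everyday mailbox and browsing identity, not a dedicated admin account). The "fewer than five Global Administrators" threshold follows Microsoft's published guidance for the role.

```powershell
# Added example, not from the original post: list who holds privileged Microsoft 365
# roles and flag accounts that look like they are also used for everyday work.
# Assumes the Microsoft.Graph module. The licence heuristic is the author's assumption.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All"

# Built-in role names; extend the list with any others that matter to the business
$privilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Exchange Administrator',
    'User Administrator',
    'Security Administrator'
)

$members = foreach ($roleName in $privilegedRoles) {
    # A built-in role only appears here once it has been activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $type = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $name = $member.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $member.AdditionalProperties['displayName'] }

        $licensed = $null
        if ($type -eq 'user') {
            # Heuristic: dedicated admin accounts normally carry no licence
            $u = Get-MgUser -UserId $member.Id -Property AssignedLicenses
            $licensed = $u.AssignedLicenses.Count -gt 0
        }

        [pscustomobject]@{
            Role           = $roleName
            Member         = $name
            Type           = $type            # user, servicePrincipal or group
            LikelyDailyUse = $licensed
        }
    }
}

$members | Sort-Object Role, Member | Format-Table -AutoSize

# Microsoft's guidance is to keep Global Administrator to fewer than five dedicated accounts
$globalAdmins = @($members | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -ge 5) {
    Write-Warning "$($globalAdmins.Count) Global Administrators: review whether each still needs the role."
}
```

Groups and service principals listed as role members need a second look: a group's own membership decides who actually holds the role, and an application holding Global Administrator has the same reach as a person. Each user in the output can be cross-checked against the MFA registration report from the first check, since an administrator without a second factor is the single most damaging gap on this list.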

Why regular checks matter

Cyber security is not a one-time project. Businesses change over time. Staff join and leave, new software is introduced, devices are replaced, and cloud systems are updated. What was secure last year may not be secure today.

Regular reviews help businesses spot gaps before they become serious problems. They also help with cyber insurance, customer confidence and general business resilience.

Small businesses do not need to overcomplicate cyber security. The most important step is to understand the current risks and take practical action. By reviewing MFA, email security, backups, devices and administrator access, businesses can significantly reduce their exposure to common cyber threats.

Express Networks provides managed IT support and cyber security services for small and growing businesses across Birmingham and the West Midlands.

For more information, visit: https://expressnetworks.co.uk