Why London SMBs Are Being Targeted
UK small businesses experienced over 65,000 successful cyberattacks last year, according to Hiscox's Cyber Readiness Report. The reason is simple: criminals know that small businesses often have weaker defences than enterprises, but still hold valuable data: client records, payment information, and access to corporate email chains.
The good news: most attacks exploit basic, preventable vulnerabilities. Here's your checklist.
Device & Network Security
1. Enable full-disk encryption on all devices
Windows: BitLocker. Mac: FileVault. If a laptop is stolen, encrypted data is useless to the thief. This takes 30 minutes to set up and costs nothing.
2. Keep a separate guest Wi-Fi network
Clients, visitors, and personal devices should never be on the same network as your business systems. A modern router does this in minutes. If your network isn't segmented, a visitor's infected phone could reach your file server.
3. Patch everything within 48 hours of release
The majority of exploited vulnerabilities have patches available before the attack happens. Enable automatic updates for Windows/macOS, browsers, and your router firmware. Set a calendar reminder to check your router's firmware monthly; most businesses never update it.
Access Control
4. Enable MFA on everything
Multi-factor authentication (MFA) blocks 99.9% of automated account-takeover attacks, according to Microsoft research. Enable it on Microsoft 365, Google Workspace, banking, and any cloud service that holds client data. Use an authenticator app (Google Authenticator or Authy), not SMS, which can be SIM-swapped.
5. Remove access within 24 hours of staff leaving
Disgruntled ex-employees with active accounts are one of the most common causes of data breaches in small businesses. Document a leaver checklist: disable their Microsoft/Google account, remove from Slack, revoke VPN access, and reclaim company devices.
6. Use a password manager
Reused passwords are the first thing attackers try. A business password manager (1Password Teams, Bitwarden for Business) generates and stores unique passwords for every service. Enforce it as company policy; it costs £3–5/user/month.
Data & Backups
7. Follow the 3-2-1 backup rule
3 copies of your data, on 2 different media types, with 1 stored offsite (cloud). Test your backup restore at least quarterly: a backup you've never tested is not a backup.
8. Encrypt sensitive client data at rest
If you store client contracts, financial records, or personal data in cloud storage (OneDrive, Google Drive, Dropbox), ensure the files themselves are encrypted, not just the storage account. Tools like Cryptomator add an additional layer of zero-knowledge encryption.
People & Process
9. Run phishing simulations quarterly
Your weakest security link is human. Services like KnowBe4 or Proofpoint send simulated phishing emails to staff, and those who click get immediate training. Businesses that run quarterly simulations see click rates drop by over 70% within a year.
10. Have a written incident response plan
If something goes wrong at 9pm on a Friday, does your team know what to do? A one-page plan covering: who to call, how to isolate affected devices, how to notify clients, and when to involve the ICO (required within 72 hours for UK GDPR breaches). Most SMBs don't have this. Write one this week.
Not Sure Where You Stand?
TechSquad London offers a free IT Security Review for London businesses. We'll assess your current setup against this checklist and give you a plain-English report: no jargon, no hard sell.
Scott is CompTIA Security+ certified and has helped over 50 London businesses improve their security posture. Book your free review here.