Cyber security for small business, without becoming an IT expert
Most cyber attacks on small UK businesses aren't sophisticated. They're someone trying your front door to see if it's unlocked. Good cyber security for a small business is mostly three practical habits: strong passwords, locked-down accounts, and a website that stays patched. None of it needs deep technical skill, most of it can be sorted in an afternoon, and all of it can be explained in plain English.
We're a small UK business too. This page isn't a catalogue of worst-case scenarios. It is a straightforward walkthrough of what actually puts small firms at risk and the small number of things that fix most of it. The detail lives in three focused guides: Password safety, Account safety and Website safety. This page points you to the right one.
The reality, without the scare story
The risk is real, and the numbers are worth knowing. Not to frighten you, but so you can size it correctly.
- According to the UK government's Cyber Security Breaches Survey 2025/2026, 46% of small businesses (those with 10–49 employees) experienced a cyber breach or attack in the survey period. Across all UK businesses the figure was 43% (roughly 612,000 firms).
- The UK's National Cyber Security Centre (NCSC) puts it plainly: 1 in 2 small businesses suffer a cyber incident every year. There are around 5.5 million small organisations in the UK with between 0 and 49 employees, so this is the everyday reality for a huge number of firms.
- The dominant problem is phishing, meaning fraudulent emails, texts or calls designed to trick someone into handing over access or money. The same government survey found 38% of all businesses experienced phishing attacks, and among businesses that had any breach, 69% said phishing was the most disruptive type.
Small businesses are often targeted precisely because their defences tend to be thinner than a large company's, not because anyone has singled you out.
The good news: most of it is preventable
Here's the part that rarely makes the headlines. Most attacks are opportunistic, not targeted, and the basics stop the large majority of them.
The NCSC describes the typical attack as "the digital equivalent of a thief trying your front door to see if it's unlocked": automated, indiscriminate, looking for the easy way in. Lock the obvious doors and you stop being the easy target. The fixes are quick, too: the NCSC notes that many protective measures can be completed in as little as 5 minutes.
The gap between best practice and what most firms actually have is the real opportunity. The government's 2025/2026 survey found only 47% of UK businesses had two-factor authentication in place, and only 33% of small businesses had run any cyber-awareness training for staff (against 19% across all businesses). Closing that gap doesn't take a security team. It takes a short, ordered list of changes, which is exactly what we help you work through.
Three areas, three sets of simple actions
We split small-business security into three areas and tackle them in this order. Each has its own guide.
🔑 Password safety
One stolen, reused password is how a lot of break-ins start. The fix is unique passwords per account, kept in a password manager so nobody has to remember them, plus a safe way for the team to share logins. The NCSC now recommends passkeys wherever a service supports them, and a password manager with two-step verification everywhere else. Read Password safety →
🔐 Account safety
This is locking down the tools your business actually runs on (email, Shopify, Klaviyo, Google Workspace, your social accounts) with two-step verification, sensible access control, and a clean way to remove access when someone leaves. The NCSC is blunt about why email comes first: gaining access to a business inbox lets an attacker reach private information including banking details, and reset the passwords on all your other accounts. Turning on two-step verification (2SV — also called two-factor authentication, or 2FA) is one of the most effective things you can do. Read Account safety →
🛡️ Website safety
A quick health check plus the basics that keep a site standing: a valid SSL certificate (the padlock), reliable backups, and software that's kept up to date. This matters even if you don't sell anything online, because a brochure site can still be hijacked to host malware or spam, which damages your reputation and your search visibility. The most common cause is simply software that hasn't been updated. Read Website safety →
We help you work through these in the right order, without the jargon. Or we do the configuration for you and leave you with a written record of what was done and why.
Built on official UK guidance
Everything here is rooted in guidance from the NCSC — the National Cyber Security Centre, which is part of GCHQ and the UK's authoritative source on cyber security for small organisations. When we tell you to enable two-step verification on email first, or to keep two separate backups, that's the national standard.
If you'd rather read the source yourself, the NCSC's small-business guidance is free and well worth reading. We align our advice to it; we're not a government body, an assessor or an NCSC partner. We're a small team that follows the same playbook we'd want our own suppliers to follow.
A note on Cyber Essentials. Cyber Essentials is the UK government's baseline certification, covering five core technical controls: secure configuration, user access control, malware protection, security update management, and firewalls. It starts from £320 +VAT. UK businesses with turnover under £20m that certify their whole organisation can opt in to £25,000 of cyber-liability insurance at no extra cost, arranged through IASME (the scheme's delivery partner), including a 24/7 incident-response helpline. Certification isn't compulsory for most businesses, but it's increasingly expected for government supply contracts and is a credible signal to clients. Take-up is still low: only 12% of small businesses held it in 2025/2026, up from 5% the year before. We can help you work towards it. We'll always be clear about our own status rather than display a badge we don't hold.
We hold our own systems to a higher standard
We don't sell you habits we don't keep ourselves. Internally, True Noise manages secrets with Infisical, runs CrowdSec for threat intelligence, and puts every code change through Codacy static analysis before it ships. We're a small business too, so the tools and habits we recommend to you are the ones running our own operation.
That's also why we build differently. Plenty of agencies still hand small businesses a website that needs constant patching to stay safe, then bill for the privilege. We build on modern, maintained platforms and patch them properly, so security is part of the build rather than a worry you're left carrying. If you're stuck on a platform that's become a maintenance burden, moving to a stack that's secure by default is something we do. See Website safety.
Frequently asked questions
Do I really need to worry about cyber security if I'm a small business?
Yes. As the figures above show, around half of small businesses suffer an incident every year, and smaller firms are targeted precisely because their defences tend to be weaker. The practical response is the three areas above: start with Password safety and Account safety.
What's the most common cyber threat to small businesses in the UK?
Phishing, meaning fraudulent emails, texts or calls designed to trick someone into handing over access or money. The government's 2025/2026 survey found 38% of businesses experienced phishing attacks, and 69% of those that had any breach said phishing was the most disruptive type. The main defence is locking down your accounts so a stolen password isn't enough on its own. See Account safety.
Do I need technical skills to improve my security?
No. The NCSC notes that many protective measures can be completed in as little as 5 minutes, and most are settings changes in tools you already use: your email, Google Workspace, Shopify or social accounts. We walk you through each step in plain English, or do the configuration for you.
What is two-step verification, and do I actually need it?
Two-step verification (2SV — also called two-factor authentication, or 2FA) means that even if someone steals your password, they still can't get into your account without a second check, usually a code on your phone or an authenticator app. The NCSC calls it one of the most effective ways to protect your email account, yet most UK businesses still don't have it switched on. Account safety covers where to turn it on first.
What are passkeys, and should I be using them?
Passkeys are a newer, more secure alternative to passwords. They're resistant to phishing (you can't be tricked into sharing one) and faster to use. In April 2026 the NCSC began recommending passkeys wherever a service supports them; Google, eBay and PayPal already do. Where a service doesn't yet support passkeys, the NCSC recommends a password manager plus two-step verification instead. Password safety explains how to start.
What is Cyber Essentials, and do we need to be certified?
Cyber Essentials is the UK government's baseline cyber security certification, covering five practical controls that protect against the most common internet-based attacks. It starts from £320 +VAT, and UK businesses with turnover under £20m that certify their whole organisation can opt in to £25,000 of cyber-liability insurance at no extra cost (arranged through IASME). It isn't compulsory for most businesses, but it's increasingly required for government supply contracts and reassures clients. We can help you work towards it, and we'll be clear about our own status.
What happens if a staff member leaves — how do I stop them accessing our systems?
This is one of the most overlooked gaps. The NCSC recommends a "Joiners, Movers and Leavers" process: access to email, Shopify, Klaviyo, social accounts and any other tool should be granted automatically when someone starts an appropriate role, and disabled automatically when they leave that role or the organisation. Any shared passwords they knew need changing. Account safety covers clean offboarding.
Is my website at risk even if I don't sell anything online?
Yes. Websites can be compromised to host malware, send spam, or harvest visitor data, even simple brochure sites. The usual causes are outdated software, weak admin passwords and no backups. A hacked site damages your reputation and can hurt your Google ranking. Website safety covers the basics that prevent it.
Not sure where to start?
Most small businesses are closer to "secure enough" than they think. They just need a clear look and a short, ordered list. We'll give you both.
Get a free security check — a no-pressure look at where you stand and what to fix first. Start a project — when you'd like us to lock it all down properly and keep it that way.
Prefer to start on your own? The NCSC's free Small Organisations Guide to Cyber Security is an excellent place to begin.