Common cyber security mistakes made by UK SMEs
Cyber Security · 6 Jun 2025 · 6 min read

Rodney
Head of Tech Realism · Black Sheep Support

In the current digital landscape, the myth that "I’m too small to be a target" has become the most dangerous assumption a UK business owner can make. Cybercriminals are no longer just focused on multinational corporations with deep pockets; they are increasingly targeting UK SMEs precisely because these organisations often lack the robust, enterprise-grade security infrastructure of their larger counterparts. For a small business, a single successful ransomware attack or data breach isn't just an IT issue—it is an existential threat that can lead to catastrophic financial loss, permanent reputational damage, and severe regulatory penalties from the Information Commissioner’s Office (ICO). As a managed IT and cyber security provider, Black Sheep Support sees the same recurring patterns time and again. By understanding these common pitfalls, you can shift your posture from vulnerable to resilient.

1. The Myth of "Security by Obscurity"

Many business owners believe that if they keep a low profile, hackers will simply pass them by. This is a critical error. Cyberattacks are rarely targeted at specific individuals manually; instead, they are automated, indiscriminate scans of the internet. Bots continuously crawl for known vulnerabilities in software, outdated firewalls, and exposed remote access points.

Why obscurity fails

  • Automated Scanning: Hackers use tools that scan the entire UK IP space for weak entry points.
  • Credential Stuffing: If your staff reuse passwords across different platforms, a breach at a non-work site (like a retail store) can lead to a compromise of your business email or cloud storage.
  • Supply Chain Attacks: You may not be the primary target, but you could be the gateway to one of your larger clients.

The goal is not to be invisible; it is to be a "hard target." By implementing basic hygiene—such as keeping software patched and ensuring your perimeter is secure—you force automated bots to move on to easier, less protected targets.

2. Neglecting the Human Firewall: Password and Access Management

The weakest link in any security chain is almost always the human element. Even the most expensive firewall in the world can be rendered useless if an employee inadvertently hands over their credentials to a phishing site.

The dangers of poor credential management

  • Password Fatigue: When staff are forced to change passwords frequently, they often resort to simple, predictable patterns (e.g., Summer2024!).
  • Lack of MFA: Multi-Factor Authentication (MFA) is the single most effective control against account takeover. If you do not have MFA enabled on your Microsoft 365 or Google Workspace, you are essentially leaving your front door unlocked.
  • Over-Privileged Accounts: Many SMEs give every employee "Administrator" rights on their computers. If that user clicks a malicious link, the malware gains full system control instantly.

Practical Advice: Implement a Password Manager for your team to ensure unique, complex credentials for every service. More importantly, mandate MFA for every single business application. If a service doesn't support MFA, consider it a security liability and look for an alternative.

3. The "Set and Forget" Mentality Toward Backups

We frequently encounter clients who believe that because they have a cloud storage solution (like OneDrive or Dropbox), they have a backup strategy. This is a dangerous misconception. Cloud sync is not a backup; it is a convenience feature. If a piece of ransomware encrypts your files, those encrypted files will seamlessly sync to your cloud storage, effectively destroying your "backup" in the process.

The 3-2-1 Backup Rule

To ensure business continuity, you must adhere to the industry-standard 3-2-1 rule:

  1. Three copies of your data.
  2. Two different media types (e.g., local server and cloud).
  3. One off-site, immutable copy (a backup that cannot be altered or deleted by ransomware).
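
One way to check a backup inventory against the 3-2-1 rule described above, and to show why a cloud sync folder does not count as one of the three copies, as an added example that is not part of the original dispatch or any Black Sheep Support tooling. The inventory format, the `BackupCopy` fields and the 30-day restore-test limit are assumptions for this example; the live data set counts as one of the three copies, which is the usual reading of the rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                     # e.g. "local-nas", "cloud-object-store"
    offsite: bool                  # held away from the primary site
    immutable: bool                # cannot be altered or deleted with production credentials
    sync_mirror: bool              # live sync of the working folder (OneDrive/Dropbox style)
    last_verified: Optional[date]  # last successful test restore; None for the live data set

def check_321(inventory: List[BackupCopy], today: date, max_verify_age_days: int = 30) -> List[str]:
    """Return findings; an empty list means the inventory satisfies the 3-2-1 rule."""
    findings = []
    # Ransomware-encrypted files propagate to a sync mirror as soon as they change,
    # so a mirror is not an independent copy and is excluded from the count.
    independent = [c for c in inventory if not c.sync_mirror]
    for c in inventory:
        if c.sync_mirror:
            findings.append(f"{c.name}: live sync mirror, not counted as a backup copy")
    if len(independent) < 3:
        findings.append(f"independent copies: {len(independent)} (3-2-1 needs 3)")
    if len({c.media for c in independent}) < 2:
        findings.append("fewer than 2 media types among independent copies")
    if not any(c.offsite and c.immutable for c in independent):
        findings.append("no copy is both off-site and immutable")
    # "Set and forget" check: a copy that has not been test-restored recently is unproven.
    for c in independent:
        if c.last_verified is not None and (today - c.last_verified).days > max_verify_age_days:
            findings.append(f"{c.name}: last test restore {(today - c.last_verified).days} days ago")
    return findings

TODAY = date(2025, 6, 6)

# Constructed inventory: the "cloud sync is my backup" setup described in the text.
SYNC_ONLY = [
    BackupCopy("laptop", "workstation-ssd", False, False, False, None),
    BackupCopy("onedrive", "cloud-sync", True, False, True, None),
]

# Constructed inventory: live data, a nightly NAS copy and an immutable off-site vault, both tested.
COMPLIANT = [
    BackupCopy("file-server", "local-disk", False, False, False, None),
    BackupCopy("nas-nightly", "local-nas", False, False, False, TODAY - timedelta(days=7)),
    BackupCopy("cloud-vault", "cloud-object-store", True, True, False, TODAY - timedelta(days=20)),
]

if __name__ == "__main__":
    for label, inv in (("sync-only", SYNC_ONLY), ("compliant", COMPLIANT)):
        print(label, check_321(inv, TODAY) or "meets 3-2-1")
```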

In the UK, under the GDPR, you are legally required to ensure the availability and resilience of personal data. If you suffer a data breach and cannot restore your systems because your backups were also compromised, you face not only the loss of business but also significant regulatory fines for failing to protect your data.

4. Failing to Align with Cyber Essentials

Cyber Essentials is a UK government-backed scheme designed to help organisations protect themselves against common cyber threats. It is not just a badge of honour; it is a framework for fundamental security. Many SMEs view it as "too much paperwork," but in reality, it is a checklist for basic survival.

The five technical controls of Cyber Essentials:

  • Boundary Firewalls: Ensuring your network is protected from unauthorised access.
  • Secure Configuration: Removing default passwords and disabling unnecessary software features.
  • Access Control: Limiting administrative privileges to only those who strictly need them.
  • Malware Protection: Using antivirus and anti-malware software to stop malicious code.
  • Patch Management: Ensuring your operating systems and applications are updated to the latest versions to close security loopholes.

Achieving Cyber Essentials certification demonstrates to your clients, partners, and insurers that you take data protection seriously. It is often a prerequisite for winning government contracts and is increasingly requested by larger firms as part of their own supply chain risk management.

5. Shadow IT and Unmanaged Devices

In a post-pandemic world, where remote and hybrid work is the norm, the "office perimeter" no longer exists. Employees are using personal laptops, tablets, and mobiles to access company data. This "Shadow IT"—the use of software or hardware without explicit IT department approval—is a massive security blind spot.

Managing the modern workspace

  • Bring Your Own Device (BYOD) Policies: If you allow staff to use personal devices, you must have a Mobile Device Management (MDM) solution in place. This allows you to wipe company data from a device if it is lost, stolen, or if an employee leaves the company.
  • Restricting Unauthorised Apps: Prevent staff from installing unapproved cloud storage or communication tools that fall outside of your security oversight.
  • Regular Audits: Periodically review which devices have access to your internal resources. If a device hasn't been updated in six months, it should be quarantined from the network until it meets your security standards.

Key Takeaways

To summarise the path to a more secure UK SME, keep these core principles in mind:

  • Stop relying on luck: Assume you are a target and build your defences accordingly.
  • MFA is non-negotiable: If you only change one thing today, turn on Multi-Factor Authentication across all accounts.
  • Backups require an "Air Gap": Ensure you have an immutable, off-site backup that ransomware cannot reach.
  • Standardise your security: Use the Cyber Essentials framework to audit your current gaps and build a roadmap for improvement.
  • Educate your team: Your staff are your first line of defence; ensure they understand how to spot a phishing attempt and why security policies exist.

Cyber security is not a one-time project; it is an ongoing process of assessment, adjustment, and vigilance. By addressing these common mistakes, you protect your livelihood, your employees' jobs, and your reputation in the marketplace.
