09.01.2025

Cybersecurity: Affordable Ways to Protect Your Business in 2025


In today's digital landscape, cybersecurity is no longer a luxury, it's a necessity. Cyberattacks are becoming increasingly sophisticated, and small and medium-sized businesses (SMBs) are often seen as easy targets. But here's the good news: protecting your business from online threats doesn't have to break the bank. With a proactive approach and a few smart strategies, you can significantly enhance your cybersecurity posture without a massive budget.

Why Cybersecurity Matters for SMBs

You might think, "Why would a cybercriminal target my small business?" The reality is that SMBs are often more vulnerable than larger corporations. They may lack dedicated IT staff, have outdated security measures, and employees might not be fully aware of the risks. A successful attack can lead to:

  • Financial Losses: Ransomware payments, data recovery costs, legal fees.
  • Reputational Damage: Loss of customer trust and a tarnished brand image.
  • Operational Disruptions: Downtime that impacts productivity and revenue.
  • Data Breaches: Theft of sensitive customer or company information.

A Few ‘Close to Home’ Examples:

I have been asked to investigate a few cybersecurity breaches and here are some examples of what happened:

  • The lady who looked after the payroll for a small business (30 staff) received an email from one of the managers asking if she would change the bank account his salary was paid into. He sat in the same office, a few desks away, and this was a perfectly reasonable request. On payday, he asked, “Where is my salary?” It turned out that the email she received was from an external identity thief who had spoofed his email address (making an email look like it’s from somebody else is very easy to do), and the money was never recovered.

Always check the sender’s full email address. Bear in mind that identity thieves will sometimes use an email address that looks similar to the real address, but more often than not it’s a random Gmail or Hotmail address. Either way, the Display Name usually looks correct.
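As an added example (not part of the original article), here is the sender check described above written as a small Python function. It compares the Display Name with the full address and flags both the look-alike and the random webmail case. The company domain, staff directory and sample messages are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string, policy

# Assumptions (constructed for this example): company domain and staff directory.
COMPANY_DOMAIN = "example-widgets.co.uk"
STAFF = {"john smith": "john.smith@example-widgets.co.uk"}


def check_sender(raw_message: str) -> list[str]:
    """Return warnings about the From header of one raw email message."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ["no usable From address"]
    sender = header.addresses[0]
    name = sender.display_name.strip().lower()
    address = sender.addr_spec.lower()
    domain = sender.domain.lower()

    warnings = []
    known = STAFF.get(name)
    if known and address != known:
        warnings.append(f"display name is a staff member, but address is {address}")
    if domain != COMPANY_DOMAIN:
        # Near-identical domain = the "looks similar" case; otherwise plain external.
        if SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.85:
            warnings.append(f"look-alike domain: {domain}")
        elif known:
            warnings.append(f"staff name used from external domain: {domain}")
    return warnings


# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": "From: John Smith <john.smith@example-widgets.co.uk>\nSubject: Lunch\n\nHi",
    "webmail": "From: John Smith <js.payroll1987@gmail.com>\nSubject: New bank details\n\nHi",
    "lookalike": "From: John Smith <john.smith@example-wldgets.co.uk>\nSubject: New bank details\n\nHi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw) or "no warnings")
```

A From address forged to be exactly the real one passes this check, so a request to change bank details still needs confirming with the person directly.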

  • A customer’s employee had his personal mobile number ported to a different SIM by an identity thief. He lost his mobile number and access to his text messages. Then he lost access to his email and subsequently all his accounts that used MFA (Multifactor Authentication), including his bank accounts. It took months to resolve. He got his number back, but never got his money back.

Make sure your mobile provider enables the lock that prevents your number being ported without additional security measures.

  • Another client was taking medication while recovering from major surgery. At 9pm he received a call from Barclays Bank. The call came up on his phone as “Barclays Bank”, which reassured him. They explained that he needed to update the app on his phone to maintain access to his bank account from his mobile, but before they could talk him through anything, they needed to confirm his identity, so they would send him a PIN that he needed to give back to them, which he did. The following morning, after the medication had worn off, he realised that call was suspicious and found that his account had been emptied. The callers had started to install the Barclays App on their own phone using some of his credentials, but to complete the identity verification, the app sends a PIN to your number.

Under no circumstances give out any PIN or one-time code to anybody else, even the bank.

A few months later, I received a call from my company credit card company's fraud department, telling me there had been several unusual transactions on my credit card. Before they would give any details, they said they would send a PIN to my mobile to confirm my identity. Because of this previous experience, I said no, at which point they hung up. I called my credit card’s fraud department, who had not called me and there was no suspicious activity. They sent me a new card and I reset my password. Had I given them the PIN, they could have maxed out my company credit card.

Cyber thieves are very clever and very resourceful. You or your staff cannot afford to be complacent and let your guard down, in business or at home.

According to the UK Government website, 50% of UK businesses reported a cyber-attack breach in the last 12 months; 81% of those were SMEs.

Affordable Cybersecurity Strategies for 2025

Here's how you can bolster your defences without spending a fortune:

  1. Embrace Strong Passwords and Multi-Factor Authentication (MFA):
    • Passwords: Enforce a strong password policy that requires a combination of uppercase and lowercase letters, numbers, and symbols. Encourage the use of passphrases (memorable sentences) instead of single words.
    • MFA: This is arguably the single most effective security measure you can implement. MFA adds an extra layer of protection by requiring a second form of verification (like a code from a mobile app or a text message) in addition to a password. Many free or low-cost MFA options are available. MFA is better than a password alone, but make sure you protect your phone number by getting your mobile supplier to put a block on porting your number. The block can be lifted after several more thorough security checks.
    • Do not use the same username and password combinations on multiple sites. If one company is breached by cyber-hackers, they often sell your credentials on the dark web and the buyers will have software that tries your credentials on hundreds of common social, email and banking websites.
  2. Keep Software Up to Date:
    • Software updates often contain crucial security patches that fix known vulnerabilities. Enable automatic updates for your operating system, applications, antivirus software and firewall. Don't ignore those update or subscription renewal prompts!
  3. Invest in Reliable Antivirus and Antimalware Software:
    • While free antivirus options exist, consider investing in a reputable paid solution that offers more comprehensive protection, including real-time scanning, ransomware protection, and web filtering. Look for deals and bundles to get the best value or consult with an IT professional.
    • Keep your antivirus and antimalware software up to date. If I had £1 for every PC I’ve seen with an expired antivirus subscription, I’d be a wealthy man!
  4. Educate Your Employees (The Human Firewall):
    • Regular security awareness training is crucial. Teach your team to:
      • Recognise phishing emails and avoid clicking on suspicious links or attachments.
      • Be familiar with social engineering tactics.
      • Report any potential security incidents.
      • Practice good password security. For example:
        1. Nobody (even IT) should know anybody else’s password
        2. Never write passwords down
        3. Do not reuse the same password on different sites
        4. Change passwords regularly
        5. If you do need to keep a record of passwords, use a well trusted password vault app. Please do thorough research or ask an IT professional for advice on which password vault to use.
    • Make training engaging with quizzes, simulations, and real-world examples.
  5. Back Up Your Data Regularly:
    • Implement a robust backup strategy, ideally following the 3-2-1 rule:
      • 3 copies of your data
      • 2 different storage media (e.g., local hard drive and cloud storage)
      • 1 offsite copy
    • Automate backups to ensure they happen consistently.
    • Regularly test your backups to make sure you can restore them in case of an emergency.
    • Cloud backups are secure and can be fully automated. They do not require tapes or USB devices to be swapped and provide good reporting. They do cost money every month, but tapes, tape drives and USB devices are not free and neither is the time to swap devices.
  6. Secure Your Wi-Fi Network:
    • Change the default username and password on your router.
    • Use strong encryption (WPA2 or WPA3).
    • Consider creating a separate guest network for visitors to keep your main network secure.
    • Don’t set all wireless access points to full power. You only need your wireless network to be accessible inside your own office space. Consider more access points on lower power.
  7. Implement a Firewall:
    • A firewall acts as a barrier between your network and the outside world, blocking unauthorized access. Most internet routers and operating systems have built-in firewalls, but you can also invest in a dedicated hardware firewall for added protection.
    • A dedicated or upgraded firewall (upgraded from the ISP supplied router or operating system firewall) will usually provide:
      • Better visibility of the settings
      • Automatic updates
      • Security alerts
      • Advanced scanning and protection technologies
      • Content filtering, to restrict staff access to certain types of websites
  8. Control Access to Sensitive Data:
    • Limit employee access to sensitive information on a "need-to-know" basis. Use strong passwords and user roles to restrict access to critical systems and files.
    • Restrict staff ability to install programs on their PCs. If the staff cannot install software on their PCs, they cannot accidentally install viruses or malware.
    • Most file storage solutions, including cloud storage, allow user level permissions.
  9. Consider Cyber Liability Insurance:
    • Even with the best security measures, breaches can still happen. Cyber liability insurance can help cover the costs associated with a data breach, such as legal fees, notification costs, and credit monitoring for affected individuals.
  10. Get a Cybersecurity Assessment:
    • Consider partnering with an IT support company, like Bishop Consultancy, for a one-time cybersecurity assessment. We can identify vulnerabilities in your systems and recommend affordable ways to strengthen your defences.

Conclusion:

Cybersecurity doesn't have to be an expensive or daunting task. By implementing these affordable strategies, you can create a strong security foundation and significantly reduce your risk of falling victim to cyberattacks. Remember that cybersecurity is an ongoing process, not a one-time fix. Stay informed about emerging threats, regularly review your security measures, and adapt your approach as needed. Investing in cybersecurity is investing in the future of your business.

Many insurance companies are now sending out cyber security questionnaires and may charge you more or refuse to insure you if they are not confident in your cyber security measures.

Don't wait until it's too late. Take steps to protect your business today. If you're in the Southeast and need help improving your cybersecurity, contact Bishop Consultancy for expert advice and support. We can help you find affordable solutions tailored to your specific needs.

Kevin Bishop

Bishop Consultancy

07850 698170

kevinbishop@computer-consultant.co.uk

https://bishop-consultancy.co.uk

     

     
