top of page

Guidance: Cyber Security for SME’s

How to Protect Against Key Threats


  • Update your operating system, browsers and plugins

  • Enable click-to-play plugins

  • Remove redundant or outdated software

  • Watch out for fake tech support numbers

  • Use strong passwords

  • Ensure you’re using trusted websites

  • Log out of websites and accounts when you’ve finished

  • Use firewall, anti-malware, anti-ransom ware and anti-exploit technology

  • Install anti-virus software and keep it up to date

  • Install a popup blocker

  • Never click on, open or download anything unless you know the sender, are expecting something from them or trust the website

  • Know the signs of a virus on your computer (e.g., slow performance, unexpected shutdowns and changes to your homepage)


  • Know the signs (unknown senders, strange email addresses and spelling and grammar mistakes)

  • Only open attachments, click on links or download files if you’re expecting them

  • Never give out personal or financial information

  • Use different passwords for each online account or website login

  • Enable two-factor authentication

Two-factor authentication

Two-factor authentication (2FA) is a multi-factor authentication or two-step verification where a user must provide two authentication factors to prove identity and gain access to an online network or user account.


  • Make sure employees are trained on how to spot the signs of a fake email

  • Have procedures in place to report suspicious emails

  • Back up your equipment regularly and keep software up to date

  • Use robust security software

  • Disable macros and Java and Flash Player

DDoS ( Distributed Denial of Service) attacks

  • Know the amount of bandwidth your site typically uses

  • Add more bandwidth if needed

  • Ensure updates are installed on all computers and devices

  • Secure your network infrastructure

  • Practice basic network security

  • Have a cloud-based DDoS mitigation system in place


  • Use strong passwords and have different passwords for all websites and logins

  • Use two-factor authentication

  • Choose an Internet Service Provider (ISP) that offers built-in security features

  • Keep anti-virus and anti-spyware software up to date

  • Install a network firewall

  • Encrypt customer data and sensitive information

  • Limit access to certain online information

  • Block high-risk sites from being viewed by employees

Data protection

As well as protecting your organisation, customers and employees, personal data protection is a legal requirement under GDPR and The Data Protection Act 2018. This checklist does not cover your legal obligations in controlling or processing personal data, although we have included links to valuable websites in the Helpful Resources section. The guidance below is aimed at the practical steps you can take to minimise the risk of loss of personal data.

Secure wireless networks

Manage your Preferred Network List (PNL), use a Virtual Private Network (VPN), disable auto-connection and Wireless Session Protocol (WPS) functionality and run regular wireless network penetration tests.

Keep your computer and software up to date

Install updates as soon as they’re available to fix security flaws.

Control access to personal data

Only allow employees access if they really need it to do their job.

Regularly back up data

Cloud solutions can be a popular choice.

Train employees

Make sure your staff know how to identify potential threats when it comes to data breaches.

Staff training

Regular and educational staff training is vital to your cyber security.

  • Implement a cyber security policy to set the standard for all your online activities

  • Hold regular training sessions to help employees stay alert and safe when browsing online, recognise the signs of cyber-attacks and know how to report them

  • Implement stricter controls and levels of access to online tools and data including removing access when an employee leaves the business.

  • Make sure your staff know how to identify potential personal data breaches and the steps to take. If you are obliged to report a personal data breach to the ICO, strict timelines apply.

Top tips


  • Avoid using obvious and common passwords that are based on personal information

  • Create long passwords with a mix of upper- and lower-case characters, numbers and symbols

  • Don’t use memorable keyboard paths, such as qwerty

  • Implement two-factor authentication on key accounts where you can

  • Use a password manager to store your passwords, generate secure ones and share login credentials safely

Browsing safely online

  • Ensure your Wi-Fi is password protected, change your default router login information to something more secure and turn off Wi-Fi Protected Setup (WPS) on your router

  • Think about using a Virtual Private Network (VPN) to mask your IP address and add an extra layer of security to your online activities

  • Ensure your third-party suppliers are GDPR compliant and you research their security measures to ensure data is stored and transferred securely

  • Run regular computer and software updates

Monitoring your small business cyber security

  • Monitor your logs for signs of unauthorised activities

  • Create a monitoring policy to help manage risk

  • Conduct a ‘lessons learned review’ by looking back at past successes and failures and identifying which security measures are working (and which aren’t working so well)

Working from home and mobile devices

  • Implement cyber security practices for remote working including setting policies around using public Wi-Fi, implementing two-factor authentication and ensuring mobile devices are also secured

  • Encrypt data on smartphones, ensure all mobile devices are set up with password, fingerprint or face verification and install software that allows you to wipe data remotely

  • Ensure all USB devices and portable hard drives are password protected, data is encrypted and backed up and they are securely stored

Responding to a cyber-attack or breach

  1. Contain the breach (disconnect your internet, disable remote access, review firewall settings, isolate devices from the internet and neighbouring devices/ networks, install any pending security updates and change passwords)

  2. When you’re sure your systems are safe again, use your backups to restore any data which was lost

  3. Conduct an investigation to learn how the attack happened

  4. Consider whether any personal data was included in the breach to identify any obligation to report the breach to the necessary regulators (e.g., the ICO)

  5. Identify and, where required, notify employees, customers and third-parties who have been impacted by the breach

  6. Manage announcements to the public and be ready to respond to feedback, comments and questions from customers

  7. Adjust and communicate your internal security protocols to reduce the risk of the same type of incident occurring again

Helpful resources


The information in this guide is for general guidance about cyber security good practice only and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at October 2020. However, Acorn HR Services does not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or failure to use any information contained in this guidance.

Recent Posts

See All


bottom of page