TheLogic IT Solutions

17 April 2026

Cyber Security for Small Businesses: What Actually Matters

There's a myth that won't die: cyber criminals only care about big targets. Lockheed Martin. NHS trusts. The names that make the evening news. If you're running a 30-person accountancy firm in Livingston, you're fine. Right?

Wrong. The latest UK government survey says 39% of UK businesses got hit by a cyber attack last year. Small firms don't escape; if anything, they're the preferred targets, because they're easier to get into. The good news: the stuff that actually protects you is boring and cheap. You don't need a £40,000 threat-detection box. You need to do a handful of basic things properly, and keep doing them.

Turn on MFA. Everywhere.

If you only do one thing from this post, do this one. MFA blocks more than 99% of account compromise attacks. So when someone eventually figures out Dave's password, because Dave reused it on a gardening forum that got breached in 2019, they still can't get into his Microsoft 365.

Most of the businesses we audit have MFA on for admins and off for everyone else. Or on for email and off for the VPN. Attackers find the gap. Put it on everything: remote access, admin consoles, anything that matters.

Patch within a fortnight. Not "eventually"

The vulnerabilities behind real incidents are almost never zero-days. They're bugs with patches that have been available for months, sitting unapplied because nobody got around to it. Automated patching is cheap, runs overnight, and kills off the single most common way in.

Back up like you expect to be ransomwared

A backup plugged into the server is not a backup. A backup sitting on a shared drive is not a backup. Both are snacks for ransomware. You need offsite, ideally immutable, and tested quarterly. If you haven't actually restored a file in the last twelve months, you don't have a working backup. You have a hope.
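As an added illustration of what "tested" means in practice (example code written for this post, not TheLogic's own tooling), this Python script compares a sample of files restored from backup against the live originals and gives a verdict on a backup whose last successful restore test is older than twelve months. The directory layout, the date strings and the three sample files are assumptions.

```python
import hashlib
import random
import tempfile
from datetime import date, timedelta
from pathlib import Path
from typing import Optional

MAX_TEST_AGE = timedelta(days=365)  # "restored a file in the last twelve months"


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def verify_restore(source_dir: Path, restored_dir: Path, sample_size: int = 5, seed: int = 0) -> dict:
    """Sample live files; the copy restored from backup (same relative path) must exist and hash identically."""
    files = sorted(p for p in source_dir.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    result = {"checked": 0, "missing": [], "corrupt": []}
    for src in sample:
        rel = src.relative_to(source_dir)
        restored = restored_dir / rel
        result["checked"] += 1
        if not restored.is_file():
            result["missing"].append(str(rel))
        elif sha256_file(restored) != sha256_file(src):
            result["corrupt"].append(str(rel))
    result["ok"] = not result["missing"] and not result["corrupt"]
    return result


def backup_status(last_successful_test: Optional[str], today: str) -> str:
    """ISO dates in; an untested or stale backup is a hope, not a backup."""
    if last_successful_test is None:
        return "untested"
    age = date.fromisoformat(today) - date.fromisoformat(last_successful_test)
    return "stale" if age > MAX_TEST_AGE else "ok"


def run_demo() -> dict:
    """Constructed data: three source files; the 'restore' has one intact, one corrupted, one missing."""
    with tempfile.TemporaryDirectory() as d:
        src, rst = Path(d) / "source", Path(d) / "restored"
        src.mkdir()
        rst.mkdir()
        for name, data in {"a.txt": b"alpha", "b.txt": b"bravo", "c.txt": b"charlie"}.items():
            (src / name).write_bytes(data)
        (rst / "a.txt").write_bytes(b"alpha")  # restored intact
        (rst / "b.txt").write_bytes(b"brav0")  # silently corrupted on restore
        return verify_restore(src, rst, sample_size=3)  # c.txt was never restored
```

Run `run_demo()` against a real restore target instead of the constructed tree, and record the date of each passing run so `backup_status` has something honest to compare against.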

Train people. Keep training them

Over 80% of incidents involve someone making a mistake. That's not because staff are careless. It's because modern phishing emails are indistinguishable from the real thing. Short, regular, simulated phishing campaigns are embarrassing the first couple of times and genuinely useful after that.

What's overhyped

Vendors want you to believe you need AI-powered XDR, threat intelligence feeds, and a 24/7 SOC. For a business under 200 people, that's overkill, and a lot of it is money set on fire. What you actually need:

  • A managed firewall
  • Proper endpoint protection everywhere (not consumer antivirus)
  • Patching
  • MFA
  • Tested backups
  • Trained staff

That's 90% of the risk, handled.

If that sounds like a lot, it isn't. It's a weekend of work to set up properly and a monthly bill in hundreds, not thousands. Do it once, keep it current, and you've taken yourself off the easy-target list.

If you want to see where your current setup stands, try our free cyber security assessment. Takes four minutes and gives you a prioritised action plan.