TL;DR: Most cyber threats don’t sneak in through clever hacking. They walk straight through the front door you forgot to lock. These 9 gaps trip up small businesses. We’ll show you how to fix them, fast.
A quick story…
A local restaurant in Milton Keynes clicked a fake Microsoft 365 invoice. They paid it before the ovens had even warmed up and watched their bank account empty in real time.
They’re not alone. 43% of cyber-attacks now target small businesses. Not because hackers are super clever, but because the basics are getting missed.
The good news? Most of these are easy to fix.
Boil the kettle. You’ll be protected before it clicks off.
1. Patch it now. Fix 57% of threats
Why it matters:
Most breaches aren’t cutting-edge. They’re just lazy. 57% happen after a patch is already available but not installed (ServiceNow).
Quick fixes:
- Nominate someone to check monthly. This closes known security holes fast
- Turn on automatic updates for apps, operating systems, and firmware
2. Passwords doing all the heavy lifting
Why it matters:
61% of breaches involve weak or stolen passwords (NinjaOne). Relying on them alone? Risky business.
Quick fixes:
- Add multi-factor authentication (MFA) using an app, not SMS
- Ban Excel password lists. Use a secure password manager
- Encourage passphrases (e.g. ThreeRandomWords)
3. Ignoring firmware and hardware security
Why it matters:
Software gets the attention. But 79% of IT leaders say their hardware and firmware are behind (HP).
Quick fixes:
- Use devices that need a password to turn on
- Stop unauthorised access right from the start
- Turn on firmware checks to catch anything dodgy at boot-up
- Ditch any old kit that’s no longer supported. It’s a risk waiting to happen
4. Mythical backups that don’t actually work
Why it matters:
19,000 UK businesses faced ransomware last year (Gov.uk). Having backups you’ve never tested is like having a fire alarm with no batteries.
Quick fixes:
- Follow the 3-2-1 rule: 3 copies, 2 types of media, 1 off-site or offline
- Run file-level and full restore tests every quarter
- Keep at least one backup immutable (object-lock or tape)
5. “We ran training in 2022…”
Why it matters:
95% of breaches come down to human error (World Economic Forum). Clicking dodgy links isn’t a tech issue. It’s a people issue.
Quick fixes:
- Monthly micro-training beats once-a-year workshops
- Use simulated phishing to reward the catchers, not shame the clickers
- Teach, don’t shame
- Create a positive security culture
6. Out-of-date incident plans
Why it matters:
28% of businesses know their incident response (IR) plan is stale. If things go wrong, who grabs the wheel?
Quick fixes:
- Create a one-pager: who to call, how to isolate devices, which lawyer to ring
- Save a printed copy and a secure cloud version
7. “Just give Bob admin, it’s easier”
Why it matters:
80% of successful attacks abuse admin or elevated access (CyberArk). Oversharing access is a hacker’s dream.
Quick fixes:
- Only give people access to what they actually need. Fewer privileges = fewer risks
- Review who has access every few months. Keep an eye out for privilege creep
- Protect key tools with MFA. Add it to tools like finance and CRM; they’re prime targets
8. Unknown apps and risky suppliers
Why it matters:
Only 11% of UK businesses check their suppliers’ cyber hygiene (IASME). If your app or vendor goes rogue, it’s your mess to clean up.
Quick fixes:
- Keep a live list of devices, software, and cloud tools
- Ask new suppliers for Cyber Essentials
- Let staff request new tools so they don’t sneak in shadow IT
9. Skipping Cyber Essentials basics
Why it matters:
Fewer than 1% of UK businesses are Cyber Essentials certified (CyberTec). But the framework covers most common threats.
Quick fixes:
- Use the free readiness tool to see where you stand
- Even without certification, follow the five key controls
- Review and refresh every 12 months. Cyber threats don’t sit still
Want help closing the gaps?
At Cloud & More, we’re obsessed with keeping your business protected without the jargon, drama, or downtime. Whether you’re due a password tidy-up or ready for full cyber security training, we’ll help you tick off your to-do list one smart fix at a time.
✅ Key takeaways
- Most threats target the basics: passwords, patches, backups
- Human error is the biggest risk, and easiest to fix with training
- Your suppliers and devices can be entry points too
- A few tweaks can slash your risk and boost peace of mind
How cyber resilient is your business?
Take our 2-minute cyber resilience assessment to find out how prepared your business or organisation really is.
Not sure how secure your business really is?
Let’s take a look. Book your free cyber security check and get practical, jargon-free advice from a team that genuinely care.