
The most common cybersecurity mistakes small and medium businesses make

Most small and medium businesses that suffer a cyber incident were not unlucky. They had one or more of the same seven gaps that attackers consistently exploit. This guide identifies each mistake, explains why it matters, and gives you the practical steps to close it.

Cyvra Team
Cybersecurity
19 May 2026
7 min read
Key takeaways
  • Security is a continuous process, not a project with an end date
  • Multi-factor authentication blocks the majority of credential-based attacks
  • Unpatched software is the most common attack vector across all business sizes
  • Most breaches involve human error; technical controls without training leave a gap
  • Attackers do not target businesses by size; they target whoever has the weakest controls
  • 43% of cyber attacks target small businesses, not just large enterprises
  • 80%+ of reported security incidents involve phishing as the initial entry point

1. Treating security as a one-time project

A common pattern in small business cybersecurity is the "project" mindset: a burst of activity, a set of tools installed, and then an assumption that the job is done. A firewall was configured two years ago. Antivirus is running. Passwords were changed after the last scare. These are useful steps at a fixed point in time. The environment around them changes constantly.

New vulnerabilities are discovered in software every week. New phishing techniques emerge as old ones are filtered by email gateways. The systems in your business change too: new staff join, new cloud services get added, old laptops are replaced without being properly decommissioned. Each of these changes can open a gap that did not exist when you last reviewed your security posture.

A defined review cycle handles this without a large team: a quarterly check of user accounts and access, a monthly confirmation that patches are being applied, and an annual review of your overall controls. Businesses that run these rhythms consistently outperform those that invest heavily once and then step back.

2. Relying on passwords alone

Passwords can be stolen, guessed, reused, and leaked without the account owner ever knowing. Credential dumps from unrelated breaches circulate online, and automated tools test stolen username and password combinations against business email platforms, cloud storage, and remote access systems within minutes of a dump being posted.

Multi-factor authentication (MFA) changes the equation entirely. Even when the attacker holds the correct password, they cannot proceed without also controlling the second factor, which is typically a phone or hardware token. Microsoft's own research has consistently found that MFA blocks over 99% of automated credential attacks. The technology is mature, free or very low cost on most major platforms, and takes less than an hour to enable across a small business environment.

Start with email accounts: email is the master key for most other services via password reset links. Remote access tools (VPNs, Remote Desktop), cloud file storage, and any financial or payroll platform should follow. The technical implementation is straightforward; the harder part is enforcing it for all accounts, including those belonging to senior staff who receive the most targeted attacks.

3. Ignoring software and firmware updates

Unpatched software is the single most exploited category of vulnerability in cyber incidents affecting businesses of all sizes. When a security patch is released, it comes with a description of what it fixes. That description is read by defenders and attackers alike. Attackers then scan for systems that have not yet applied the fix and exploit them at scale. The window between a patch being released and active exploitation being observed is now measured in days, sometimes hours.

Many SMEs run software that is months or years behind on updates. Updates take time, sometimes break things, and there is rarely anyone whose explicit job covers patching. Deferring them opens a progressively wider exposure to known vulnerabilities for which working exploits are publicly available.

Firmware updates are often overlooked entirely. The software running on your router, your managed switches, and your firewall hardware receives security updates just as operating systems do. A router running firmware from 2021 almost certainly contains vulnerabilities that have since been disclosed and exploited. Checking your network hardware for firmware updates once per quarter, alongside your software patching, closes a category of exposure that most small businesses have never addressed.

4. Giving everyone administrator access

Important: Giving all staff administrator rights means a single compromised account gives an attacker full access to everything on that machine and potentially the broader network. Ransomware relies on this: it runs with whatever permissions the logged-in user has. If that user is an administrator, the ransomware can encrypt the entire system and spread to network shares. If the user has standard permissions, the damage is significantly contained.

Administrator access allows software to be installed, system settings to be changed, and security controls to be modified. In a small business where everyone uses their own laptop and installs software freely, it feels like granting administrator rights is the path of least resistance. In practice, it means every piece of malware that runs on any machine in your business inherits the same level of access as if you had handed it the keys yourself.

The principle of least privilege is the correct approach: each account should have only the access it needs to do the job it is used for. Standard user accounts for day-to-day work, and a separate administrator account used only when elevated permissions are genuinely required. Most business software runs perfectly well under standard user permissions. The software that insists on administrator rights should prompt a question about whether it is actually needed.

Implementing this does not require complex infrastructure. In a Windows environment, creating standard user accounts and a separate local or domain administrator account takes under an hour. The reduction in blast radius when a staff member's account is compromised is immediate and substantial.

5. Having backups but never testing them

Almost every business that has been through a ransomware incident will tell you they had backups. The follow-up question is always the same: had they ever tested whether those backups actually restored successfully? In the majority of cases, the answer is no. Backup software runs quietly in the background, logs report completion, and no one checks whether the restored data is actually usable until a real recovery is needed.

Backup failures are more common than most people assume. Files backed up while they were open by another process are often corrupted in the backup. Cloud backup configurations that were set up once and never reviewed often exclude new folders, new drives, or new systems added since the initial setup. Backup media that was working fine twelve months ago may have failed silently without anyone noticing, because nobody tried to read from it.

The test to run is straightforward: pick a random selection of files from your backup, restore them to a test location, and confirm they open correctly. For a server or critical system, take this further and verify that a full system restore can actually bring the machine back to a working state. This exercise should be done at least quarterly. Documenting the result creates a record of due diligence that matters for insurance claims and, where relevant, regulatory purposes. The point of a backup is not the act of creating it. It is the ability to recover from it.

A backup you have never tested is a backup you do not actually have. Recovery is the only thing that matters, and recovery only gets tested when you deliberately test it.
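The restore test described above, as an added example (not part of the original guide): it restores a random sample from the backup to a test location, checks each restored file is byte-identical to the live copy, and also reports files the backup job never covered. It assumes a plain file-copy backup whose tree mirrors the live source and that the sampled files still exist in the source; the sample data is constructed in temporary directories.

```python
"""Restore-test a sample of backed-up files (added example; assumes a plain
file-copy backup where the backup tree mirrors the live source tree)."""
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_test(source: Path, backup: Path, restore_to: Path,
                 sample_size: int, seed: int = 0) -> dict:
    """Restore a random sample and check each file is byte-identical to the live copy."""
    files = sorted(p.relative_to(backup) for p in backup.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    result = {"tested": 0, "ok": 0, "corrupt": [], "missing_from_backup": []}
    for rel in sample:
        restored = restore_to / rel
        restored.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, restored)  # the actual restore step
        result["tested"] += 1
        if digest(restored) == digest(source / rel):
            result["ok"] += 1
        else:
            result["corrupt"].append(rel.as_posix())
    # A folder or drive added after the backup job was set up is a silent gap.
    for p in source.rglob("*"):
        if p.is_file() and not (backup / p.relative_to(source)).exists():
            result["missing_from_backup"].append(p.relative_to(source).as_posix())
    return result


def demo() -> dict:
    """Constructed scenario: one corrupt backup copy, one file never backed up."""
    root = Path(tempfile.mkdtemp())
    src, bak, rst = root / "live", root / "backup", root / "restore-test"
    for name in ("accounts/ledger.csv", "docs/contract.pdf", "docs/notes.txt"):
        (src / name).parent.mkdir(parents=True, exist_ok=True)
        (src / name).write_bytes(f"content of {name}".encode())
    shutil.copytree(src, bak)
    (bak / "docs/contract.pdf").write_bytes(b"\x00" * 8)  # simulate corruption
    (src / "new-drive").mkdir()
    (src / "new-drive/added-later.xlsx").write_bytes(b"never backed up")
    try:
        return restore_test(src, bak, rst, sample_size=10)
    finally:
        shutil.rmtree(root)
```

The returned counts are the record worth filing after each quarterly test; a non-empty `corrupt` or `missing_from_backup` list is the finding that would otherwise only surface during a real recovery.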

6. Not training staff to recognise phishing

Phishing accounts for more than 80% of reported security incidents. The technique works because it targets people rather than systems. A well-crafted phishing email does not need to exploit a software vulnerability. It needs a staff member to click a link, open an attachment, or enter their credentials into a convincing fake login page. Technical defences filter out a large proportion of phishing attempts, but they do not catch everything, and the emails that make it through tend to be the most convincing ones.

Training is not a one-off event. A single annual session delivers some awareness, but it fades quickly. The most effective approach combines short, regular training with simulated phishing exercises: sending staff members test phishing emails and tracking who clicks. This is not about catching people out. It is about making the recognition of phishing cues into a reflex rather than a deliberate mental exercise. Staff who have clicked on a test phishing email once are significantly more vigilant afterwards than staff who have only attended a presentation about why they should not click.

The practical elements to cover in any phishing training are: how to inspect a sender's actual email address rather than just the display name, the signs of urgency and pressure tactics in phishing messages, how to verify a request by a different channel rather than replying to the email, and what to do when they suspect they have clicked something they should not have. That last point is critical. Staff who are afraid to report a mistake because they worry about consequences will stay silent, and a silent breach is a much more damaging one.
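The sender-address and pressure-wording cues listed above, turned into a checker as an added example (not from the original guide): it compares the display name against the real address, checks where a reply would actually go, and flags urgency wording. The staff directory, domain names and sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed assumptions for this example: the colleagues attackers most often
# impersonate (directors, finance staff) and the addresses they really use.
KNOWN_STAFF = {"jane doe": "jane.doe@example-ltd.co.uk"}
URGENCY_CUES = ("urgent", "immediately", "today", "suspended", "overdue")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def inspect_headers(headers: dict) -> list:
    """Return plain-language warnings for staff; an empty list means no cue fired."""
    warnings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    # Cue 1: display name is a known colleague, but the real address is not theirs.
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        warnings.append(f"'{name}' normally writes from {expected}, this came from {addr}")
    # Cue 2: the display name itself shows an address on a different domain,
    # e.g. "jane.doe@example-ltd.co.uk <random@freemail.example>".
    if "@" in name and domain_of(name) != from_domain:
        warnings.append(f"Display name shows {domain_of(name)} but mail is from {from_domain}")
    # Cue 3: a reply would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append(f"Reply-To goes to {reply_to}, not the sender's domain")
    # Cue 4: pressure wording in the subject line.
    hits = [c for c in URGENCY_CUES if c in headers.get("Subject", "").lower()]
    if hits:
        warnings.append("Subject uses pressure wording: " + ", ".join(hits))
    if warnings:
        warnings.append("Verify by phone or in person before acting; do not reply to this email")
    return warnings


# Constructed sample messages: one impersonation attempt, one genuine internal mail.
SUSPICIOUS = {
    "From": "Jane Doe <jane.doe.ceo@freemail.example>",
    "Reply-To": "payments@invoice-portal.example",
    "Subject": "URGENT: supplier payment must go out today",
}
GENUINE = {"From": "Jane Doe <jane.doe@example-ltd.co.uk>", "Subject": "Q3 planning notes"}
```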

7. Assuming your size makes you an unlikely target

The belief that attackers focus on large enterprises is one of the most persistent and most dangerous misconceptions in small business cybersecurity. It is based on a misunderstanding of how most cyber attacks actually work. Large, targeted attacks against specific organisations do exist, but they represent a small proportion of total incidents. The majority of attacks affecting small businesses are opportunistic: automated tools scan IP ranges for exposed services, test common credentials against login pages, and send phishing campaigns to harvested email lists at massive scale. These tools do not check company size before proceeding.

The realistic picture is that a small business with weak controls is not less likely to be targeted than a large business with strong controls. It is considerably more likely to suffer an incident, because its weaknesses are easier to exploit and its detection capabilities are lower. Attackers operating at scale take the path of least resistance. A poorly secured small business is often that path.

There is also a secondary targeting logic that affects many SMEs specifically. Small businesses often act as suppliers, contractors, or technology partners for larger organisations. Attackers who want access to a large target's systems will sometimes compromise a smaller supplier first, then use that foothold to reach the primary target. This supply chain attack pattern means the risk to a small business is not just about protecting its own data. It includes the risk of being used as a bridge into a much larger breach, with all the reputational and contractual consequences that follow.


Turning awareness into action

Reading a list of common mistakes is useful. Doing something about them before an incident forces your hand is what separates businesses that recover quickly from those that do not. The seven areas above are listed in rough order of how commonly they appear in post-incident reviews, but all of them are worth addressing regardless of where you think you stand.

A practical starting point is a self-assessment against these seven areas. For each one, ask whether you have a documented practice in place and whether that practice is being followed consistently today, not just in theory. Gaps between policy and reality are where incidents happen. If you find several gaps and are unsure where to start, MFA on email and cloud accounts is the single control that will deliver the most immediate risk reduction for the least effort and cost.

  • Enable MFA on email first. Email is the master key for most other services. This takes less than an hour to configure and immediately blocks the majority of automated credential attacks.
  • Apply outstanding security patches this week. Check your operating systems, your business software, and your router or firewall firmware. Set a monthly calendar reminder to repeat this check.
  • Review who has administrator rights. Remove them from any account that does not genuinely need them for day-to-day work. Create a separate admin account used only when elevated access is required.
  • Test your backups. Restore a sample of files today and confirm they open correctly. Schedule a quarterly reminder to repeat this test and document the result.
  • Run a phishing awareness session for all staff. Cover how to spot a suspicious email, how to verify a request through a different channel, and crucially, how to report a click without fear of blame.

None of these steps requires a large budget or specialist infrastructure. They require time and consistency. Businesses that apply them reduce their exposure to the majority of the threats that affect SMEs today. The ones that do not are not protected by their size.

The NCSC publishes a practical cybersecurity baseline for small and medium businesses, covering the same foundational controls described in this guide. ENISA's cybersecurity best practice resources provide additional implementation detail for organisations building out their security programme.

Frequently asked questions

How do I know if my business has been breached?

Many breaches go undetected for weeks or months. Common indicators include unexpected password reset requests, accounts locked without explanation, unusual login activity from unfamiliar locations or times, slower network performance without a clear technical reason, and files that appear encrypted or renamed. Your staff may also report receiving responses to emails they never sent, which suggests an account has been compromised and used to send phishing messages. If you suspect a breach, isolate the affected systems, preserve logs before anything is overwritten, and contact a cybersecurity professional immediately. Do not attempt to clean up the environment before evidence has been collected.

What is the minimum cybersecurity baseline a small business should have?

A practical minimum baseline for a small business includes: multi-factor authentication on all accounts, especially email, cloud services, and any system accessible from outside the office; a patching routine that applies security updates within two weeks of release; offsite or cloud-based backups tested at least quarterly; an admin account structure that separates day-to-day user accounts from privileged administrator accounts; and at least one phishing awareness session per year for all staff. Beyond these five controls, a basic firewall configuration review and an inventory of which software and services you actually use will close a significant proportion of the gaps that attackers routinely exploit.

Is cyber insurance enough without security controls in place?

No. Cyber insurance is a financial recovery tool, not a prevention or detection tool. More importantly, most cyber insurance policies include security control requirements as part of the underwriting process. If a claim is submitted and the insurer's investigation reveals that basic controls were not in place at the time of the incident, the claim can be denied or significantly reduced. Policies commonly require MFA on email and remote access, regular backups, and up-to-date software as minimum conditions of coverage. Purchasing insurance without implementing the controls it assumes you have creates a false sense of security and may leave you without the payout you expected when you need it most.


Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content. Readers should seek independent advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.