Basic data security for small businesses
Most security breaches at small businesses come from simple things, not advanced attacks. Here are the habits that cover most of the risk, jargon-free.
By Mediseo

Data security sounds like something that needs its own department and a big budget. For a small business, most of it comes down to a few habits. They aren't hard — they just tend to be forgotten.
The key insight first
The vast majority of security breaches at small businesses don't happen through advanced hacking. They happen because a password was weak, because someone clicked a fake email, or because an old account was left open. In other words: the attacks target people, not machines.
That's good news. It means the most effective measures are within anyone's reach — you don't need to be technical to take them.
Passwords you can actually rely on
A good password is long and used in only one place. That's the whole secret. A long password is hard to guess, and when it's used in only one place, everything else stays safe if it leaks.
- Length beats complexity. A long phrase is safer and easier to remember than a short tangle of characters.
- Reuse is the big trap. Use the same password everywhere and one leaked password opens every door.
- A password manager makes this painless. It creates and remembers unique passwords for you, so you don't have to.
This one move — unique passwords, ideally through a password manager — removes a large share of the risk on its own.
Two-factor: the simplest strong measure
Two-factor authentication means logging in requires the password and a one-time code, usually from your phone. Even if the password leaks, nobody gets in without your phone too.
Switch it on everywhere it's offered — email, website admin, your bank, cloud services. It takes a couple of minutes to set up and is perhaps the single most effective thing you can do.
Access: give people only what they need
A common, overlooked risk is old accounts and access that's too broad.
- Give each person their own account. Shared logins make it impossible to see who did what, and hard to shut out one individual.
- Grant only the access the job requires. Not everyone needs to be an administrator.
- Remove access when someone leaves. An open account belonging to a former employee or supplier is a door left ajar.
Think of it like keys to premises: you don't hand everyone the master key, and you ask for the key back when someone leaves.
Fake emails: spot the attempt
Phishing is fake emails or messages that trick you into giving up a password or clicking something harmful. It's the most common route into trouble, precisely because it targets people.
The signs recur:
- Unexpected urgency — "your account will be closed today".
- A sender address that's almost, but not quite, right.
- A link asking you to log in somewhere you didn't ask to visit.
The best line of defence is that you and your staff know what a fake email looks like. If in doubt, don't click — go to the service directly in your browser instead.
Backups: the net beneath you
Even with everything in place, something can go wrong — an accident, a mistake, an infected file. A recent backup is the difference between a bad day and a disaster.
Check that copies are taken automatically, that they're stored somewhere other than the original, and that you actually know how to restore them. A backup you've never tested is just a hope.
How much should a small business worry?
A sensible amount. You don't need a security department, and most small businesses aren't a chosen target. But the basics should be in place: unique passwords, two-factor, tidy access, a dose of healthy scepticism towards email, and backups.
What we tend to remind businesses is that security isn't one big project, but a handful of small habits. Get them in place once and keep them up, and you're safer than most — without it eating into your time.
Frequently asked questions
Is a small business really a target for attacks?
Rarely a chosen target, but often a random one. Much of what hits small businesses is automated and catches anyone with a weakness — a reused password, an old open account. The basics cover exactly this.
Do I need to pay for a password manager?
Not necessarily. There are good free versions that cover a small business's needs perfectly well. The important thing is that you actually use one, so you stop reusing passwords.
What do I do if an employee has clicked a suspicious link?
Change the password on the affected accounts straight away, and switch on two-factor if it isn't on already. Keep an eye out for unusual activity afterwards. A quick response usually limits the damage.
This is general guidance, not a full security review. If you handle sensitive information, a more thorough assessment can be worth the time.