May 22, 2026

7 Ways to Protect Your Commercial Data from Cyber Threats


Commercial data is the absolute lifeblood of any UK business and protecting it requires a very specific combination of actions. You must build a security-first culture, enforce multi-factor authentication, restrict user access, patch software relentlessly, encrypt sensitive files, secure remote connections and maintain tested offline backups. That is the short answer if you want the facts immediately.

But reading a list is the easy part. Actually implementing these safeguards takes patience.

I have spent years working around corporate IT. I can tell you that basic antivirus software stopped being enough a long time ago. Cyber criminals are highly organised. They are constantly looking for the easiest way into your network. We need to make it much harder for them to succeed. The UK Government Cyber Security Breaches Survey reports that 50 percent of UK businesses identified a cyber attack in the last twelve months. That figure rises to 91 percent for large businesses. The average annual cost of cyber crime for medium and large UK businesses is a staggering £330,000 when considering all related incidents.

We cannot afford to ignore this.

Build a Security-First Culture

Technology alone cannot stop every threat. Human error remains a massive factor in data breaches. Around 68 percent of breaches involve a human element like falling for a phishing email or reusing a terrible password. People are naturally trusting and attackers exploit that trait ruthlessly.

I think people assume cyber security is purely an IT problem. It really is not. The UK Government found that only 20 percent of businesses provide staff with regular training. It baffles me.

That number is shockingly low.

I remember working at a mid-sized firm a few years back where a senior manager clicked a link in what looked like a standard invoice email. It was a classic business email compromise scam. The panic that followed was entirely avoidable if we had just run basic awareness sessions. Run regular training sessions to help your staff recognise unsafe file sharing and phishing tactics. Criminals increasingly use generative AI to craft more convincing phishing emails. People are your strongest defence when they actually know what to look out for.

Implement Multi-Factor Authentication

Weak passwords are an absolute gift to hackers. Research from the National Cyber Security Centre shows that people are still using passwords like 123456 and qwerty. We have to do better than that. Turn on multi-factor authentication for all email accounts and financial systems. Microsoft reckons that MFA can block over 99 percent of automated account compromise attacks provided it is implemented correctly.

So why do so many companies resist it?

Often it comes down to convenience. Staff complain about having to use their phones to log in. I get it. It adds an extra ten seconds to your morning routine. But the alternative is a massive data breach that could cripple your operations for weeks. The NCSC recommends turning on MFA wherever possible because password reuse is widespread.

Encourage the use of a password manager across your organisation. Tools like 1Password make handling complex logins much less frustrating for everyday users. They generate strong passwords and store them securely.

Apply the Principle of Least Privilege

Not every employee needs access to your entire database. It sounds obvious but you would be amazed how many companies give standard users full administrative rights just to accommodate a specific software quirk. This is incredibly dangerous.

Implement role-based access control. Staff should only view the data required for their specific jobs. This limits the blast radius if an account gets compromised. IBM lists compromised and over-privileged accounts as a common contributor to breach costs. Organisations with a mature identity and access management programme saw breach costs around 1.5 million US dollars lower than those without.

I strongly suggest you regularly review these permissions.

If someone leaves the company you must immediately revoke their access. Over-privileged accounts are a massive security risk. Keeping a tight grip on who can see what is just good governance. UK organisations are increasingly adopting data classification schemes to label information according to sensitivity. This supports proportionate controls for highly confidential data.

Keep Systems and Software Patched

Many successful attacks exploit known vulnerabilities in outdated software. The NCSC repeatedly stresses that unpatched software is one of the main methods of compromise, especially for ransomware. It is incredibly tedious work. Nobody likes seeing that software update notification pop up right in the middle of a busy Tuesday.

Over 50 percent of vulnerabilities exploited in ransomware attacks are more than two years old. That means these breaches were entirely preventable with better patching discipline.

Enable automatic updates for operating systems and web browsers. Ensure end-of-life systems are replaced promptly because they no longer receive security updates. The US Cybersecurity and Infrastructure Security Agency notes that timely patching is one of the most efficient steps an organisation can take to minimise exposure.

You need a proper software inventory so you actually know what needs patching.

Encrypt Sensitive Information

If devices are lost or networks are breached then encryption ensures your data remains unreadable to unauthorised users. The ICO highlights encryption as a key safeguard under the UK GDPR. If stolen data is encrypted and the key is not compromised, an incident may not be reportable as a personal data breach.

Enable full disk encryption on all company laptops. It is a standard feature on Windows and Mac devices now so there is no excuse not to use it.

You should also ensure your website and remote connections use secure encrypted protocols. The NCSC advises encrypting data at rest on laptops and mobile devices and ensuring data in transit uses modern cryptographic protocols like TLS 1.2 or later.

According to the Ponemon Institute, organisations that use extensive encryption can expect breach costs to be lower by several hundred thousand dollars. That definitely reduces your regulatory exposure and saves you a massive headache.

Secure Your Remote Access

Hybrid work is completely normal now. But securing remote connections is still a struggle for many businesses. Insecure remote access is a major attack vector. People use unencrypted Wi-Fi at coffee shops or access corporate files on unmanaged personal devices.

A report from Check Point found that 80 percent of organisations experienced at least one security incident related to remote work since 2020. These are often related to remote desktop protocol exposure or misconfigured VPNs.

Use a virtual private network for staff accessing company files from outside the office. Ensure the VPN is fully patched and configured with strong authentication. Exposed remote desktop services are heavily targeted by attackers in the real world.

Enforce strict mobile device management policies if employees use personal phones for work. You need the ability to wipe company data remotely if a device is stolen or lost on a train.

Maintain Reliable Backups

Even with strong defences in place incidents can still occur. Ransomware is still the most acute cyber threat to UK organisations. Criminal groups increasingly target SMEs and supply chains. They steal data before encrypting systems then threaten to publish it if a ransom is not paid.

Perform daily automated backups of all critical data. Store them securely offsite. The 3-2-1 rule is often recommended by experts: keep three copies of your data on two different media, with one copy offline or offsite.

For many growing organisations, partnering with a specialist in IT Support London is a highly effective way to ensure backup systems are robust and ready to deploy at a moment's notice.

You need to test those backups. A staggering 34 percent of organisations hit by ransomware found their backups were not sufficiently protected or recoverable. Having tested offline backups means you can recover faster and you are far less likely to pay a ransom. Victims with recoverable backups were able to reduce their average recovery costs by more than half.

Final Thoughts

Protecting commercial data is an ongoing process. It requires constant attention and a willingness to adapt as threats change. I know it feels like a lot of work. Especially when you just want to focus on running your business and keeping your clients happy.

But taking these steps seriously protects your reputation.

Start with the basics like MFA and staff training. Then work your way through the more technical controls like network segmentation and encryption. Cyber insurance requirements are getting stricter anyway so you will likely need to implement these policies eventually just to get coverage.

It is far better to be proactive and secure your systems now. Your future self will be very glad you did.

Britain Magazine
