
Five Cyber Security Wins Any North Wales SMB Can Action This Week

New government data shows 43% of UK businesses were hit by a cyber attack last year. The good news: most gaps are fixable this week, for free.

By The Dragon Digital team

The Cyber Security Breaches Survey 2025/2026, published by the UK government in April 2026, found that 43% of businesses experienced a breach or attack in the past year. That’s roughly 612,000 organisations. But buried in the same data is something more useful: most of the damage traces back to a handful of preventable gaps. None of the five below require budget. All of them are completable this week.

1. Switch on multi-factor authentication

Phishing caused 69% of the most disruptive breaches in the survey. When phishing works, the attacker gets a username and password. That’s it. Without MFA (a second check, like a code sent to your phone), that’s enough to get into your email, files, and banking. With MFA switched on, a stolen password goes nowhere.

If you use Microsoft 365 or Google Workspace, you already have it. It just needs turning on. Start with anyone who accesses email, payroll, banking, or customer data. Then roll it out to everyone else. Budget around 30 minutes for setup and five minutes per person to get enrolled. As phishing attacks get harder to spot, MFA is the single most effective thing standing between your accounts and someone who’s just tricked a member of staff.

2. Ask your broker what you actually have

Twenty-two percent of business leaders didn’t know whether they had cyber cover at all. That’s a problem, because most cyber insurance policies have conditions: specific controls you must have in place for a claim to be valid. MFA, regular backups, staff training, keeping software up to date. If you don’t know the conditions, you can’t know whether you’re meeting them. A denied claim is a disaster on top of a disaster.

Send your broker one email today: Do we have cyber cover? What does it cover? What must we have in place? File the answer somewhere shared.

3. Write a one-page breach contact list

Only 25% of small businesses have any kind of incident response plan. When something goes wrong, the first hour matters most. If nobody knows who can reset accounts, where the backups are, or how to reach the ICO (the UK’s data-protection regulator), the response turns chaotic fast.

A one-page list covering your IT provider, insurance broker, bank fraud line, ICO contact details, and backup locations takes about 45 minutes to put together. Print it and keep it somewhere physical, somewhere that doesn’t rely on the systems that might be down. A laminated sheet in a drawer beats a document on a compromised machine every time.

4. Set three basic rules for AI tools

Thirty-one percent of UK businesses are now using or considering AI tools. Of those, only 24% have any rules in place. That means staff are pasting customer names, contract terms, and financial figures into public AI tools with no clear guidance on where that information ends up.

Three rules cover most of the risk: don’t paste customer personal data into AI tools without approval; don’t paste contracts or confidential documents into public AI; anything going to a client or regulator needs a human to sign it off first. Email it to the team, raise it at the next staff meeting, add it to your handbook.

5. Check in with your three biggest suppliers

Just 15% of small businesses formally review their suppliers’ security practices. But if your payroll provider, CRM, or email marketing platform gets breached, your customers don’t blame the supplier. They blame you.

Pick the three suppliers with the most access to your data and send each one five short questions: Do you have MFA enforced? Are you Cyber Essentials certified? How would you notify us of a breach? Who handles your data protection? You don’t need a formal framework. Three emails is a practical start.

The survey data makes the case clearly: if 53% of UK businesses lack MFA, 75% lack an incident response plan, and 85% don’t review their suppliers, ticking all five puts your business ahead of the large majority. For anyone responding to tenders or facing customer due diligence, being able to say “we’ve done these five things” is a stronger position than most small businesses are currently in.

For most of this, whoever looks after your IT should be able to help you get it sorted quickly. If you’re not sure where to start with MFA on Microsoft 365, ask them about it directly.
