Cyber Security for Small Businesses

Using Security as a Sales Tool

For most of us, when we think of Cyber Security our thoughts typically turn to high profile cases such as the Sony Pictures Entertainment hack and the Edward Snowden NSA leaks. Highly visible instances of valuable data being leaked.

But what does Cyber Security mean to the average small business? Judging by my conversations with many small business owners, there is a prevailing attitude that Cyber Security is a concern for governments, large corporations and banks — not small businesses. After all, don’t those committing cyber security crimes want to go after the big fish rather than the minnows?

Cyber Security for Small Businesses

Unfortunately for small businesses, that definitely isn’t the case. Rarely a week goes by recently without me speaking to an IT Solution Provider or Managed Service Provider (MSP) who shares with me that one of their clients who they provide outsourced IT for — typically a small business with fewer than 25 employees — has suffered a serious cyber security breach.

And I do mean serious.

We’re not talking a small interruption to business. The cases I’m hearing about typically involve the entire business’s IT infrastructure being taken off-line as both the business owner and their IT provider scramble to stem the damage and restore order — not to mention the post-breach audit to ascertain the scope of the data protection breaches that have potentially occurred.

According to PwC, a small business’s worst breach costs between £65,000 and £115,000 on average. For the average MSP, how many of your clients could afford that type of impact? Not many, I suspect.

The impact on MSPs

The impact of poor Cyber Security for Small Businesses is high for the small business client themselves, but it’s worth being aware of the impact on the MSP who is serving them too. At best it is highly stressful for those involved, but at worst I’ve seen it impact an MSP’s ability to deliver projects to other clients and have a knock-on effect that lasts for weeks and sometimes months as they throw all available resources at the Cyber Security breach.

So what can MSPs do to mitigate the risk to their clients’ businesses and in turn, their own business?

There are three broad areas in which MSPs can help their small business clients become more savvy with Cyber-Security — tools, policies and above all, education for their clients.

Train Employees

In the UK, Cyber Essentials is a new Government-backed and industry supported scheme to educate on Cyber Security for Small Businesses and guide small businesses in protecting themselves against cyber threats. If you’re a UK IT business and haven’t got involved — then you should.

But educating clients to the threat of Cyber Security for Small Businesses is an MSP’s role too. Share information with your clients through Direct Mail (a letter is often more effective than an email), newsletters, social media and importantly, in person.

Throw lunch’n’learns to demonstrate how to stay safe on-line. Nothing motivates people to give up their time and listen more than free Pizza during a lunch hour! Experience shows me that this is time well spent. As well as showing the client you care about their business wellbeing, these sessions actively reduce your own cost of support — the ROI on a Pizza, if you will.

Above that, reach out to your local Police force and offer your help as an IT Professional. I can tell you that Cyber Security is an issue that is landing on many a Chief Superintendent’s desk — and it’s an issue they want help from local businesses in tackling.


AntiVirus

AntiVirus software should be a product that sits in the background and silently protects client workstations while pro-actively alerting their IT supplier to any emerging issues.

Viruses are not the only threat any more — think viruses, rootkits, malware, phishing, web threats and much more.

Many MSPs inherit all manner of AntiVirus software from clients. As the IT provider, find a product that takes care of PCs and Macs, Servers and Workstations under one license structure, and which can be managed from a single web-based management console.

I’d also recommend a product that can automatically discover and deploy to new network computers as they are found, as well as be deployed remotely to machines that aren’t permanently within the office.

A quick look at AV-TEST – the Independent IT-Security Institute – shows Bitdefender Small Office Security, created by Bitdefender Antivirus, is the best performing corporate product. It’s a very competitive market.

Whichever AntiVirus product you choose, make sure to choose a product and stick with it across your clients, rather than leaving your clients to choose their own product.

Patch Management

Any MSP worth its salt should implement a Remote Monitoring and Management (RMM) product. Remote visibility of all of your clients’ infrastructure is an investment, not a cost, and is an essential Cyber Security for Small Businesses tool.

The current leader in the UK is MAXfocus. Whichever RMM you choose, you should invest time in configuring the vulnerability scanning and alerting, and in understanding how to deploy patches effectively.

Many MSPs I know shy away from these features, taking an “If it ain’t broke, don’t fix it” approach. Sadly, that approach is what leads to products not being patched in a timely fashion and vulnerabilities being exploited.

Spend the time now training up on how to use the patch management options in your preferred RMM tool. It is an investment in time that will reap rewards when you need to rapidly deploy a hotfix to a new vulnerability, or highlight a glaring vulnerability that your engineers may otherwise have missed.


Firewall

I’d be shocked to find any small business not protected by a hardware firewall nowadays, yet many have firewalls that are badly configured either through neglect or through overly complex configurations.

As an MSP, make sure you regularly audit the IP ports that are open on a Firewall and the users that are allowed VPN access. It’s easy to open a port to get around a short-term problem but then forget to close that port off again, or grant an external contractor VPN access but then forget to deactivate that account when the contractor’s work is done.

Standardise on a Firewall product that your staff are trained on and familiar with.

Schedule regular audits of your clients’ Firewalls. Back up router configurations regularly. Have certainty that the Firewall is protecting your client as it should.
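
One way to make that audit repeatable, as an added example that is not from the original post: record an expiry date and a business reason against every firewall exception and VPN account, then flag anything overdue. The data layout, field names, sample entries and the 90-day idle threshold are all assumptions made for illustration, not any firewall vendor's export format.

```python
"""Flag firewall exceptions and VPN accounts that have outlived their purpose."""
from datetime import date

# Constructed sample data for one hypothetical client (not a vendor format).
OPEN_PORTS = [
    {"port": 443, "proto": "tcp", "reason": "webmail", "expires": None},
    {"port": 3389, "proto": "tcp", "reason": "temp RDP for vendor fix",
     "expires": date(2015, 1, 31)},
    {"port": 8080, "proto": "tcp", "reason": "", "expires": None},
]
VPN_USERS = [
    {"user": "j.smith", "end_date": None, "last_login": date(2015, 3, 20)},
    {"user": "contractor1", "end_date": date(2015, 2, 14),
     "last_login": date(2015, 2, 13)},
    {"user": "old.temp", "end_date": None, "last_login": date(2014, 9, 1)},
]


def audit_ports(rules, today):
    """Return (port, finding) pairs for expired or undocumented open ports."""
    findings = []
    for rule in rules:
        label = f"{rule['port']}/{rule['proto']}"
        if rule["expires"] and rule["expires"] < today:
            findings.append((label, "temporary rule past its expiry date"))
        elif not rule["reason"]:
            findings.append((label, "no documented business reason"))
    return findings


def audit_vpn(users, today, max_idle_days=90):
    """Return (user, finding) pairs for ended engagements and idle accounts."""
    findings = []
    for user in users:
        if user["end_date"] and user["end_date"] < today:
            findings.append((user["user"], "engagement ended, account still enabled"))
        elif (today - user["last_login"]).days > max_idle_days:
            findings.append((user["user"], f"no login for over {max_idle_days} days"))
    return findings


if __name__ == "__main__":
    audit_day = date(2015, 3, 24)
    for item, why in audit_ports(OPEN_PORTS, audit_day) + audit_vpn(VPN_USERS, audit_day):
        print(f"REVIEW {item}: {why}")
```

The audit only works if the expiry date and reason are captured at the moment the port is opened or the account is created, so make both mandatory fields on the change ticket.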

Backup and Disaster Recovery

Like Cyber Security, most small businesses believe a disaster is something that happens to someone else.

For UK Small Businesses, the common sentiment I hear is that a disaster is an earthquake, flood or other natural disaster that doesn’t affect the British Isles. In reality a disaster affecting a small business is more likely to be something like a Cryptolocker virus that wipes out an entire business’s data unless a ransom is paid to a shady cyber criminal, or a disgruntled exiting employee deleting critical client files. These are the more mundane, but very real disasters that affect small businesses worldwide on a daily basis.

As an MSP, don’t tolerate clients who penny pinch with antiquated tape or rotated USB drive backup routines. Any human element such as swapping tapes or drives inevitably leads to failed backups when you need them the most.

Help your clients invest in an automated offsite backup and disaster recovery solution which will help them get back online as a business quickly and effectively when they need it. Educate your clients that the most valuable element of their business is not hardware, but data — and it should be protected.

Mobile Devices

As an MSP, does your business have a policy in place for Mobile Devices? You know, all those tablets, smartphones and laptops that your engineers access your client data on?

If you don’t have a mobile device policy in place, then implement one now. Lead by example, and then educate your clients as to why they need a mobile device policy in place too.

Mobile Device Management is a technical issue that strays dangerously close to HR territory for most small businesses. For instance, remote wipe a mobile device that not only contains business data but also a member of staff’s baby photos and guess how that move will be received by the member of staff affected?

While these issues might be difficult and not always about technology, they are an opportunity for MSPs to step beyond being seen as just the “IT guy” and position themselves as being a real business advisor to their small business clients.

Administrator Accounts

Do you help your clients limit authority to install software, or do you take short cuts when it’s quicker to elevate an end-user to administrator access to resolve some irritating 3rd party Line-of-Business App issue?

Limiting the administrative access your clients’ employees have is old-fashioned, for sure, but it remains a solid way to mitigate the risk of dodgy software being installed and causing untold grief.

Bonus points for not crumbling in the face of your client’s Managing Director who insists he needs Administrator access on his laptop, only to then complain that the Corporate network is mysteriously infected by a virus after his teenage son used his laptop to download the latest warez.

Strong Passwords

Some clients might complain, whinge, bitch and piss about the perceived irritation — but having a strong password policy, with complex strong passwords and password changes being regularly required — is important.

It’s not that difficult. Password managers such as LastPass should mean that your client never has to use the same password at multiple web sites or remember dozens of different complex passwords again.

Two-Factor Authentication is now the standard at cloud companies such as Google, Microsoft, Dropbox, Facebook, Evernote and others. If you and your clients have a Smartphone, they can use Two-Factor authentication easily.

Again, it’s all about educating the small business client. Demonstrate how easy it is to use strong passwords. Highlight the pitfalls to your small business clients in not doing so.


While most Small Businesses believe Cyber Security is a concern for governments, banks and large enterprises, the reality is that small businesses are being impacted every single day.

As an IT Solution Provider or Managed Service Provider (MSP), your job is to educate your clients about Cyber Security for Small Businesses and the risks of neglecting to protect themselves.

Because at the end of the day, when — not if — a cyber-security breach happens at your small business client, the impact will not only have a devastating effect on the small business, but your business too.

  • Richard Tubb, 2019-08-05 15:07:17

    Thanks, Arpita! Cybersecurity is crucial for *all* businesses, regardless of size. The criminals make no allowance for whether you are big or small!

  • Arpita Biswas, 2019-08-05 14:22:24

    Nice and very insightful post! Thanks for sharing Richard. Cyber Security is most crucial for small to large scale businesses, specifically when all businesses are going mobility and adapting mobility programs. Employees use company-owned devices or personal devices (BYOD) at work and access corporate data and information through open and vulnerable networks. Mobility Management Solutions are essentially required, which secures and allows management remotely.

  • Richard Tubb, 2015-04-28 15:01:40

    Aiden -- thanks for the feedback!

  • Aiden Smith, 2015-04-28 06:23:35

    Very well explained. I like your point where you have mentioned the backup and data recovery. Most of the people running small businesses do not give much importance to their data backup unless and until they face big trouble.

  • Richard Tubb, 2015-03-25 08:31:14

    Chris - thanks for the kind words. I know you and the team at Vermont work hard to keep your clients safe!

  • Richard Tubb, 2015-03-25 08:30:35

    James - thanks for the feedback. You're right, content filtering is an important piece of the puzzle in keeping clients safe. I'll check the comment box issue. Thanks for sharing with me.

  • Chris Ward, 2015-03-24 20:34:46

    Great post Richard. Exactly the right stuff we need to talk to clients about, and it's something they are generally bothered about. So there's an opportunity ...

  • James Kimbley, 2015-03-24 09:20:51

    Your blog post missed out the best and most effective way to control security and that is control of the DNS with tools such as Umbrella - which will successfully block Cryptolocker and similar ransomware. Remote wipe of mobile devices is not a problem anymore with cloud office services such as Google Apps. Business data is kept in its own sandbox and away from employees' personal data. P.S. The tab button does not work when filling in the comments boxes - hit tab and you get taken to filling in newsletter details.
