8 Biggest Cyber Security Mistakes SMBs Make & How To Fix Them

Technology is essential to the operation of every business, but it also brings a considerable amount of risk. Cyberattacks are increasing in frequency and severity, and SMBs are bearing much of that increase.

As a provider of Cloud Solutions and Managed IT Services, we have helped hundreds of businesses stay secure, productive and agile. We also know that when it comes to cyber security, the majority of SMBs tend to fall victim to the same pitfalls.

With that being said, below are the 8 biggest cybersecurity mistakes SMBs make and how to fix them.

Cyber Security Mistake #1: Thinking only big companies get hacked.

Many small businesses fall into the trap of assuming they won’t be attacked. Why would a cyber criminal choose a small company over a huge corporation? Because SMBs are easy prey. Much attack activity is automated: scanning for unpatched systems, password guessing and mass phishing hit every exposed mailbox and server regardless of the size of the organisation behind it, and smaller businesses often lack the security measures that would stop them. From a cyber criminal’s perspective, attacking them is easy work.

This is why SMBs are three times more likely to be targeted by cybercriminals than larger companies. In addition, more than half (54%) of UK SMEs had experienced some form of cyberattack in 2022.


Once you accept that it’s not ‘if’ you get attacked but ‘when’, the priorities are clear: SMBs need security measures that reduce the chance of an attack succeeding, and a recovery plan they have tested, so that when an attack does land they know they can get back up.

As an absolute minimum, every organisation needs reputable endpoint protection (antivirus) on every device, multi-factor authentication on every account, and backups that are stored separately from the systems they protect and have been proven by actually restoring from them. A backup you have never restored from is an assumption, not a safeguard.

For some tips on how best to prevent cyber attacks check out our blog:

Cyber Security Mistake #2: Thinking the Cloud is backed up

If you don’t already know, the Cloud is not invincible! Many people assume that Cloud data (your Microsoft 365 data, for example) is automatically safe and backed up, but this simply isn’t true. Microsoft replicates your data so that a failure in their datacentre doesn’t lose it; that protects against their hardware failing, not against something going wrong on your side, such as a deleted mailbox, a compromised account or ransomware encrypting files that then sync to OneDrive. A backup solution gives you a separate second copy of your data, held outside the tenant, that you can recover from if something happens to the original. Whether the original lives on a desktop, on a physical server in your office or in a Cloud datacentre, it still needs that separate copy to be properly protected.

You don’t need to just take our word for it – Microsoft explicitly state in section 6b of their Ts and Cs that they “recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services”.

Microsoft 365 does keep deleted items for a while, but the windows are short and vary by service: the SharePoint and OneDrive recycle bins keep deleted files for 93 days, and Exchange Online keeps hard-deleted mail for only 14 days by default (30 at most) unless you configure retention policies. The problem is accidental deletions. How long ago did you delete that important file or folder? Often you only notice when you need it, and by then the retention window may already have closed.


Backing up Microsoft 365 ensures that if you lose data, through a cyber attack, accidental deletion or any other cause, you have an unaffected copy ready to restore so that you can continue to operate with minimal downtime and disruption. Check the restore, not just the backup job: run a test restore of a mailbox or a SharePoint library periodically so you know how long recovery actually takes.

Cyber Security Mistake #3: Not keeping your computers updated

Let’s be honest, it’s easy to ignore the software updates on your computer, but they are an important part of your cyber security strategy. Updates ‘patch’ security vulnerabilities in the operating system and applications. Once a patch is published, the vulnerability it fixes is public knowledge and attackers routinely begin exploiting it within days, so every unpatched device is an open entry point for as long as the update sits uninstalled. Updates also keep everything working efficiently and bring the latest features.


Make sure all your devices install updates when prompted, and don’t rely on prompts alone. A Remote Endpoint Management tool lets your IT team see which devices are missing updates and push them out remotely, on a schedule, with a deadline after which the device restarts itself. It shifts responsibility for patching from your end users, who may keep clicking ‘remind me later’, to your IT team, and gives you a report showing whether the whole estate is actually patched.
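The check an IT team wants for this mistake is simple: which updates is this device still missing, and when did it last successfully install one? The following is an added example, not code from the article; it uses the Windows Update Agent COM API that is built into every Windows device, so no extra modules are needed. Run it from an elevated PowerShell prompt on the device. The 30-day threshold is an assumption standing in for your own patching policy; an endpoint management tool collects the same information from every device in the estate for you.

```powershell
# Added example (not from the original article): audit a Windows device for
# updates that are available but not yet installed, and report how long it has
# been since an update last installed successfully. Uses the built-in Windows
# Update Agent COM API; run elevated on the device itself.

function Get-PendingUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0 -> not yet applied; IsHidden=0 -> not deliberately hidden by an admin
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
        [pscustomobject]@{
            Title          = $update.Title
            Severity       = $severity
            KB             = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
            CVEs           = ($update.CveIDs | ForEach-Object { $_ }) -join ', '
            Released       = $update.LastDeploymentChangeTime
            RebootRequired = $update.RebootRequired
        }
    }
}

function Get-LastSuccessfulInstall {
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return $null }
    # Windows Update Agent constants: Operation 1 = installation, ResultCode 2 = succeeded
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending |
        Select-Object -First 1 -ExpandProperty Date
}

function Get-PatchStatusSummary {
    # Assumption: 30 days without a successful install is the point at which this
    # device needs attention. Replace with your own policy threshold.
    param([int]$MaxDaysSinceInstall = 30)

    $pending   = @(Get-PendingUpdates)
    $lastDate  = Get-LastSuccessfulInstall
    $daysSince = if ($lastDate) { [int]((Get-Date) - $lastDate).TotalDays } else { $null }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        PendingUpdates       = $pending.Count
        PendingHighSeverity  = @($pending | Where-Object { $_.Severity -in @('Critical', 'Important') }).Count
        DaysSinceLastInstall = $daysSince
        NeedsAttention       = ($pending.Count -gt 0) -or ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceInstall)
    }
}

# One-line verdict for this device, then the detail of what is missing.
Get-PatchStatusSummary | Format-List
Get-PendingUpdates | Sort-Object Severity | Format-Table Title, Severity, KB, CVEs, RebootRequired -AutoSize
```

The CVE column is the useful one when deciding what to push first: an update that closes a publicly known vulnerability on an internet-facing laptop matters more than a feature update. A device that reports no pending updates but no successful install for months is also a red flag; it usually means Windows Update is broken or blocked rather than that the device is up to date.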

Cyber Security Mistake #4: Accessing company data on personal devices that aren’t secure

Remote and multi-device working is now the norm. However, we regularly see organisations that have great security for their office desktops but allow access to work apps and business data from home PCs, iPads and mobile phones that don’t have the same rigorous level of security applied. Allowing employees to access work apps and services on such devices is insecure and undermines the high level of security you’ve set up in the office; an attacker who compromises an unmanaged home PC gets the same access to your data as the employee who uses it.


As with mistake #3, an Endpoint Management tool is the answer, and it is essential for any business that allows remote and multi-device working. It enforces consistent security (disk encryption, screen lock, an up-to-date operating system, approved apps) on every device that touches company data, whether personally or business owned, and lets you remove company data from a lost device or a leaver’s phone without touching anything else on it. A good solution separates personal and work data, for example with a managed work profile on mobile, so the security measures aren’t intrusive to personal apps but still apply the necessary protection to keep your business safe.

Cyber Security Mistake #5: Under budgeting and under resourcing

Many organisations think that cyber security measures are an unnecessary expense… until they’re attacked.

The truth of the matter is that cyber attacks are devastating. The average annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim, and a widely quoted (if hard to verify) figure is that 60% of SMEs that suffer a cyberattack go out of business within six months.

Unfortunately, it often takes a cyber attack and its devastating consequences for a business to recognise the importance of cyber security measures, and to assign the budget and resource required to keep the business safe.


We know it’s easier said than done, but it’s important to recognise the value of cyber security before you’re attacked. Having an IT partner that is knowledgeable and trustworthy (like us!) will help you navigate this. They’ll educate you, act as your outsourced IT team or your in-house IT team’s sounding board, and will always operate with your best interests in mind so that you remain secure and operational.

Cyber Security Mistake #6: Assuming your employees all have the same knowledge as you

What may be obvious to you, might not be to somebody else. Perhaps you spot that someone’s email address isn’t quite right and recognise it as a phishing attempt. Or you can see the typos and poor grammar in that dodgy email and report it as spam. Or perhaps, you know that the likelihood of the CFO unexpectedly needing £20,000 transferring across accounts urgently is practically 0%. But another employee won’t.


User education and documentation about cyber security ensure that everyone in your organisation is on the same page, so there’s no guesswork. Just as important is an open company culture in which employees feel confident asking about and reporting potential threats: the first person to report a phishing email is what lets IT remove the same message from everyone else’s mailbox before anyone clicks, so nobody should fear looking foolish for raising a false alarm. Together, this ensures that employees know what to look out for, which tactics cyber criminals commonly employ, and what action to take when they spot something suspicious.

Cyber Security Mistake #7: Being too restrictive

Yes – there is such a thing as too restrictive! Although it’s done with the best intentions, we’ve seen security measures so restrictive that they affect everyone’s ability to work effectively. The result is a group of very frustrated employees who simply find workarounds to bypass the controls and make their lives easier, and those workarounds (personal email, unsanctioned file-sharing, shared passwords) won’t be secure.


You need to find the right balance between freedom and security for your organisation, which often means adding more security measures but sometimes means taking a step back. If you have frustrated employees, listen to their pain points and see whether they can be alleviated without compromising security. Something like Microsoft’s Conditional Access, which can skip the Multi Factor Authentication prompt for sign-ins from your trusted office locations or from managed, compliant devices while still demanding it everywhere else, might make all the difference to your employees’ frustration levels and let them work productively within a secure environment (it requires a Microsoft Entra ID P1 licence, which is included in Microsoft 365 Business Premium). Additionally, if a critical security control is causing frustration – going back to mistake #6 – educating your users on why the control is in place and the consequences of bypassing it is also crucial.
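To make the Conditional Access suggestion concrete, here is an added example (not the article’s own configuration) of such a policy created through the Microsoft Graph PowerShell SDK: MFA is required for all users on all cloud apps unless the sign-in comes from a trusted named location or a compliant device. It is created in report-only mode so you can see who it would affect before enforcing it. The group ID is a placeholder for your emergency-access (break-glass) group, which must be excluded so a misconfiguration can never lock every administrator out; the example also assumes your office IP ranges are already defined as trusted named locations in Entra ID.

```powershell
# Added example (not from the original article): a Conditional Access policy that
# prompts for MFA everywhere EXCEPT from trusted locations or compliant devices.
# Requires Microsoft Entra ID P1 and the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph). Created in report-only mode first.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder, not a real ID: the group holding your emergency-access accounts.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA except from trusted locations or compliant devices'
    # Report-only: sign-in logs show what the policy WOULD have done. Switch to
    # 'enabled' only after reviewing those logs for unexpected lockouts.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never apply to break-glass accounts
        }
        applications = @{
            includeApplications = @('All')
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')      # your office ranges, marked trusted in Named locations
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: satisfying EITHER control is enough, so a compliant (Intune-managed)
        # device signs in without an MFA prompt; anything else must complete MFA.
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two caveats a practitioner would add. First, ‘trusted location’ means an IP range you have marked as trusted, so it only protects you if the office network itself is reasonably secure. Second, `compliantDevice` only works for devices enrolled in your endpoint management tool (mistake #4), which is why the two fixes belong together: the management tool is what lets Conditional Access tell a known laptop from an attacker’s.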

Cyber Security Mistake #8: Thinking cyber security is a one off job

Cyber attacks evolve as fast as the technology they target, which makes business security an ongoing task in an ever-changing landscape. Your cyber security strategy needs continual assessment, development and management; it’s not a job that’s done once and then you’re secure. If your strategy isn’t reviewed and maintained, the passage of time alone will make you vulnerable: new vulnerabilities are disclosed, staff join and leave, and configurations drift from what was originally set up.


Recognising the rate at which cyber security best practice develops, and that securing your business is an ongoing task, is the first step. Having a dedicated team to keep on top of and implement that best practice is a great starting point. If this is difficult for your organisation, consider using a Managed IT Service.

For a small team of one or two IT professionals, keeping on top of licences, being proactive rather than reactive, understanding ever-changing product capabilities and maintaining absolute security becomes an impossible task, regardless of how brilliant the team is.

Our Managed IT Support team here at Risc train for over 150 hours collectively each week to keep their knowledge up to date. They have a high level of expertise and experience to ensure that your business security is implemented, monitored and maintained so that you’re consistently operating securely long into the future.

If you would like more information about anything covered in this article or how we can help your organisation with its cybersecurity, please reach out to us.

You may also find the articles below useful:

How to prevent cyber attacks

Why Hybrid Working is a Security Threat

Don’t sleepwalk into a Microsoft 365 Data Loss

Preparing your business for the landline switch off in 2025