Protect your business online

Common cyber security measures

Guidance

Cyber security measures are simple steps and tools that protect your business data, systems and customers from online attacks. They help prevent problems stemming from:

  • internet threats, such as spyware or malware
  • weak passwords or lost devices
  • software bugs and vulnerabilities
  • misuse of systems and features

For small businesses, the National Cyber Security Centre (NCSC) suggests core measures such as firewalls, secure configuration, access control, malware protection and patch management. These block 80% of common attacks and make your business harder to target.

Essential steps for cyber security

These seven steps are easy to implement and give most businesses basic protection against common threats.

1. Maintain password security

Strong passwords are vital to good online security. Create passwords that are:

  • at least 12 characters long
  • a mix of upper- and lower-case letters, numbers and symbols
  • free of personal information (like names and birthdays)

Protect them further by:

  • changing passwords regularly
  • never reusing the same password across multiple accounts
  • always using two-factor authentication (2FA)

Create a business password policy to make sure all staff follow these rules consistently. It prevents weak or reused passwords across your team, reduces the risk of accounts being hacked, and makes enforcement easier through tools like scheduled resets or password managers. A clear policy also helps during staff training and audits.

For more advice, see the National Cyber Security Centre's (NCSC) password guidance.

2. Control access to data and systems

Give staff access to only the data and services they need for their role. This is called 'least privilege' and stops attackers moving through your systems if one account is compromised. Key actions include:

  • locking premises and restricting physical access to devices and servers
  • blocking unauthorised users with login controls
  • using application settings to limit access to sensitive data
  • restricting data copying to USB drives or email attachments
  • using modern operating systems with built-in access controls

For more information, read NCSC's identity and access management guidance.

3. Use firewalls

Firewalls act as a barrier between your devices and the internet, blocking viruses and malware by filtering incoming and outgoing traffic. You should:

  • enable built-in firewalls on every device and server
  • configure rules to block risky ports and untrusted traffic
  • check settings and update firmware regularly
  • use hardware firewalls (in routers) for network-wide protection
  • review firewall logs for blocked threats

Outdated firewalls are a common weak point, as many attacks exploit known firmware bugs. See server security guidance for more advice on advanced setups.

4. Install security software

Install anti-spyware, anti-malware and anti-virus tools on all devices to help detect and remove threats that get past other defences. You should:

  • choose reputable, business-grade security software
  • enable real-time scanning and automatic updates
  • run full system scans weekly
  • review quarantine logs regularly for blocked threats

Keep any security software up to date with the latest patches. See guidance on detecting spam, malware and virus attacks.

5. Keep software updated

Install security updates promptly to fix known bugs and vulnerabilities. Outdated software is one of the most common ways criminals break into businesses. As basic precautions, you should:

  • enable automatic updates for operating systems, browsers and apps
  • check monthly for updates on all devices and servers
  • prioritise critical security patches
  • restart devices after updates to apply changes fully

Enable automatic updates wherever possible – they close security gaps before criminals can exploit them.

6. Monitor for intrusions

Use intrusion detection systems or security information and event management (SIEM) tools to monitor your systems for unusual network activity. These generate alerts, often by email, when they detect a potential security breach. Early detection limits the damage, so you should:

  • set up alerts for suspicious logins, data transfers or traffic spikes
  • review logs weekly and investigate any warnings
  • start with free tools like OS built-in logging if budget is tight

See more on cyber security breach detection.
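The alert rules listed above, worked through as an added example (not part of the original guidance): a small Python script that reads constructed sshd-style login lines and raises alerts for a burst of failed logins from one address, a successful login straight after such a burst, and logins outside working hours. The log format, thresholds and working hours are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not from a real system).
SAMPLE_LOG = """\
2024-03-04T02:11:05 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:09 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:14 sshd: Failed password for root from 203.0.113.7
2024-03-04T02:11:20 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:27 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:31 sshd: Accepted password for admin from 203.0.113.7
2024-03-04T09:02:44 sshd: Failed password for alice from 198.51.100.20
2024-03-04T09:03:01 sshd: Accepted password for alice from 198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse(log_text):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events

def detect(events, threshold=5, window=timedelta(minutes=5), work_hours=(8, 18)):
    """Return (alert_type, ip, user, timestamp) tuples for suspicious logins."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        # Keep only failures inside the sliding window for this source address.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:  # fire once per burst
                alerts.append(("failed_login_burst", ip, ev["user"], ts))
        else:
            if len(failures[ip]) >= threshold:  # success right after a burst
                alerts.append(("success_after_burst", ip, ev["user"], ts))
            if not work_hours[0] <= ts.hour < work_hours[1]:
                alerts.append(("off_hours_login", ip, ev["user"], ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

Run it against the sample and it flags only the 203.0.113.7 activity; alice's single failure followed by a daytime login produces no alert, which is the kind of noise a weekly log review should not waste time on.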

7. Train your staff

Train employees to recognise cyber risks and follow your security policies. Most breaches start with a simple human mistake, so training reduces this risk significantly, and your staff should understand their role in keeping your business secure. At a minimum, you should:

  • explain to staff their role in keeping business data safe
  • train them on any relevant policies and procedures
  • run regular awareness sessions (quarterly minimum)
  • test staff with simulated phishing emails
  • update training when new threats emerge

See insider threats in cyber security for common staff-related risks and solutions.

Test your defences

Follow government best practice and use the free NCSC tools to check your security:

These resources will help close common gaps fast and build confidence in your security.