Protect your business online
How to protect your business online from hacking, phishing, fraud, data breaches and other types of cyber crime.
Cyber crime affects all types of businesses, from sole traders to large companies. Every business should take basic steps to protect themselves and their customers online.
This guide explains what you can do to reduce your risk of cyber attacks. It outlines common cyber security measures to help strengthen your business's defences and detect spam, malware and virus attacks.
This guide also describes the impact of business data breach and theft and looks into security concerns in particular areas of your business, including point-of-sale, remote access and cloud transactions.
Finally, it explains how to deal with insider threats in cyber security and suggests ten easy cyber security tips to protect your business online.
Common cyber security measures
Essential cyber security measures for small businesses to prevent, detect and respond to cyber attacks.
Cyber security measures are simple steps and tools that protect your business data, systems and customers from online attacks. They help prevent problems stemming from:
- Internet threats, such as spyware or malware
- weak passwords or lost devices
- software bugs and vulnerabilities
- misuse of systems and features
For small businesses, the National Cyber Security Centre (NCSC) suggests core measures such as firewalls, secure configuration, access control, malware protection and patch management. These block 80% of common attacks and make your business harder to target.
Essential steps for cyber security
These seven steps are easy to implement and provide basic protection for most businesses to defend against common threats.
1. Maintain password security
Strong passwords are vital to good online security. Create passwords that are:
- at least 12 characters long
- a mix of upper- and lower-case letters, numbers and symbols
- free of personal information (like names and birthdays)
Protect them further by:
- changing passwords regularly
- never using them for multiple accounts
- always using two-factor authentication (2FA)
Create a business password policy to make sure all staff follow these rules consistently. It prevents weak or reused passwords across your team, reduces the risk of accounts being hacked, and makes enforcement easier through tools like scheduled resets or password managers. A clear policy also helps during staff training and audits.
For more advice, see the National Cyber Security Centre's (NCSC) password guidance.
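A password policy is easier to enforce when the rules can be checked automatically. The checker below is an added example, not part of the original guidance; it applies the three composition rules given above and treats the user's name and date of birth (passed in by the caller as an ISO date string, an assumption for this example) as the personal information a password must not contain.

```python
import re
from datetime import date

# Rules stated in the guidance: at least 12 characters, a mix of upper- and
# lower-case letters, numbers and symbols, and no personal information.
MIN_LENGTH = 12

def personal_tokens(name, birthday_iso=None):
    """Substrings the password must not contain, derived from the user's name
    and date of birth (ISO format, e.g. '1990-04-03'). Lower-cased so the
    comparison is case-insensitive."""
    tokens = {part.lower() for part in name.split() if len(part) >= 3}
    if birthday_iso:
        dob = date.fromisoformat(birthday_iso)
        tokens.update({
            dob.strftime("%Y"),        # 1990
            dob.strftime("%d%m"),      # 0304
            dob.strftime("%m%d"),      # 0403
            dob.strftime("%d%m%Y"),    # 03041990
            dob.strftime("%d%m%y"),    # 030490
        })
    return tokens

def check_password(password, name="", birthday_iso=None):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in (
        (r"[a-z]", "no lower-case letter"),
        (r"[A-Z]", "no upper-case letter"),
        (r"[0-9]", "no number"),
        (r"[^A-Za-z0-9]", "no symbol"),
    ):
        if not re.search(pattern, password):
            problems.append(label)
    lowered = password.lower()
    # sorted() keeps the report order stable for the same input
    for token in sorted(personal_tokens(name, birthday_iso)):
        if token in lowered:
            problems.append(f"contains personal information ({token})")
    return problems

if __name__ == "__main__":
    # Constructed sample: a password built from the user's surname and birth year
    print(check_password("Smith1990!!pass", "Jane Smith", "1990-04-03"))
```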
2. Control access to data and systems
Give staff access to only the data and services they need for their role. This is called 'least privilege' and stops attackers moving through your systems if one account is compromised. Key actions include:
- locking premises and restricting physical access to devices and servers
- blocking unauthorised users with login controls
- using application settings to limit access to sensitive data
- restricting data copying to USB drives or email attachments
- using modern operating systems with built-in access controls
For more information, read NCSC's identity and access management guidance.
3. Use firewalls
Firewalls act as a barrier between your devices and the internet, blocking viruses and malware by filtering incoming and outgoing traffic. You should:
- enable built-in firewalls on every device and server
- configure rules to block risky ports and untrusted traffic
- check settings and update firmware regularly
- use hardware firewalls (in routers) for network-wide protection
- review firewall logs for blocked threats
Outdated firewalls are a common weak point, as many attacks exploit known firmware bugs. See server security guidance for more advice on advanced setups.
4. Install security software
Install anti-spyware, anti-malware and anti-virus tools on all devices to help detect and remove threats that get past other defences. You should:
- choose reputable, business-grade security software
- enable real-time scanning and automatic updates
- run full system scans weekly
- review quarantine logs regularly for blocked threats
Keep any security software up to date with the latest patches. See guidance on detecting spam, malware and virus attacks.
5. Keep software updated
Install security updates promptly to fix known bugs and vulnerabilities. Outdated software is one of the most common ways criminals break into businesses. As basic precautions, you should:
- enable automatic updates for operating systems, browsers and apps
- check monthly for updates on all devices and servers
- prioritise critical security patches
- restart devices after updates to apply changes fully
Enable automatic updates wherever possible – they close security gaps before criminals can exploit them.
6. Monitor for intrusions
Use intrusion detection systems or security information and event management tools to monitor systems for any unusual network activity. These generate alerts, often via email, when they detect a potential security breach. Early detection can limit damage so:
- set up alerts for suspicious logins, data transfers or traffic spikes
- review logs weekly and investigate any warnings
- start with free tools like OS built-in logging if budget is tight
See more on cyber security breach detection.
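The alerts described in this section can start from nothing more than the operating system's own login log. The script below is an added example, not part of the original guidance: it reads OpenSSH-style authentication lines (the sample lines are constructed, with documentation-range addresses) and raises the three alerts the list above asks for, a burst of failed logins from one address, a successful login right after such a burst, and a login outside the business hours assumed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in OpenSSH's syslog format (not a real capture).
SAMPLE_LOG = """\
Mar  3 09:14:02 fileserver sshd[2101]: Accepted password for alice from 192.0.2.10 port 50312 ssh2
Mar  3 22:41:10 fileserver sshd[2200]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Mar  3 22:41:12 fileserver sshd[2201]: Failed password for admin from 198.51.100.7 port 40002 ssh2
Mar  3 22:41:15 fileserver sshd[2202]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 22:41:17 fileserver sshd[2203]: Failed password for admin from 198.51.100.7 port 40004 ssh2
Mar  3 22:41:20 fileserver sshd[2204]: Failed password for admin from 198.51.100.7 port 40005 ssh2
Mar  3 22:41:25 fileserver sshd[2205]: Accepted password for admin from 198.51.100.7 port 40006 ssh2
Mar  3 23:05:00 fileserver sshd[2300]: Accepted password for bob from 192.0.2.11 port 50400 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Thresholds are assumptions for this example; tune them to your own traffic.
FAIL_THRESHOLD = 5           # failed logins from one address inside the window
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = (8, 18)     # 08:00-18:00; successful logins outside are flagged

def parse(line, year=2024):
    """Turn one log line into a dict, or None if it is not a login event.
    Syslog lines carry no year, so one is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect(log_text):
    """Return a list of (rule, detail) alerts in the order they were raised."""
    alerts = []
    failures = defaultdict(list)        # source address -> failed-login times
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, t = ev["ip"], ev["time"]
        recent = [x for x in failures[ip] if t - x <= WINDOW]
        if ev["result"] == "Failed":
            failures[ip].append(t)
            if len(recent) + 1 == FAIL_THRESHOLD:    # fire once per burst
                alerts.append(("brute-force",
                               f"{FAIL_THRESHOLD} failed logins from {ip} within {WINDOW}"))
        else:
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("success-after-failures",
                               f"{ev['user']} logged in from {ip} after {len(recent)} recent failures"))
            if not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
                alerts.append(("out-of-hours",
                               f"{ev['user']} logged in from {ip} at {t:%H:%M}"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"ALERT [{rule}] {detail}")
```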
7. Train your staff
Train employees to recognise cyber risks and follow your security policies. People cause most breaches through simple mistakes, so training reduces this risk significantly; your staff should understand their role in helping to keep your business secure. At a minimum, you should:
- explain to staff their role in keeping business data safe
- train them on any relevant policies and procedures
- run regular awareness sessions (quarterly minimum)
- test staff with simulated phishing emails
- update training when new threats emerge
See insider threats in cyber security for common staff-related risks and solutions.
Test your defences
Follow government best practices and free NCSC tools to check your security:
- get certified with the government's Cyber Essentials scheme
- run the free cyber security checks to scan your public-facing IT
- use the Cyber Action Toolkit to start protecting your business
These resources will help close common gaps fast and build confidence in your security.
Server security
How to use firewalls, data encryption and server hardening to secure your business servers and network from cyber attacks.
Servers are powerful computers that host services like email, websites or file sharing. They process requests from other devices and deliver data to them, often running 24/7. Cyber criminals target them because they often hold sensitive business data.
What is server security?
Server security protects data and resources on your servers from intrusions, hacking and other malicious actions. Defences are often layered and cover:
- the operating system and critical services
- applications and content hosted on the server
- network protection against online threats
Insecure servers create significant business risks like data theft and network-wide attacks.
How to secure your servers
Securing large, complex servers may require specialist skills. However, any business using a server should be aware of the risks and - at the very least - use basic cyber security measures.
Physical security
If you are not using a secure data centre to host your servers, you should:
- keep them in locked rooms
- restrict access to authorised staff only
- monitor security logs regularly
- check for environmental risks, eg overheating and fire
- ensure stable power supply
Like desktop PCs, servers need firewalls, regular backups and software updates, reliable anti-malware protection, and ongoing support and maintenance.
Network firewall security
Firewalls filter all incoming and outgoing traffic to your network. They block threats and can:
- prevent malicious email relay
- stop malware downloads
- restrict access to risky websites or services
Hardware firewall
A hardware firewall is built into most broadband routers. It protects your whole network from unauthorised external access and is usually effective even with minimal configuration.
Software firewall
A software firewall is installed on individual devices. It is often part of the operating system and usually needs more configuration of settings and application controls.
Server hardening
Default server settings are rarely secure. They can leave systems exposed to known threats with default passwords, open ports and unnecessary services running. Server hardening is a security process that addresses these risks. It strengthens servers by removing known vulnerabilities, including:
- encrypting data transmissions
- disabling unnecessary services - unused ports, protocols and software
- applying security patches and updates regularly
- enforcing complex passwords and access control
- locking accounts after failed logins
- using intrusion detection
- backing up data and systems regularly
The National Cyber Security Centre has detailed guidance to help you secure your server.
Cloud servers as an alternative
Cloud servers provide an alternative (often a cost-effective one) to on-premises setups by hosting services on remote infrastructure through Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) models.
In SaaS and PaaS, the cloud provider will typically be expected to configure and maintain servers for you, including patching, security hardening, and implementing security functions like logging and auditing.
With IaaS, you will be responsible for server security, including server hardening, access controls and compliance with UK rules, just as you would with traditional, on-premises servers.
Detect spam, malware and virus attacks
How to detect a virus, malware or spam attack, and what to do if your business has been affected.
Spam, viruses and other malware can have a damaging effect on your business. It is important to understand how to detect an attack and recover your systems following the incident. It is also important to keep an eye on the latest cyber threat alerts or subscribe to the Early Warning Service from the National Cyber Security Centre (NCSC) to learn of potential cyber attacks on your business network.
How to detect spam
Spam is unsolicited communication that now makes up the majority of email traffic. Your internet service provider should offer you spam filtering as a default feature of your dedicated email service.
Spam filters detect unwanted emails based on suspicious word patterns and other clues, and divert them to a separate folder or mailbox after classifying them as spam. You can buy separate spam filters or programs to reduce the spam you receive and securely manage your inbox. See how to protect your business against phishing.
How to detect a virus or malware
Common signs of virus or malware infection include:
- system slowing down
- unexpected activity on your machine or pop-up messages
- email server becoming overloaded or intermittent
- data files becoming corrupt or going missing
- unexpected changes in the content of your files
If you notice these signs and suspect a problem, use your security software to diagnose the issue. Your software provider may be able to offer you advice. Read more about cyber security breach detection.
Virus or malware recovery
If a virus has infected your system, follow these five basic recovery steps:
1. Tell everyone who needs to know
If the virus is spread through email, tell everyone with an email account on the infected system as quickly as possible. If there is a specific file attachment that contains the malicious virus program, name it.
2. Quarantine infected machines
As soon as possible, disconnect infected computers from any internal or external networks. Do not reconnect until after you remove the virus.
3. Organise a clean-up operation
Use your anti-virus software to scan all computers and files to check if the virus has spread. If you can't remove the virus or malware, you may need to restore your computer files from a recent backup. In extreme cases, it may be more practical to wipe the infected computer, reinstall the operating system and restore your files from a recent, clean backup. If necessary, contact your software supplier for specific advice.
4. Make sure there are no re-infections
Carry out emergency security measures and inform the users that clean-up is underway. Ensure that additional patches are in place to prevent re-infection.
5. Manage outgoing email traffic during the crisis
Use whatever facilities you have to prevent the transfer of the virus via email. Consider closing down the outgoing mail service.
Read NCSC's detailed guidance on how to recover an infected device.
Cyber attacks are almost inevitable, so the speed at which you react to an incident is critical. You should plan, develop and test a cyber security incident response plan to help you deal with security incidents quickly and efficiently.
The NCSC provides a free 'Exercise in a Box' online training tool to help you test and practise your response to a cyber attack.
You can also use the NCSC's free Check your cyber security service to perform a range of simple online checks to identify common vulnerabilities in your public-facing IT.
Protect your business against phishing
Find out about phishing and spear phishing - how these attacks work and how to protect your business against them.
Phishing is widespread in the UK. It is one of the most common types of cyber crime that targets businesses regardless of their size or sector.
What is phishing?
Phishing is a type of cyber attack that most commonly happens through email. In a typical attack, thousands of people receive fake emails from unknown criminals asking them to:
- provide sensitive or confidential information (such as passwords and bank details)
- send money to individuals or organisations
- download something that infects your computer
The email usually contains attachments infected by malware or links to a 'spoof website' where attackers try to trick you into surrendering sensitive data.
Variations of phishing include:
- vishing - when fraud is attempted by phone
- smishing - when fraud is attempted via text messages
Read the National Cyber Security Centre (NCSC) guidance on phishing and how to defend against it.
Targeted phishing attacks
Rather than delivering mass emails to random individuals, some forms of phishing target specific individuals or organisations. One such form is spear phishing.
Spear phishing
As with regular phishing, spear phishing emails appear to come from a trusted or familiar source. The criminals gather personal information about the target and modify their message to make it look legitimate. This method is known as social engineering - it increases the chances of tricking the target into divulging sensitive information or downloading malware from infected attachments and links.
Whale phishing
Whale phishing attacks use the same personalised technique but target high-profile individuals, such as celebrities, politicians or C-level executives. Read the NCSC's blog to find out more about these targeted forms of phishing.
Social media phishing
As well as email, text messages and phone calls, criminals can also use social media websites to commit financial or identity fraud. Social media phishing usually involves:
- fake social media accounts that impersonate known or trusted people
- fake customer support accounts to impersonate brands
- click-bait posts that include malicious links
- fake surveys, promotions or contests to get personal information
See Get Safe Online tips to help you avoid social media phishing.
How to spot phishing websites
Fraudulent websites can be difficult to identify. They may closely resemble, for example:
- your social networks
- your email providers, such as Yahoo or MSN
- your banking provider
- government service, such as HM Revenue & Customs
- IT service providers and vendors such as Microsoft, Google or Apple
- online marketplaces, such as eBay or Amazon
- money transfer websites, such as PayPal
Once you enter information into fake sites, criminals can steal it and use it to commit identity or financial fraud.
Common warning signs that you are on a fake website may include:
- a different URL address to that you originally clicked on
- an element of urgency in whatever the website is asking you to do
- requests for personal information such as financial account or social security numbers
- spelling errors, unusual navigation or substandard graphics
- suspect ads or pop-ups on the website
- a mix of legitimate links with fake links
- incorrect company name
- an absence of legitimate contact details
Keep in mind that an HTTPS site (where the padlock symbol next to the URL address claims a secure connection) can also be malicious.
How to prevent phishing
The key to avoiding phishing is to treat all emails with caution. For example:
- Be wary of emails that begin with 'Dear Sir/Madam' or another type of generic greeting (eg 'Dear account holder', 'Dear customer', etc). Legitimate companies and individuals will generally call you by your name, eg 'Dear [FIRST NAME]'.
- Look for inconsistencies in the sender's email address and any links to web pages. Make sure that they match legitimate sources, including when you hover your cursor above them.
- Be careful with unsolicited emails carrying attachments or directing you to download documents or files from unknown websites. A good email filter will block many of these types of messages.
- Ignore emails that appear to come from a bank or similar institution, and request sensitive information. If in doubt, contact your bank directly using trusted contact details and do not use the contact details or links provided in the email.
- Ignore emails demanding urgent action or making offers that are too good to be true.
- If in doubt, do not click on any links within an email. Instead, contact the sender through a known source, such as phone or their official website. Do not use contact details supplied within the suspicious email.
You should also train your employees to recognise scam emails and act appropriately. If you need help training your staff, the NCSC has created a free online tool to help you do just that - access the NCSC's Top Tips for Staff tool.
If you or your staff receive a potential phishing message, you can report it to the NCSC using their Suspicious Email Reporting Service: report@phishing.gov.uk.
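The warning signs listed above (a generic greeting, a sender address that does not match the organisation named in the display name, link text that shows one address while the link points elsewhere, and pressure to act urgently) can be checked mechanically before a message reaches an inbox. The script below is an added example, not part of the original guidance: it inspects a constructed sample message, and the mapping of brand names to the domains they genuinely send from is an assumption the caller supplies.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email; example domains only).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
To: accounts@smallbusiness.example
Subject: Urgent: your account will be suspended
Content-Type: text/html

<html><body>
<p>Dear customer,</p>
<p>Unusual activity was detected. You must verify your details within 24 hours
or your account will be suspended.</p>
<p><a href="http://examp1e-bank-verify.com/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

GENERIC_GREETINGS = ("dear sir", "dear madam", "dear customer", "dear account holder", "dear user")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_text):
    """Host part of a URL, or of link text that looks like a URL; '' if neither."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)
    return (parsed.hostname or "").lower()

def check_email(raw, trusted_domains):
    """Return the warning signs found in one raw message. trusted_domains maps a
    brand name that may appear in the display name to its genuine sending domain."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = re.sub(r"<[^>]+>", " ", body).lower()
    subject = msg.get("Subject", "").lower()
    warnings = []

    # 1. brand named in the display name, but sent from an unrelated domain
    for brand, domain in trusted_domains.items():
        if brand.lower() in display_name.lower() and sender_domain != domain \
                and not sender_domain.endswith("." + domain):
            warnings.append(f"display name mentions {brand} but sender domain is {sender_domain}")

    # 2. generic greeting instead of the recipient's name
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        warnings.append("generic greeting")

    # 3. pressure to act urgently (report the first phrase found)
    for phrase in URGENCY_PHRASES:
        if phrase in text or phrase in subject:
            warnings.append(f"urgency: '{phrase}'")
            break

    # 4. link text shows one host while the href points to another
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        shown_host = host_of(shown)
        if shown_host and shown_host != host_of(href):
            warnings.append(f"link text shows {shown_host} but points to {host_of(href)}")
    return warnings

if __name__ == "__main__":
    for w in check_email(SAMPLE_EMAIL, {"Example Bank": "example-bank.com"}):
        print("WARNING:", w)
```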
Point-of-sale terminal security
Best practice for point-of-sale environments and the different ways to protect your POS terminal security.
Point-of-sale (PoS) security is a growing concern for many businesses, especially for those in the retail sector. There are two main areas of PoS vulnerabilities:
- hardware - eg when criminals affix a 'skimmer' device to a PoS terminal in order to intercept and capture card data
- software - eg when criminals use malware to gain access to PoS networks and steal payment card data as it passes through the network
If you use point-of-sale networks to conduct business, it is vital that you follow security best practices and make every effort to protect your terminals and software.
How to protect your Point-of-Sale station and network
The best advice on securing your PoS environment is to use multiple layers of protection. For example:
- Use strong passwords - replace the default user name and password after installation and change passwords on a regular basis.
- Update your PoS software - install security upgrades and patches to keep your systems protected against known bugs and vulnerabilities.
- Install firewall and anti-virus software - see common cyber security measures.
- Set up encryption - your PoS service provider will usually set up encryption of data transmission by default. If you have any concerns, talk them over with your provider and make sure processes are in place to safeguard your system from abuse.
- Control access - only allow access to customer data to authorised and relevant employees. You should also restrict PoS computers and terminals from accessing the internet; this can prevent exposure to online security threats such as viruses and malware.
- Disable remote access - remote access can expose your PoS system to more vulnerabilities and make it easier for cyber criminals to exploit. Consider disabling remote access to your PoS network as a precaution.
Even with all these measures in place, there is no guarantee that your PoS system won't be attacked. Always watch out for any signs of security breach and train your staff on the proper use of the PoS system. It may also be worth investing in cyber security breach detection and developing and testing your cyber security incident response plan.
Cloud security risks and solutions
How to evaluate the security of your cloud services, and mitigate cloud security risks to your business.
Cloud security takes in a range of policies, technologies and security controls that serve to protect data, applications and the infrastructure associated with cloud computing.
Cloud security risks
Two main types of cloud security threats relate to issues faced by:
- cloud providers - who look after the infrastructure and the client's data and applications
- cloud customers - who rely on password protection and authentication measures
Key risks in the cloud include hacking, data theft, server faults and non-compliance. You can address each by deploying the same security solutions you would normally use to protect your in-house IT devices and networks.
Cloud security controls
Many of the common cyber security measures apply in a cloud-based environment as they do in conventional IT systems, including:
- antivirus
- firewalls and perimeter protection
- traffic monitoring and reporting
- spam filtering
- real-time alerts and analytics
The National Cyber Security Centre (NCSC) offers detailed guidance to help you configure, deploy and use cloud services securely.
Your security responsibility if you use cloud services
Providers and customers share the responsibility for maintaining and protecting the security of cloud services and systems. As a buyer, your responsibilities will vary depending on the type of service involved. Your responsibilities will be the largest when using Infrastructure as a Service (IaaS).
Cloud security and data protection - things to consider
If you are processing and storing sensitive business or personal data in the cloud, you will want to check that your provider takes security seriously. Things to consider include:
Cloud provider vulnerabilities
Are they following best security practices, patching regularly and implementing proper security controls? Can they guarantee that your assets will be protected against physical tampering, loss, damage or seizure?
Technology vulnerabilities
Are there weaknesses in the host system or server configuration? Can you get assurances that the technology is secure? Will it be reliably accessible and available when you need it?
Access policies
Have you agreed standards and responsibilities between yourself and the provider? Defining roles and responsibilities can help ensure secure coverage and prevent potential liabilities in case of cyber incidents.
Access controls
Will the provider limit access to the cloud service to only those who need it? How will they minimise the risk of accidental or malicious compromises of your data by their personnel?
Service level agreements
Can you establish a documented standard with your cloud provider, including their duties in relation to ongoing management, response times and support?
Risk assessment and analysis
Does your provider have an adequate incident plan in place to quickly deal with and mitigate any potential damage?
Legal and regulatory implications
If you're storing or processing personal data in the cloud, you will have to comply with the UK General Data Protection Regulation (UK GDPR). For more information, you can read the NCSC's report on cloud computing and data storage.
If you're using software that interacts with cloud services, you may also want to read about managing the risk of cloud-enabled products.
Business data breach and theft
Understand the possible business implications of data breach and theft, and the steps you should take to prevent them.
A data breach involves unauthorised access to or disclosure of sensitive, confidential or otherwise protected data. This may be personal information (for example regarding health or financial accounts), trade secrets or intellectual property.
Data theft is the stealing of digital information from an individual or an organisation, with the intention of compromising privacy or obtaining confidential information.
Impact of data breach or theft
The exact impact of data breaches or theft may vary depending on the organisation. However, common consequences you will need to consider are:
- financial loss
- reputation damage
- operational disruption
- monetary penalties (if you fail to comply with data protection laws)
Risks to your data can come from:
- unauthorised access to your IT systems and networks
- theft of property or equipment from your premises
- transporting data externally via unsecure devices
- failure to follow data protection processes and principles, with or without intent
How to prevent data breach
To protect your business data, you should think about:
- where and how you store it
- how you secure it (physically and electronically)
- who has access to it
- how that access is facilitated (eg individual devices)
Back up your data
You should back up your important data regularly and store it securely off-site. For added protection, you can use data loss prevention software to:
- disable USB ports
- monitor copying of files to storage media
- prevent users from transferring the data altogether
Read the National Cyber Security Centre's (NCSC) detailed guidance on the importance of backing up your data.
Create an asset register
As part of your security measures, you should create an asset register taking into account all hardware and software, including your server equipment. Determine which assets are at risk from cyber attack and record all the relevant details. Audit the register regularly to ensure that equipment is accounted for, and that the information is safe and secure.
Dealing with a data breach
If you believe that data has been stolen, or you have been exposed to scam or fraud, you will have to take action to:
- prevent the data breach from continuing
- discover the extent of the damage
- clean up the results
Your incident response will depend on the circumstances. You may need to take specific advice from the police or legal advisors, but generally speaking, you should:
- report the incident to the relevant authority
- inform your bank
- check bank accounts for unexplained transactions
- check your business for any unexpected changes in its credit condition
- consider hiring an IT security specialist to investigate the breach
- consider hiring a specialist to rebuild or replace parts of your IT infrastructure, if necessary
Find out how to develop a cyber security incident response plan.
The NCSC provides detailed resources to help you effectively detect, respond to and resolve cyber incidents. You should consult the following:
- incident management guidance
- 'Exercise in a Box' online cyber exercising tool
- small business guide to response and recovery
You can also use the NCSC's free Check your cyber security service to perform a range of simple online checks to identify common vulnerabilities in your public-facing IT.
The NCSC also offers a free Cyber Action Plan. By answering a few simple questions, you can get a free personalised action plan that lists what you or your organisation can do right now to protect against cyber attack.
Reporting a data breach
As part of managing the incident, you may need to let people or organisations know about the security breach. You may need to notify:
- the regulators, if the breach is significant or if you've failed to comply with data protection legislation
- individuals or groups whose personal data has been compromised
- relevant industry bodies, eg in the financial or telecommunications sector
Different agencies have different remits in terms of investigating and assisting with cases of online fraud, data breaches and cyber crime. Find out how to report a cyber crime.
Under the UK General Data Protection Regulation (UK GDPR), you must report a serious personal data breach to the Information Commissioner's Office if the breach is likely to result in a risk to people's rights and freedoms.
Remote access security issues
Security implications of working remotely, common risks and concerns, and solutions to securing remote access.
Remote access is a growing need for many businesses. It allows mobile workers or remote staff to access office systems and processes via the internet from remote locations. Despite its many benefits, remote access can expose your business to risks.
You will have to manage these risks to keep your remote access secure at all times. Otherwise, your network may become vulnerable and your business data exposed.
Remote access threats
Remote working relies on the exchange of business data or services outside of the corporate infrastructure, typically over the internet. It can be achieved through a variety of client devices, including many that are outside the organisation's control.
The remote environment in which these devices are used may also pose risks. For example, security concerns may exist around:
- lack of physical security controls - creating a risk of device loss or theft
- eavesdropping - as the information travels over the public internet
- unauthorised access to systems or data - perhaps overlooking the screen
- monitoring and manipulation of data - if someone gains access to the device
You can adapt most of the common cyber security measures to meet the unique challenges of remote access security.
Remote access risk assessment
You should assess the specific risks associated with mobile working and providing remote access to staff. The assessment will inform your mobile working policy, establishing processes for:
- authorising users to work remotely
- device provisioning and support
- the type of information or services that can be accessed or stored on devices
- the minimum procedural security controls
Examine the risks to your corporate network and systems and determine whether you need to increase monitoring on remote connections. If you do so, remember to review and update your workplace monitoring policies.
Remote access security measures
Some specific recommended actions for securing your remote access include:
- encrypting data to prevent theft
- using strong firewall and security software
- using two-factor authentication (eg first with a password and then with a token)
- blocking access by unauthorised users
- allowing access to legitimate users but limiting it to the minimum services and functions required
- reviewing server logs to monitor remote access and any unusual activity
- deleting remote access privileges once they are not needed
- testing systems regularly for vulnerabilities
- keeping firewall and remote access software patched and up-to-date
You may also choose to restrict the type of data that users can access remotely and use virtual private network (VPN) software for a high level of encryption.
If you're introducing remote access to your business for the first time or scaling it up, you should read the National Cyber Security Centre's (NCSC) guidance on moving your business from the physical to the digital and home working: preparing your organisation and staff.
If your staff are working on personal devices rather than work-issued IT, read about secure home working on personal IT.
Insider threats in cyber security
How to detect internal cyber security issues and risks, and develop processes to improve workplace cyber resilience.
Employees are a common source of cyber security breaches. Most insider incidents involve some form of misuse of corporate IT systems by a member of staff. This misuse may be malicious, but more commonly it happens inadvertently through carelessness or negligence.
Regardless of the cause, insider threats can seriously compromise your operations and have a significant financial and reputational impact on your business.
Types of insider threats
Most insider threats fall into one of three categories: the malicious insider, the negligent or unknowledgeable employee, and the third-party contractor.
Typical events that happen in the workplace, and which could pose a significant risk to your business, include things like:
- browsing unauthorised websites
- visiting social networking sites
- sharing confidential information in a social network environment
- opening spam or suspicious links and email attachments
- accidentally sending sensitive information to the wrong people
- accidentally transferring viruses or malware
- choosing weak passwords, or keeping a password after it may have been compromised
- using the same password on multiple accounts
- installing unauthorised programs on their machines
- uploading files to an online file-sharing service, personal cloud or storage network
- downloading unauthorised files (eg music, films or photographs)
- misplacing or losing property (eg laptops, mobile phones, USB devices)
- providing information to a third party, eg suppliers or vendors
- transporting company information via unsecured portable devices
- sending sensitive work documents to their personal email addresses
- using unsecured mobile devices to share work data or access company information
- accessing your business' virtual private network via public computers and public wireless hotspots
Breach detection systems can uncover risky user activity in real time and alert the relevant team to investigate. However, education and staff training are often the key to an effective, preventative cyber security strategy.
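To make the detection point concrete, here is an added example that is not part of the original guidance and not a description of any particular product. It applies a few simple rules to constructed outbound email and web proxy events and flags the kinds of activity listed above: work documents sent to personal email addresses, sensitive attachments leaving the company, and uploads to file-sharing services. The event format, the domain lists, the company domain, the upload threshold and the "CONFIDENTIAL" marker are all hypothetical and would need to be replaced with your own.

```python
"""Flag risky user activity from constructed egress events.

Added example (not from the original guidance). Event format, domain lists,
company domain, threshold and sensitivity marker are hypothetical.
"""
import re

# Hypothetical lists; maintain your own from the services staff actually use.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.co.uk"}
FILE_SHARING_DOMAINS = {"drive.google.com", "dropbox.com", "wetransfer.com"}
COMPANY_DOMAIN = "example.co.uk"

UPLOAD_THRESHOLD = 10 * 1024 * 1024   # 10 MiB; tune to your environment
SENSITIVE_MARKER = re.compile(r"\b(CONFIDENTIAL|RESTRICTED)\b", re.I)

# Constructed events (not real data), one per line:
#   kind|timestamp|user|destination|detail
# kind "mail" = outbound email, detail = attachment name(s)
# kind "web"  = proxy upload, detail = bytes sent
SAMPLE_EVENTS = """\
mail|2024-05-07T09:12:00|alice|alice.smith@gmail.com|Q2-customer-list CONFIDENTIAL.xlsx
mail|2024-05-07T09:20:00|alice|supplier@partner.example|purchase-order.pdf
web|2024-05-07T12:40:00|bob|dropbox.com|52428800
web|2024-05-07T12:41:00|bob|intranet.example.co.uk|1024
mail|2024-05-07T15:05:00|carol|carol@example.co.uk|notes.txt
web|2024-05-08T08:00:00|dave|wetransfer.com|2048
"""


def parse_events(text):
    """Split the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, ts, user, dest, detail = line.split("|", 4)
        events.append({"kind": kind, "ts": ts, "user": user,
                       "dest": dest, "detail": detail})
    return events


def classify(event):
    """Return a reason string if the event matches a risky-activity rule, else None."""
    if event["kind"] == "mail":
        domain = event["dest"].rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL_DOMAINS:
            return "work document sent to personal email address"
        if domain != COMPANY_DOMAIN and SENSITIVE_MARKER.search(event["detail"]):
            return "attachment marked sensitive sent outside the company"
    elif event["kind"] == "web":
        domain = event["dest"].lower()
        if domain in FILE_SHARING_DOMAINS:
            size = int(event["detail"])
            if size >= UPLOAD_THRESHOLD:
                return f"large upload ({size} bytes) to file-sharing service"
            return "upload to file-sharing service"
    return None


def review_events(events):
    """Group findings per user so the right team can follow up or schedule training."""
    findings = {}
    for e in events:
        reason = classify(e)
        if reason:
            findings.setdefault(e["user"], []).append((e["ts"], reason))
    return findings


def review_sample_events():
    """Run the rules over the constructed sample events."""
    return review_events(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for user, items in review_sample_events().items():
        for ts, reason in items:
            print(f"{ts} {user}: {reason}")
```

On the sample, alice's message to her personal address, bob's 50 MiB upload to a file-sharing site and dave's smaller upload are flagged; email to a partner without a sensitivity marker and traffic to the intranet are not. Rules like these produce false positives (a legitimate transfer to a supplier, for instance), so the output is a queue for a person to review and an input to training, not grounds for automatic action.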
Cyber security measures in the workplace
Many unintentional mistakes employees make are entirely avoidable. To help keep your workplace safe, you should:
- screen new employees, contractors or anyone else who will have access to your business information - check references, qualifications, identity, etc
- implement a strict, written set of security guidelines
- set good password practices in place
- restrict access to unauthorised websites and devices
- restrict permissions to install software or access system data
- review current practices on email and internet use, remote working and bring your own device standards
- ensure staff receive IT security training and know how to use IT systems properly
- clearly outline the IT risk management policies and practices you expect your staff to follow
- increase general cyber and corporate security awareness through the workplace
- insist on confidentiality or non-disclosure agreements for people who are given access to sensitive information
- build compliance with security controls into employment contracts, including the disciplinary consequences of breaching them
It's important that you explain to your employees their roles and responsibilities in keeping data and company resources safe. Use our sample IT policies, disclaimers and notices to help you set out IT policies for your business.
Lastly, keep in mind that even if you follow all the best practices, you may still encounter security issues from time to time. Review your cyber security risk management processes and develop an incident response plan, to enable you to quickly and efficiently deal with cyber incidents.
10 cyber security tips to protect your business online
Follow simple steps to increase your business' cyber security and protect assets, resources and data from cyber attacks.
Cyber attacks threaten all businesses. A recent government survey found that many organisations, including small businesses and charities, have experienced cyber incidents. Larger businesses are attacked more often, but any business without proper defences is vulnerable.
How to protect your business online
The National Cyber Security Centre (NCSC) recommends these actions:
- Back up data regularly. Keep copies of your data off-site and test that backups work.
- Update software promptly. Apply security patches on all devices used in your business. Enable auto-updates where possible.
- Use anti-virus and anti-malware software. Keep it up to date.
- Choose strong, unique passwords. Use two-factor authentication wherever it is offered, and change a password when you suspect it has been compromised rather than on a fixed schedule.
- Encrypt sensitive data. Never send passwords or sensitive details via unencrypted email.
- Be cautious of phishing and ransomware. Avoid clicking on suspicious links in emails or social media.
- Use firewalls and keep router firmware updated.
- Secure Wi-Fi with encryption (WPA2 at minimum, WPA3 where your equipment supports it) and change the router's default passwords.
- Use a VPN when connecting over public or external networks.
For detailed guidance, check the NCSC's cyber security advice for small and medium-sized businesses.
Useful NCSC tools and services for businesses
You can access a range of free resources from the NCSC to help protect your business. These include:
- Check your cyber security service: Quickly find vulnerabilities in your online systems.
- Cyber Action Plan: Get a personalised plan with practical steps to improve your security.
- Small Business Guide: Simple, low-cost advice for small organisations.
- Free Cyber Security Training: Short, easy-to-use online training modules for staff on recognising cyber threats and protecting your business.
You can also stay informed of any emerging threats by registering for the NCSC's Early Warning Service.
If you experience a cyber attack, report it immediately to the NCSC's 24/7 Incident Management team at report.ncsc.gov.uk.