Small-business security basics: the simple stack that protects a UK business in 2026
On this page
- What actually goes wrong (the honest threat model)
- 1. A password manager (the single biggest win)
- 2. Turn on two-factor authentication everywhere
- 3. A VPN for public wifi and working on the move
- 4. Back up everything (the 3-2-1 rule)
- 5. Keep software updated
- 6. Email: stop spoofing, and stay sceptical
- 7. Your website (where this becomes our job)
- The 10-minute checklist
- The disclosure, plainly
The businesses that get hit are rarely the ones with a determined hacker on their trail. They are the ones running the whole company on three reused passwords, a laptop with no backup, and a coffee-shop wifi connection that anyone in the room can read. The good news is that the boring basics remove most of that risk, and almost none of them are expensive or technical.
This is the plain-English version: what actually matters for a UK small business in 2026, in the order I would do it. You do not need all of it this week. You need the first two or three things done properly, and the rest over the following month.
A note before we start, because honesty is the whole point of a piece like this: some of the links below are affiliate links, and UK Web Marketing may earn a small commission if you sign up, at no extra cost to you. It does not change the advice. Where a free or open-source option is the better pick, I say so and name it.
What actually goes wrong (the honest threat model)
You do not need to defend against a state actor. For a small business, the real risks are mundane and common:
- A password reused across your email, your bank and your shop: when any one of those services is breached, the attacker now has the password to all three.
- A phishing email that looks like your accountant, your bank or Companies House, asking you to log in or change bank details.
- A laptop or phone lost or stolen with everything still logged in.
- Working on public wifi (a cafe, a hotel, a client site) where the connection is not yours and not encrypted.
- A drive that dies, or a ransomware lock, with no backup to fall back on.
Cover those five and you have handled the overwhelming majority of what actually happens to businesses like yours. Everything below maps to one of them.
1. A password manager (the single biggest win)
Reused passwords are the number one cause of small-business account takeovers, and a password manager fixes the whole category in one move. It generates a long, unique password for every account, stores them encrypted, and fills them in for you, so you never reuse one and never have to remember them. You memorise one strong master password and that is it.
This is the first thing I would set up, ahead of everything else on this page.
The picks:
- For the easiest, most mainstream option with a free tier to start on: NordPass (affiliate link). It is free for one user, has paid family and team plans, runs frequent multi-year deals, and its parent company sits in Lithuania (inside the EU). The apps are polished and beginner-friendly, which matters, because the best password manager is the one your team will actually use.
- For the cleanest open-source, data-protection story: Bitwarden. It is free, EU-resident by default, and audit-friendly. If anyone ever asks how your password manager works, an open codebase is the easiest answer.
Either is a good choice. For the full breakdown, including 1Password and Proton Pass and which fits a regulated practice, see the password-manager comparison.
2. Turn on two-factor authentication everywhere
Two-factor authentication (2FA) means that even a stolen password is not enough on its own: the attacker also needs a code from your phone. It is the single highest-value free thing you can do after the password manager.
Turn it on for your email first (your email is the master key, because it can reset everything else), then your bank, your domain registrar, your Google Business Profile, and your payment and accounting logins. Use an authenticator app (the free Google Authenticator, Microsoft Authenticator, or the one built into your password manager) rather than text-message codes where you have the choice: a SIM swap lets an attacker receive your text messages, but it does not give them your app codes.
3. A VPN for public wifi and working on the move
When you work from a cafe, a hotel, an airport or a client’s office, you are on a network you do not control. A VPN (virtual private network) encrypts your connection so that whoever runs that wifi, or anyone else sitting on it, cannot read what you are doing. For a business owner who works on the move, or has staff working remotely, it closes the public-wifi risk from the threat model above.
It is worth being honest about what a VPN does and does not do. It protects your connection on untrusted networks and adds privacy. It is not antivirus, it is not a magic shield, and if you and your team only ever work from one trusted office or home connection, it is a lower priority than the password manager and your backups. It earns its place the moment anyone works from a network they do not own.
The pick: NordVPN (affiliate link). It is well known, fast, works across your laptop and phones, and runs multi-year deals that bring the monthly cost down. Same EU-based parent as NordPass, so it is one account family if you use both.
4. Back up everything (the 3-2-1 rule)
Backups are the difference between a bad afternoon and a closed business. The rule worth remembering is 3-2-1: keep three copies of anything you cannot lose, on two different types of storage, with one of them off-site.
For a typical small business that means: the working copy on your computer, a copy on an external drive, and a copy in a cloud backup that runs automatically. The off-site copy is what saves you from theft, fire and ransomware; the on-site drive alone does not. Once a year, actually try to restore a file, because a backup you have never tested is a hope, not a backup.
5. Keep software updated
Most security holes that get exploited are old and already patched; the businesses that get hit are the ones that never installed the update. Turn on automatic updates for your operating system, your web browser, your phones, and anything running your website (the platform and any plugins). It is the least glamorous item on this list and one of the most effective.
6. Email: stop spoofing, and stay sceptical
Email is the main way attacks arrive, so it is worth two small jobs. First, the technical one: make sure your domain has SPF, DKIM and DMARC set up. These are the three DNS records that let receiving mail servers reject email that only pretends to come from your domain, and they also help your own email land in inboxes rather than spam. If you are not sure, that is part of what a managed setup handles, and the UK/EU sovereign stack guide and the sub-processor page show how we wire it.
Second, the human one: treat any unusual request to log in, pay an invoice, or change bank details as suspicious, even when it looks like it came from someone you know. Verify it through a different channel (a phone call to a number you already have) before you act. Most successful attacks on small businesses are a convincing email, not clever code.
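As an added example (not from this page or from UK Web Marketing), here is a small Python check that reads a domain's SPF and DMARC TXT records and flags the settings that still leave spoofing possible. The records and the example.com domain are constructed stand-ins; a real check would fetch the TXT records with a DNS lookup first. DKIM is left out because checking it needs the selector name your mail provider uses.

```python
"""Added example: flag weak SPF and DMARC records. Records below are constructed, not real lookups."""

# Constructed TXT records, in the shape a DNS lookup would return them (example.com is a placeholder).
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.example-mail.net ?all",  # '?all' is neutral: forged mail is not failed
        "some-site-verification=abc123",              # unrelated TXT record, must be ignored
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",  # p=none only monitors, never blocks
    ],
}

def spf_findings(txt_records):
    """Return a list of problems with the domain's SPF record(s); empty means it looks sound."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell your mail from a forgery"]
    if len(spf) > 1:
        return ["more than one SPF record: receivers treat this as a permanent error"]
    last = spf[0].split()[-1].lower()
    if last.startswith("redirect="):
        return []  # policy lives on another domain; check that one instead
    if last in ("+all", "all"):
        return ["SPF ends in '+all': every sender on the internet is authorised"]
    if last == "?all":
        return ["SPF ends in '?all': forged mail is neither passed nor failed"]
    if last not in ("-all", "~all"):
        return ["SPF has no 'all' mechanism: unlisted senders are never failed"]
    return []

def dmarc_findings(txt_records):
    """Return a list of problems with the _dmarc TXT record; empty means it looks sound."""
    records = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: receivers get no policy for mail that fails SPF/DKIM"]
    tags = dict(t.strip().split("=", 1) for t in records[0].split(";") if "=" in t)
    problems = []
    if tags.get("p", "none") == "none":
        problems.append("DMARC policy is 'none' (or missing): failures are reported, never rejected")
    if "rua" not in tags:
        problems.append("DMARC has no rua= address: you will never see the reports")
    return problems

def audit(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain using the supplied TXT records."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get(f"_dmarc.{domain}", []))
```

Run against the constructed records, `audit("example.com")` reports two problems: the neutral `?all` and the monitor-only `p=none`.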
7. Your website (where this becomes our job)
Your website is part of your security surface too: it should be on HTTPS, kept patched, backed up, and monitored so a problem is caught before a customer sees it. This is exactly the boring operational layer that a managed website covers, and the part most one-off builds quietly leave to you.
If you would rather not think about it, that is the whole idea of a managed website service: the hosting, the SSL, the patching, the backups and the monitoring are run for you. It is also the practical difference between website management and website maintenance, if you are weighing up what a plan should actually include.
The 10-minute checklist
You will not finish all of this in ten minutes, but you can start every item:
- Install a password manager and move your five most important logins into it (NordPass or Bitwarden).
- Turn on two-factor authentication for your email, first.
- If you work from public wifi, set up a VPN (NordVPN).
- Check you have an automatic, off-site backup, and that you can restore a file.
- Switch on automatic updates everywhere.
- Confirm your domain has SPF and DKIM, and brief your team to verify payment changes by phone.
- Confirm your website is on HTTPS and is being patched and backed up by someone.
The disclosure, plainly
NordPass and NordVPN are affiliate links, so UK Web Marketing may earn a small commission if you sign up, at no cost to you. Bitwarden, the open-source password-manager option, is not an affiliate link, and it is named here precisely because it is the better pick for some readers. The advice on this page would be identical with or without the commission: the tools are recommended because they genuinely fit the job, not the other way round.
And if you would rather hand the whole website-security half of this to one person who runs it for you, that is what we do. Start with a free Site Score to see where your site stands today, or get in touch and we will talk through your setup.