Skip This, Buy That: A Small Business Cyber Security Guide

The Transcrypt Team
Compliance Engineering

Where to spend your money when there isn't much of it


I've sat where you're sitting.

Three laptops. No IT department. A budget that laughs at you when you Google "enterprise security solutions." And a growing feeling that cyber security is a game designed for companies with deeper pockets than yours.

Here's what eighteen months of learning the hard way taught me: most of what they're selling, you don't need. And the stuff you actually need? It's cheaper than you think.

Let me save you some sleepless nights.

Buy This: Cyber Essentials Certification

I know. You've heard this from me before. But I'm saying it again because it's the foundation everything else sits on.

Cyber Essentials isn't just a certificate for your wall. It's a checklist that forces you to get the basics right. Firewalls configured properly. Software updated. Access controlled. Passwords that aren't "password123."

Cost? Some providers offer it for as little as twenty quid a month. We got ours for free through a research programme, but even at full price, we're talking hundreds, not thousands.

What you get back: the ability to bid for government contracts, credibility with larger clients, and the knowledge that you've actually done something rather than just hoping for the best.

Skip This: Expensive Vulnerability Scanning Tools

There are companies out there who'll charge you thousands for automated scanning tools that spit out terrifying reports full of "critical vulnerabilities."

Most of those reports? Noise. Designed to frighten you into buying more services.

At our level, the free or low-cost tools built into Cyber Essentials certification platforms do the job. They check what needs checking. They flag what needs fixing. You don't need the enterprise-grade scanner. You need to actually act on what the basic one tells you.

Buy This: Proper Backups

Not "I think it saves to the cloud somewhere." Proper backups. Tested backups. Backups you've actually tried restoring from.

Ransomware doesn't care that you're a small business. If anything, it likes you more because you're probably not protected. When they lock your files and demand payment, your options are pay up, lose everything, or restore from backup.

One of those options costs about a tenner a month for decent cloud backup. The others cost you your business.

We use a simple system now: daily automatic backups, stored separately from our main systems, tested quarterly. Danny runs a restore drill every few months just to make sure it actually works. Boring? Yes. Essential? Absolutely.
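The restore drill described above, written out as an added example (this is not the post's own script or TransCrypt's tooling). It takes a compressed archive of a source folder, stores a checksum manifest beside the archive rather than inside it, restores into an empty scratch directory and compares the restored files against the manifest. The `demo` function builds constructed sample data in a temporary directory, runs the drill once against a good backup, then replaces the archive with one taken from an empty folder (the classic "the backup job ran, but the share wasn't mounted" failure) to show that the drill catches a backup that looks successful but restores nothing. It assumes POSIX sh, `tar` with gzip support, and either `sha256sum` or `shasum`.

```shell
#!/bin/sh
# Added example: a backup + restore drill for a single source folder.
# Paths passed in by the caller; the demo builds its own constructed data.
set -u

# Pick a checksum tool (GNU coreutils sha256sum, or shasum on BSD/macOS).
if command -v sha256sum >/dev/null 2>&1; then
  SUM="sha256sum"
else
  SUM="shasum -a 256"
fi

# hash_tree DIR -> one "hash  ./path" line per file, sorted so that two
# directory trees with identical contents always produce identical output.
hash_tree() {
  ( cd "$1" && find . -type f -exec $SUM {} + | LC_ALL=C sort )
}

# make_backup SRC DEST_DIR -> writes DEST_DIR/backup-<stamp>.tar.gz plus a
# manifest of every source file's hash at backup time. Prints the archive path.
# The manifest lives beside the archive, not inside it, so a bad archive
# cannot carry its own "all good" manifest with it.
make_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$dest/backup-$stamp.tar.gz"
  hash_tree "$src" > "$archive.manifest"
  tar -czf "$archive" -C "$src" .
  printf '%s\n' "$archive"
}

# verify_restore ARCHIVE SCRATCH_DIR -> the drill itself. Restores into an
# empty scratch directory and re-hashes what came back. Returns 0 only when
# every file restores with the hash recorded at backup time.
verify_restore() {
  archive="$1"; scratch="$2"
  rm -rf "$scratch"; mkdir -p "$scratch"
  tar -xzf "$archive" -C "$scratch" || return 1
  hash_tree "$scratch" > "$scratch.manifest"
  cmp -s "$archive.manifest" "$scratch.manifest"
}

# demo -> "restore-ok corrupt-detected" when both halves of the drill behave.
# Sample data below is constructed for the demo only.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/data/invoices" "$work/empty"
  printf 'Invoice 0001: 120.00 GBP\n' > "$work/data/invoices/0001.txt"
  printf 'name,email\nsample client,sample@example.invalid\n' > "$work/data/clients.csv"

  archive=$(make_backup "$work/data" "$work/backups")
  if verify_restore "$archive" "$work/restore-test"; then r1=restore-ok; else r1=restore-FAILED; fi

  # Simulate a job that "succeeded" against an unmounted (empty) share:
  # the archive extracts cleanly but contains none of the real files.
  tar -czf "$archive" -C "$work/empty" .
  if verify_restore "$archive" "$work/restore-test"; then r2=corrupt-MISSED; else r2=corrupt-detected; fi

  rm -rf "$work"
  printf '%s %s\n' "$r1" "$r2"
}

demo
```

Run it as-is to see the two drill results; for real use, call `make_backup` from a daily cron job with the source folder and a destination that is not on the same machine (a mounted cloud drive or a separate disk), and schedule `verify_restore` against the newest archive on the quarterly drill day. A green "backup completed" message from the job is not evidence; the manifest comparison is.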

Skip This: Advanced Threat Detection Platforms

"AI-powered threat detection." "Machine learning security analytics." "Real-time breach monitoring."

Sounds impressive. Costs a fortune. And for a business our size? Complete overkill.

These tools are designed for companies with hundreds of endpoints, complex networks, and dedicated security teams to actually respond to all the alerts. If you've got three laptops and Sandra's son, you don't need a mission control centre. You need the basics done properly.

Buy This: Staff Training

Here's an uncomfortable truth: your biggest security risk isn't hackers in hoodies. It's Kev clicking on an email that says "URGENT: Your Invoice Is Overdue" from a sender called "Aboringcompanyname@totallylegitimate.ru."

No offence, Kev.

Training your people doesn't have to be expensive. There are free resources from the National Cyber Security Centre. Short, practical videos that teach people to spot dodgy emails, think before they click, and report anything suspicious.

We do a fifteen-minute refresher every quarter now. It's become a bit of a laugh, actually. We share the best scam emails we've received and compete to spot the red flags. Sandra's surprisingly good at it. Danny pretends to be offended that she's better than him.

Cost: nothing but time. Return: not having to explain to your clients that their data got stolen because someone clicked on a link promising free Amazon vouchers.

Skip This: Cyber Insurance (For Now)

Controversial opinion incoming.

Cyber insurance is worth having eventually. But if you're choosing between insurance and actually implementing basic security, implement the security first.

Insurance doesn't stop you getting attacked. It just helps clean up afterwards. And here's the thing most policies don't advertise: if you can't prove you had basic protections in place, they might not pay out anyway.

Get Cyber Essentials. Get your backups sorted. Train your people. Then think about insurance. It's the roof, not the foundation.

Buy This: Software Updates

I know what you're thinking. "Updates are free. Why is this in the 'buy this' section?"

Because the real cost is time. And because too many small businesses treat updates like that pile of paperwork in the corner. Something to get around to eventually.

Updates fix the holes that attackers crawl through. That Windows update you've been postponing for three weeks? It might be patching exactly the vulnerability someone's trying to exploit right now.

We have a rule now: updates within one week. No exceptions. Yes, even the ones that require a restart. Yes, even when Kev's in the middle of something.

The twenty minutes it takes is cheaper than the twenty days it takes to recover from a breach.

Skip This: Consultants Who Speak Only in Jargon

If someone's trying to sell you security services and you can't understand a word they're saying, walk away.

Good security advice should make you feel clearer, not more confused. The best consultants translate complex stuff into plain English. They meet you where you are and explain what you actually need to do.

The ones drowning you in acronyms and technical terms? Often they're hiding a simple truth behind complicated language because simple truths are harder to charge five grand for.

The Bottom Line

Eighteen months ago, I thought cyber security was for other businesses. Bigger businesses. Businesses with money and IT teams and time to spare.

I was wrong.

It's for all of us. And it doesn't have to cost a fortune.

Cyber Essentials: do it.
Backups: test them.
Training: make it regular.
Updates: stop postponing them.

Everything else? Most of it can wait until you're ready. And by "ready" I mean profitable enough that four-figure security investments don't make you feel sick.

Start with what matters. Skip what doesn't. And remember: perfect security doesn't exist, but good enough security absolutely does.

Good enough kept my business safe. It can keep yours safe too.


Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt who still gets nervous when Danny starts talking about "zero trust architecture." Some things never change.
