A love letter to passwords, updates, and backups
Why 'Boring' Security is Better for Business
I went to a cyber security conference last year.
The exhibition hall was wild. Vendors everywhere, promising the future of security. AI-powered threat detection. Machine learning behavioural analytics. Next-gen endpoint protection with quantum-resistant encryption. Dashboards that looked like something from a sci-fi film.
I walked around for an hour, collecting brochures, nodding at demos, feeling increasingly inadequate about our setup at Simpson & Sons.
Then I got chatting to a guy at the coffee stand. Turned out he worked in incident response - the people who come in after a breach to figure out what happened.
"What actually causes most breaches?" I asked. "The sophisticated stuff? Zero-days? Nation-state attacks?"
He laughed so hard he nearly spilled his coffee.
"Mate," he said. "It's passwords. It's unpatched software. It's someone clicking a dodgy link. Every single time."
That conversation changed how I think about security.
The Shiny Object Problem
The cyber security industry has a marketing problem. The boring stuff doesn't sell.
Nobody's going to a conference to hear about password policies. Nobody's writing breathless LinkedIn posts about the importance of software updates. Nobody's getting venture capital funding for a startup that just... reminds people to do backups.
So the industry sells excitement. Advanced persistent threats. Sophisticated attack vectors. AI-powered everything.
And small business owners hear this and think: "I can't afford that. I can't understand that. Security isn't for businesses like mine."
Meanwhile, the actual threats they face - the ones that will actually hit them - are completely preventable with boring, basic, affordable measures.
It's a massive disconnect. And it's costing businesses everything.
What Actually Gets You
Let me tell you what actually causes breaches in small businesses. Not theoretically. Actually.
Weak passwords. Still, in 2024, the most common cause. "Password123". "CompanyName2023". "Welcome1". Guessed, cracked, or stolen, then used to walk straight in.
Unpatched software. Known vulnerabilities that have known fixes that haven't been applied. The digital equivalent of leaving your door unlocked because you couldn't be bothered to turn the key.
Phishing emails. Someone clicks a link. Enters their credentials on a fake page. Hands the keys over without realising.
No backups. Ransomware hits, everything's encrypted, and there's no way to recover because nobody bothered to save copies anywhere else.
Shared accounts. Everyone using the same login. No way to know who did what. No way to revoke access when someone leaves.
That's it. That's what actually gets businesses. Not sophisticated nation-state hackers. Not AI-powered attacks. Just... the basics, neglected.
The Boring List
Here's what boring security looks like:
Strong, unique passwords. A different password for every system. Long enough to be unguessable - three or four random words, or whatever your password manager generates - and stored in that password manager so you don't have to remember them.
Multi-factor authentication. Something you know (password) plus something you have (an authenticator app or hardware key rather than an SMS code, where you have the choice). Even if someone gets your password, they can't get in without the second factor.
Regular updates. Operating systems, applications, browsers - all patched within 14 days of a fix being released, which is also what Cyber Essentials requires for critical and high-risk updates. Preferably faster.
Working backups. Regular, automated, tested (you have actually restored from them, not just watched the job report success), and stored separately from your main systems so ransomware can't reach them. So when things go wrong, you can recover.
Basic training. Staff who know what a phishing email looks like. Who know to check before clicking. Who know it's okay to ask if something seems weird.
Access control. Each person with their own account. Minimum necessary permissions. Access removed when people leave.
That's boring security. No AI. No machine learning. No quantum anything. Just... doing the basics, consistently.
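The "tested" in "working backups" is the step most people skip, so here is an added example (mine, not Simpson & Sons' own tooling or anything from the original post) of a small POSIX shell routine that takes a backup, records its digest, and then proves the backup restores by extracting it into scratch space and diffing the result against the source. The directory names, the sample files and the choice of tar plus SHA-256 are assumptions for illustration; it also assumes sha256sum or shasum is installed.

```sh
#!/bin/sh
# Added example: "backup, then prove it restores". Not Simpson & Sons' tooling;
# paths, names and the sample data below are assumptions for illustration.
set -eu

# Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# take_backup SRC_DIR BACKUP_DIR
# Writes a timestamped tar.gz of SRC_DIR into BACKUP_DIR plus a .sha256 file
# holding its digest, and prints the archive path. BACKUP_DIR belongs on a
# separate disk, host or bucket: a backup that ransomware can encrypt along
# with everything else is not a backup.
take_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/backup-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$archive" -C "$src" .
    sha256_of "$archive" > "$archive.sha256"
    echo "$archive"
}

# verify_backup ARCHIVE [SRC_DIR]
# 1. recompute the digest and compare it with the recorded one (catches a
#    truncated write or bit-rot in storage);
# 2. restore into a scratch directory (catches a corrupt or empty archive);
# 3. if SRC_DIR is given, diff the restore against it (catches "we backed
#    up the wrong folder"). Returns 0 only when every step passes.
verify_backup() {
    archive="$1"; src="${2:-}"
    recorded=$(cat "$archive.sha256" 2>/dev/null) || {
        echo "FAIL no recorded digest for $archive" >&2; return 1; }
    if [ "$recorded" != "$(sha256_of "$archive")" ]; then
        echo "FAIL digest mismatch for $archive" >&2; return 1
    fi
    scratch=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"; echo "FAIL $archive does not extract" >&2; return 1
    fi
    if [ -n "$src" ] && ! diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"; echo "FAIL restore of $archive differs from $src" >&2; return 1
    fi
    rm -rf "$scratch"
    echo "OK $archive"
}

# Demo on constructed sample data: run as `sh backup_check.sh demo`.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/data/sub"
    printf 'invoice 0001\n' > "$work/data/invoices.txt"   # constructed sample
    printf 'site notes\n' > "$work/data/sub/notes.txt"    # constructed sample
    archive=$(take_backup "$work/data" "$work/offsite")
    verify_backup "$archive" "$work/data"
    rm -rf "$work"
fi
```

Run it with `demo` to see it on the constructed sample data; in real use, point the backup directory at a separate disk, host or cloud bucket and run verify_backup on a schedule, because a backup you have never restored from is a hope, not a backup.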
Why Boring Works
Here's the thing about the boring stuff: it works because attackers are lazy.
I don't mean that as an insult. It's rational. If you're a criminal trying to make money, you're not going to spend weeks crafting a sophisticated attack against a specific target when you can send out a million phishing emails and catch hundreds of people who haven't been trained.
You're not going to develop a zero-day exploit when there are thousands of businesses running unpatched software with known vulnerabilities.
You're not going to bother with advanced techniques when "Password123" still works on a depressing number of systems.
Criminals are looking for easy targets. Boring security makes you not an easy target. That's it. That's the whole strategy.
The sophisticated attacks exist, sure. Nation-states have scary capabilities. But they're not targeting a lubricant supplier in an industrial estate. They're not targeting your accountancy firm or your marketing agency or your manufacturing business.
You don't need to defend against the NSA. You need to defend against opportunistic criminals looking for the easiest possible win. Boring security does that.
The Cost Comparison
Let's talk money.
AI-powered endpoint detection platform: £50-100+ per device per month. For a business with twenty devices, that's £12,000-24,000 per year.
Password manager: £3-5 per user per month. For twenty users, that's £720-1,200 per year.
Multi-factor authentication: Often free (Microsoft Authenticator, Google Authenticator) or included in your existing subscriptions.
Software updates: Free. Just time to apply them.
Backups: Basic cloud backup, maybe £10-20 per month. £120-240 per year.
Staff training: Free resources from NCSC, or cheap online courses. A few hundred quid at most.
Cyber Essentials certification: £300-500, proves you've got the boring stuff in place.
The boring approach costs maybe £2,000-3,000 per year total. The flashy approach costs ten times that. And the boring approach stops most attacks, while the flashy approach is solving problems you probably don't have.
I know which one makes more sense for a small business.
But What About...
I can hear the objections.
"But what if we face a sophisticated attack?"
You probably won't. And if you do, no amount of spending will guarantee protection. Nation-state attackers have essentially unlimited resources. The game there is detection and response, not prevention. For small businesses, the ROI on advanced protection against advanced threats is basically zero.
"But the vendors say we need this stuff."
Vendors say that because they sell that stuff. They're not lying - their products do what they claim. But they're solving problems that aren't your problems. The vendor selling AI-powered threat detection isn't going to tell you that a password manager would help you more. There's no commission in boring.
"But we want to be really secure."
Great. Do the boring stuff first. Get Cyber Essentials certified. Implement all the basics properly. Then, if you've got budget left and you're genuinely facing sophisticated threats, look at the advanced stuff. But most businesses never get to that point because the basics are enough.
"But boring is... boring."
Yeah. That's the point. Security shouldn't be exciting. If your security is exciting, something's probably gone wrong. The best security is invisible, running quietly in the background, stopping threats you never even know about.
The Simpson & Sons Approach
Let me tell you what we actually use.
Password manager. MFA on everything. Automatic updates enabled across all devices. Cloud backups running nightly. Quarterly security training that takes fifteen minutes. Cyber Essentials certified and renewed annually.
That's it. That's our security stack. Boring as anything.
And in four years, we haven't had a single successful attack. Not one. We've had attempts - phishing emails, dodgy links, opportunistic scanners - but nothing's got through.
Because we're not an easy target. And the criminals move on to someone who is.
Meanwhile, I know businesses spending ten times what we spend who've still had incidents. Because they bought the flashy stuff but forgot to change the default passwords. Because they've got AI-powered detection but their staff still click on anything that lands in their inbox.
The advanced tools don't help if the basics aren't in place. And if the basics are in place, you might not need the advanced tools at all.
The Boring Security Checklist
If you take nothing else from this post, take this checklist:
☐ Password manager deployed, everyone using it
☐ Multi-factor authentication on all critical systems
☐ Automatic updates enabled everywhere
☐ Backups running, tested, stored separately
☐ Staff trained on phishing and basic security
☐ Individual accounts, no sharing, access controlled
☐ Cyber Essentials certified
That's boring security. That's what actually protects a small business. That's what stops the attacks that actually happen.
No AI required. No machine learning. No quantum-resistant anything.
Just the basics. Done properly. Consistently.
Boring wins.
Danny Preece is Head of Technical Sales at Simpson & Sons and an SME Cyber Resilience Consultant with TransCrypt. He has a "Boring Security Enthusiast" mug that he uses specifically to annoy vendors at conferences. It works.