
Introduction to Cyber Security for Small Businesses

15th November 2017 by Alex Bateman in Virtual College. Last updated on 24th April 2018.


The collection and use of customer data, and the increasingly large amount of data that businesses store about themselves, means that cyber security has become a consideration for companies of every size. In fact, business security is now primarily about the digital world rather than anything physical. As a result, it’s very important that even small businesses understand what they need to do to keep their own business systems and information safe, along with their customers’ data. Failure to do so might mean severe financial difficulties, lawsuits, and even criminal prosecution. In this article, we’re going to briefly introduce you to what the law says about cyber security, how you can get better at it, and where you can find further resources.

The Law & GDPR

Currently, there are few laws that directly set out your specific obligations for preventing cyber security incidents, but the Data Protection Act 1998 does insist that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This ultimately means that it is your legal responsibility to keep consumer data safe, and you should do everything you can to do so. Naturally, these same techniques will apply to keeping your own business data safe.

This is further reinforced by the upcoming GDPR regulation.

The General Data Protection Regulation (EU Regulation 2016/679) was agreed in 2016, and comes into force on May 17th of 2018. It is a hugely important development for cyber security, because it makes illegal a number of practices that would previously have been widespread. In short, it means that anyone collecting or handling EU citizens’ data must have a genuine, legally defensible reason for doing so, which in most cases will require consent. Data collection must also be transparent, and people can request access to or erasure of their data. In addition, GDPR makes the reporting of data breaches in a reasonable timeframe a legal requirement. This is particularly important to cyber security.

Types of Cyber Security Incident

Cyber security incidents can take numerous forms, and are increasing in their complexity and impact. In order to help categorise them and plan mitigation for specific events, the National Cyber Security Centre has outlined four major categories. They are the following:

  • attempts to gain unauthorised access to a system and/or to data - This means that the mere attempt to get into a system without permission is considered an incident. This could range from something as minor as someone trying to guess their colleague’s password to a major attempt to break into a business’s financial data.
  • the unauthorised use of systems and/or data - This is when a malicious party actually gains access to your business software, hardware or data and uses it. For small businesses, this could be when a hacker manages to break in and steal customer data to be ransomed or sold.
  • modification of a system's firmware, software or hardware without the system-owner's consent - Viruses and other types of malware are well understood by most internet users, and they might modify software or hardware to make it unusable, or inaccessible.
  • malicious disruption and/or denial of service - Cyber criminals can cause problems without actually gaining access to networks. By overloading them, they can stop them from working properly, which can cost businesses a lot of money.

Data Breach Prevention

There are a huge number of things that you can do as a small business to prevent incidents such as those detailed above from happening, and it can be difficult to figure out exactly where to begin, especially if you are a small business with either no IT department, or a very small one. Fortunately, there are a number of UK Government initiatives and international standards and certifications that can be used to make sure that you’re doing everything you can as a small business. Two of the most important are ISO 27001 and the Cyber Essentials Scheme. The former is for smaller businesses with significant cyber security needs, and the latter is useful for all businesses.

For more information on how adhering to these schemes can help you guard against cyber security incidents, read our article which explains what they contain here.

However, some of the main points that all small businesses should think about are the following:

  • Have your business systems and network been set up correctly to guard against attacks?
  • Are permissions management policies in place to ensure that only the right people have access to the right data? This can be as basic as having a password policy for computers.
  • Do computers have the right malware protection software on them? This can help prevent viruses and other software from causing issues.
  • Is everything up-to-date? Cyber criminals often rely on exploiting known vulnerabilities, which software providers patch quickly when found, but those patches still need to be installed by users.
  • Is everyone relevant trained to understand what their responsibilities are and how they can prevent cyber crime? This might even mean basic training on how to avoid phishing scams.

GDPR Education and Training

Proper understanding of cyber security is vital for preventing serious incidents from occurring, which is why it is recommended that those responsible undertake training. Dedicated IT employees should have accredited qualifications where possible, but it is useful for just about any employee to have an understanding of what cyber security means for small businesses.

Virtual College offers two cyber security courses that will be useful for small businesses that wish to ensure their employees are clued up. The first is our Introduction to Cyber Security course, which will help any SME get to grips with protecting their business. The second is Data Protection at Work, which will help you stay on the right side of the law when it comes to holding other people's data.


Author: Alex Bateman

Alex is interested in the strategic application of learning and development. In particular how organisations can promote engagement with ongoing learning campaigns. He spends his spare time renovating his Victorian house. Ask him about his floors, I dare you.
