In fifteen years of supporting South Wales businesses, we've conducted hundreds of IT security audits. The same vulnerabilities come up time and again, not because business owners don't care, but because they're busy running a business and nobody has ever told them these things need fixing.
Here are the five most common mistakes, and exactly what to do about each one.
1. Not using Multi-Factor Authentication (MFA)
This is the single most impactful security improvement most businesses can make, and it costs nothing extra: it is included with Microsoft 365. MFA means that even if someone steals your password, they still can't log in without a second verification, usually a prompt or code from an authenticator app on your phone.
Yet the majority of South Wales SMEs we audit have MFA disabled on Microsoft 365, their email, and their cloud services. A stolen password is all an attacker needs to read your entire email history, files and contacts, and, if you bank online, to go after financial accounts too.
The fix: Enable MFA on Microsoft 365 immediately. The setting now lives in the Microsoft Entra admin center (entra.microsoft.com, the renamed Azure Active Directory, also linked from admin.microsoft.com). For a small tenant the quickest route is to turn on Security defaults (Identity > Overview > Properties), which makes every user register for MFA and blocks the old sign-in protocols that skip it; larger tenants enforce it with Conditional Access policies instead. Steer staff towards the Microsoft Authenticator app rather than SMS codes: a text message is far better than nothing, but it can be captured by SIM-swapping. It takes about 30 minutes to roll out to your whole team, plus a few minutes per person to enrol their phone. We can do this for you as part of a free Microsoft 365 health check.
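The same check as a script, added here as an example and not part of the original article or of Microsoft's own tooling: it lists users with no MFA registered, users whose only second factor is a phone number, and whether Security defaults are on, using the Microsoft Graph PowerShell SDK. The permission scopes and the method names in $strongMethods are taken from our reading of the Graph documentation and may need adjusting for your tenant.

```powershell
# Added example, not part of the original article. Needs the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an admin sign-in.
# The scopes are assumptions; adjust if the consent prompt asks for more.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All' -NoWelcome

# One row per user: IsMfaRegistered, IsMfaCapable, IsAdmin, MethodsRegistered.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Method names as they appear in the Graph registration report (assumed list).
$strongMethods = @(
    'microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
    'softwareOneTimePasscode', 'fido2SecurityKey',
    'windowsHelloForBusiness', 'passKeyDeviceBound'
)

$noMfa = $report | Where-Object { -not $_.IsMfaRegistered }

# Registered, but every method is a phone call or SMS (SIM-swap and
# interception risk): worth a follow-up even though the box is ticked.
$phoneOnly = $report | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $strongMethods -contains $_ })
}

"Users with no MFA registered: $(@($noMfa).Count)"
$noMfa | Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

"Users whose only second factor is phone/SMS: $(@($phoneOnly).Count)"
$phoneOnly |
    Select-Object UserPrincipalName, @{n='Methods'; e={ $_.MethodsRegistered -join ',' }} |
    Format-Table -AutoSize

# Security defaults force MFA registration for everyone and block legacy
# protocols that bypass MFA. Cheapest fix for a small tenant that has no
# Conditional Access policies (the two cannot be combined).
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"
if (-not $sd.IsEnabled) {
    # To turn on (needs Policy.ReadWrite.ConditionalAccess in the scopes above):
    # Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    'Security defaults are OFF: enable them, or enforce MFA with Conditional Access.'
}

# Keep the evidence for the audit file.
$report | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
    @{n='Methods'; e={ $_.MethodsRegistered -join ',' }} |
    Export-Csv -Path '.\mfa-registration-report.csv' -NoTypeInformation
```

Run it before and after the rollout: the "no MFA" count should reach zero, and any admin account left in the phone-only list is the one to fix first, because that is the account an attacker will go for.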
2. Ignoring software and Windows updates
We regularly find South Wales businesses running Windows machines with updates months or years behind. In 2017, the WannaCry ransomware attack infected over 200,000 computers in 150 countries by exploiting a Windows vulnerability that Microsoft had already patched two months earlier (MS17-010, March 2017). The NHS lost an estimated £92 million.
Every unpatched vulnerability is an open door. Attackers don't pick businesses individually; they scan the whole internet for known vulnerabilities at scale, so an unpatched, internet-facing machine will be found, and quickly.
The fix: Enable automatic Windows updates and keep all business software current: browsers, Office, PDF readers, remote-access tools, and the firmware on your router and firewall, which is the update most often forgotten. With a managed IT support contract, we handle patch management silently in the background, so you never need to think about it.
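The check we run on each Windows machine during an audit, shown here as an added example rather than code from the original article. It reads the documented Windows Update policy values, the last installed hotfix, and the list of updates still waiting via the Windows Update Agent COM API; the 30-day and 7-day thresholds are our own choice.

```powershell
# Added example, not part of the original article: a one-machine patch posture
# check. Run as administrator on the PC or server being audited.

# 1. Is automatic updating switched off by policy?
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    'FAIL: automatic updates are disabled by policy (NoAutoUpdate=1)'
} elseif ($au -and $au.AUOptions) {
    "INFO: AUOptions=$($au.AUOptions) (4 = download and install on schedule; 2 or 3 wait for a human)"
} else {
    'INFO: no update policy set; Windows default (automatic) applies'
}

# 2. When was the last update actually installed? Get-HotFix only lists
#    QFE-style updates, so treat this as a rough lower bound, not the full story.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($last) {
    $days = [int]((Get-Date) - $last.InstalledOn).TotalDays
    $verdict = if ($days -gt 30) { 'FAIL' } else { 'OK' }
    "${verdict}: last hotfix $($last.HotFixID) installed $days days ago"
}

# 3. What is waiting to be installed? The Windows Update Agent asks the same
#    update source the machine normally uses (Windows Update or WSUS).
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = @()
foreach ($u in $result.Updates) {
    $pending += [pscustomobject]@{
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        AgeDays  = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
        Title    = $u.Title
    }
}
$urgent = $pending | Where-Object { $_.Severity -in @('Critical', 'Important') }

"Pending updates: $($pending.Count), of which Critical/Important: $(@($urgent).Count)"
$pending | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# WannaCry-style exposure is exactly this: a Critical update sitting unapplied
# for weeks. Anything Critical or Important older than a week goes on today.
$overdue = $urgent | Where-Object { $_.AgeDays -gt 7 }
if ($overdue) { "FAIL: $(@($overdue).Count) Critical/Important update(s) more than a week old" }
```

A machine that passes all three checks can still be exposed through third-party software the Windows Update Agent knows nothing about, which is why the fix above lists browsers, PDF readers and firmware separately.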
3. Reusing passwords across accounts
When a data breach happens, and hundreds happen every year, the stolen usernames and passwords are typically sold or posted on criminal forums within hours. Attackers then feed those credentials into automated tools that try them on thousands of other services. This is called credential stuffing.
If your staff use the same password for their work email as they do for Netflix, a breach of Netflix's database hands an attacker your company email. We regularly find breached credentials for South Wales businesses during dark web monitoring scans, belonging to staff who had no idea their details were compromised.
The fix: Roll out a password manager (we recommend Bitwarden, which has a free tier and inexpensive per-user business plans) and enforce a policy of unique, manager-generated passwords for every business account, so that a breach elsewhere exposes exactly one login and nothing else. Ask us about dark web monitoring to find out if your credentials are already out there.
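How a "has this password already leaked?" check works without handing the password to anyone, as an added example that is not part of the original article: the Have I Been Pwned Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix, so the comparison happens on your own machine (k-anonymity). The User-Agent string and the sample response are our own; the real API URL is shown in the default lookup.

```powershell
# Added example, not from the original article. Only a 5-character hash prefix
# ever leaves the machine; the password and its full hash stay local.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) }
    finally { $sha1.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Takes a 5-character hash prefix, returns the "SUFFIX:COUNT" lines.
        # Default calls the live API; pass a stub to run offline.
        [scriptblock]$RangeLookup = {
            param([string]$Prefix)
            Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$Prefix" `
                -Method Get -UserAgent 'sme-audit-example/1.0'
        }
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    $body   = [string](& $RangeLookup $prefix)

    foreach ($line in ($body -split "`r?`n")) {
        $parts = $line.Trim().Split(':')
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            return [int]$parts[1]      # number of breach records containing it
        }
    }
    return 0                           # never seen in a known breach
}

# Constructed stand-in for the live /range/5BAA6 response (real line format,
# made-up counts; 'password' genuinely is in the corpus). Ignores the prefix.
$offlineStub = {
    param([string]$Prefix)
    @(
        '0018A45C4D1DEF81644B54AB7F969B88D65:1',
        '1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824',
        '1E9B5E2F3A6A9A5C1B0A4D0F6C2E8B7D9A1:3'
    ) -join "`r`n"
}

Test-PwnedPassword -Password 'password' -RangeLookup $offlineStub                   # 9545824
Test-PwnedPassword -Password 'Penguin-Harbour-Kettle-41!' -RangeLookup $offlineStub # 0
# Test-PwnedPassword -Password 'password'     # live lookup: also non-zero
```

The right place for this check is the moment a password is set, not a spreadsheet of staff passwords collected after the fact: Entra ID's banned-password protection does it for Microsoft 365 accounts, and Bitwarden's vault health reports flag exposed passwords already stored in the manager.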
4. No backup, or a backup that's never been tested
Ransomware encrypts your files and demands payment for the decryption key. The only reliable defence is a clean, tested backup you can restore from, kept somewhere the ransomware can't reach: modern ransomware looks for connected backup drives and network shares and encrypts those first, so at least one copy must be offline or in cloud storage the infected machine cannot delete or overwrite. Yet most small businesses either have no backup, or have a backup that hasn't been verified in years.
We've had conversations with business owners who thought they had a backup, only to discover that the backup drive had failed 18 months earlier and had been silently doing nothing since. They found out during the recovery attempt after a ransomware attack.
⚠️ A backup that hasn't been tested is not a backup. The only backup that counts is one you've successfully restored from.
The fix: Implement Datto cloud backup, which automatically verifies every backup and sends you a daily report. Backups run hourly, are stored both locally and offsite, and can restore individual files or entire systems in minutes. Whatever product you use, schedule a real restore test (a file, then a whole machine) at least quarterly: an automated "backup succeeded" message is not the same as a restore you have watched work. We include this in our Professional IT support tier.
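A minimal scheduled restore test, added here as an example and not code from the original article or from any backup product: it flags a backup that has stopped changing (the failed-drive story above) and a backup whose restored files no longer match the live data, by actually copying the backup out and comparing file hashes. The folder paths and the 24-hour freshness limit are placeholders for your own.

```powershell
# Added example, not part of the original article or of any backup product.
function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$BackupDir,
        [int]$MaxAgeHours = 24
    )
    $problems = @()

    # 1. Freshness: a backup that last changed weeks ago is a dead backup.
    $newest = Get-ChildItem -Path $BackupDir -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return @("Backup location '$BackupDir' is empty or unreachable") }
    $ageHours = ((Get-Date) - $newest.LastWriteTime).TotalHours
    if ($ageHours -gt $MaxAgeHours) {
        $problems += "Newest backup file is $([int]$ageHours) hours old (limit $MaxAgeHours)"
    }

    # 2. Restore to a scratch folder and compare hashes, not just names and sizes.
    $scratch = Join-Path ([System.IO.Path]::GetTempPath()) ('restore-test-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        Copy-Item -Path (Join-Path $BackupDir '*') -Destination $scratch -Recurse -Force
        foreach ($src in Get-ChildItem -Path $SourceDir -Recurse -File) {
            $rel      = $src.FullName.Substring($SourceDir.TrimEnd('\').Length).TrimStart('\')
            $restored = Join-Path $scratch $rel
            if (-not (Test-Path -LiteralPath $restored)) {
                $problems += "Missing from restore: $rel"
                continue
            }
            $a = (Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash
            $b = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
            if ($a -ne $b) { $problems += "Content differs (stale or corrupt backup): $rel" }
        }
    } finally {
        Remove-Item -LiteralPath $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
    return $problems
}

# Constructed demo data in the temp folder: live files and a copy made by "the backup".
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'backup-demo'
$src  = Join-Path $root 'source'
$bak  = Join-Path $root 'backup'
New-Item -ItemType Directory -Force -Path $src, $bak | Out-Null
Set-Content -Path (Join-Path $src 'invoices.csv') -Value 'id,amount', '1,100'
Set-Content -Path (Join-Path $src 'clients.txt')  -Value 'Acme Ltd'
Copy-Item -Path (Join-Path $src '*') -Destination $bak -Recurse -Force

Test-BackupRestore -SourceDir $src -BackupDir $bak      # returns nothing: healthy

# Now the live data changes but the backup job has silently stopped running.
Add-Content -Path (Join-Path $src 'invoices.csv') -Value '2,250'
Test-BackupRestore -SourceDir $src -BackupDir $bak      # "Content differs ...: invoices.csv"

Remove-Item -LiteralPath $root -Recurse -Force
```

Run it from a scheduled task and alert on any non-empty result. It tests a file-copy backup; for image-level or cloud products the same principle applies, but the "restore" step is the product's own restore of a test machine or folder, watched by a person.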
5. Staff who can't recognise a phishing email
Most successful cyber attacks begin with a phishing email; industry surveys regularly put the figure above 90%. A convincing email that appears to come from HMRC, your bank, Microsoft or a supplier tricks a staff member into clicking a link or entering credentials. Modern phishing emails are extraordinarily convincing: they use your company's logo, reference real invoice numbers, and arrive from lookalike domains or spoofed sender addresses that pass a quick glance.
Technology can filter out most phishing attempts, but some always get through. Your last line of defence is a staff member who knows what to look for, and knows to verify before they click: phone the supplier on a number you already hold, never one taken from the email.
The fix: Two things. First, implement proper email filtering (Microsoft Defender for Office 365 or a dedicated solution), and publish SPF, DKIM and DMARC records for your own domain so that other people's mail servers can reject messages that pretend to come from you. Second, run staff security awareness training, ideally with simulated phishing emails; it can be done online in under an hour per person and dramatically reduces click rates. Make reporting easy: a Report button in Outlook gets used far more than "forward it to IT". We offer both as part of our cyber security packages.
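The spoofing half of that fix, as an added example that is not part of the original article: a check of whether a domain's published SPF and DMARC records actually let receiving mail servers reject mail sent in its name. The analysis function runs on constructed records so the logic can be followed offline; the second function feeds it live DNS answers. The domain example.co.uk is a placeholder, not a customer.

```powershell
# Added example, not from the original article. Checks the SPF and DMARC
# records that stop other people sending mail as your domain.

function Get-MailAuthFindings {
    param([string[]]$SpfRecords, [string[]]$DmarcRecords)
    $findings = @()

    $spf = @($SpfRecords | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0) {
        $findings += 'No SPF record: anyone can send mail claiming to be this domain'
    } elseif ($spf.Count -gt 1) {
        $findings += 'More than one SPF record (receivers treat this as a permanent error)'
    } else {
        switch -Regex ($spf[0]) {
            '\s\+all$'   { $findings += 'SPF ends in +all: every sender on earth is authorised' }
            '\s\?all$'   { $findings += 'SPF ends in ?all (neutral): spoofed mail is not penalised' }
            '\s[-~]all$' { }   # -all (fail) or ~all (softfail): fine
            default      { $findings += 'SPF has no terminating all mechanism' }
        }
    }

    $dmarc = @($DmarcRecords | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -eq 0) {
        $findings += 'No DMARC record: SPF/DKIM failures are not acted on and you get no reports'
    } else {
        $policy = if ($dmarc[0] -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
        if ($policy -eq 'none' -or $policy -eq 'missing') {
            $findings += "DMARC policy is p=$policy : spoofed mail is still delivered; move to quarantine, then reject"
        }
        if ($dmarc[0] -notmatch 'rua=') {
            $findings += 'DMARC has no rua= address: nobody receives the aggregate reports'
        }
    }
    return $findings
}

function Get-MailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = { param($n) Resolve-DnsName -Name $n -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } }
    $f = Get-MailAuthFindings -SpfRecords (& $txt $Domain) -DmarcRecords (& $txt "_dmarc.$Domain")
    [pscustomobject]@{ Domain = $Domain; Findings = $f }
}

# Constructed records for a typical "set it up once and forgot" Microsoft 365 tenant.
$weakSpf   = @('v=spf1 include:spf.protection.outlook.com ~all', 'some-verification-token=abc')
$weakDmarc = @('v=DMARC1; p=none')
Get-MailAuthFindings -SpfRecords $weakSpf -DmarcRecords $weakDmarc
# -> DMARC policy is p=none : spoofed mail is still delivered; ...
# -> DMARC has no rua= address: ...

$goodDmarc = @('v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk')
Get-MailAuthFindings -SpfRecords $weakSpf -DmarcRecords $goodDmarc   # -> nothing

# Get-MailAuthPosture -Domain 'example.co.uk'    # live DNS lookup
```

DMARC protects other people from mail forged in your name; for the mail arriving at your own staff, the equivalent check is that spoof intelligence and mailbox intelligence are switched on in your Defender for Office 365 anti-phishing policy (visible with Get-AntiPhishPolicy in Exchange Online PowerShell).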
Where to start
If you're feeling overwhelmed, start with MFA. It's fast, it costs nothing extra, and it's the single most impactful change you can make today. Then work through the rest of the list in order.
If you'd like us to review your current setup, we offer a free cyber security audit for South Wales businesses. We'll review your entire security posture, identify your vulnerabilities, prioritise them by risk, and give you a clear, plain-English action plan, with no obligation to use our services.