Cyber Security Basics — UK Small Business

Backup & MFA Basics for Small Businesses

Two controls stop the vast majority of cyber attacks on UK small businesses: reliable backups and multi-factor authentication. This guide shows you exactly how to set both up — no jargon, no big budgets.

Why Backups and MFA Are the Two Controls That Matter Most

The UK Government's Cyber Security Breaches Survey consistently shows that small businesses are the most likely to suffer a cyber incident yet the least likely to have basic protections in place. Ransomware can encrypt every file on your network in minutes. A single stolen password can give attackers access to email, invoicing, and customer data.

The good news: following sound backup practice and enabling multi-factor authentication across your accounts blocks the two most common attack paths. Both are free or very low-cost, and both are required for Cyber Essentials certification.

  • 80% of ransomware victims with tested backups recover without paying
  • 99% of account-takeover attacks are blocked by enabling MFA

How to Backup a Small Business — the 3-2-1 Rule

The 3-2-1 backup rule is the gold standard recommended by the National Cyber Security Centre (NCSC) and the cornerstone of good backup practice for UK businesses. It is simple:

  • 3: Three copies. Keep at least three copies of every critical file: the original plus two backups.
  • 2: Two different media. Store backups on two different types of storage, e.g. a local NAS and a cloud service.
  • 1: One off-site. Keep one backup off-site or in the cloud so fire, theft, or flooding cannot destroy all copies.

Making Your Backups Ransomware-Proof

A standard backup is not enough if ransomware can reach it. To create a truly ransomware-proof backup for your small business, follow these additional steps:

  • Use immutable or write-once storage so backups cannot be overwritten or deleted
  • Air-gap at least one backup — disconnect it from the network after each run
  • Encrypt backups in transit and at rest
  • Automate daily backups so they happen without human intervention
  • Test a full restore at least once per quarter — a backup you have never tested is not a backup
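The "test a full restore" step above, as an added example that is not part of the original guide: the script archives a folder, records a SHA-256 manifest at backup time, then restores into a scratch directory and reports any file that is missing, changed, or unexpected. It assumes a local tar.gz archive and only the Python standard library; the folder and archive paths are whatever you pass in.

```python
# Added example, not from the original guide. Assumes a local tar.gz archive
# and only the Python 3.8+ standard library.
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> dict:
    """Archive every file under source and return the manifest of hashes taken
    at backup time. Store the manifest with the backup, not only on the machine
    being backed up, so a later restore can be checked against it."""
    manifest = hash_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and return a list of problems.
    An empty list means every file came back byte-for-byte identical:
    this is the quarterly test restore done in code."""
    problems = []
    # Use the safe 'data' extraction filter where this Python version has it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **opts)
        restored = hash_tree(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    problems += [f"unexpected file: {rel}" for rel in restored if rel not in manifest]
    return problems
```

Run it against a copy of the backup that has been pulled back from the off-site location, not against the live data, so the check exercises the same path a real recovery would.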

How to Set Up MFA for Your Small Business

Multi-factor authentication (MFA) adds a second verification step — usually a code from an authenticator app or a push notification — so a stolen password alone is not enough to access an account. Rolling out MFA across a small business is one of the highest-impact security improvements you can make, and Microsoft, Google, and most cloud providers now offer it at no extra cost.

MFA for Microsoft 365 Small Business

Microsoft 365 is the most common business email and productivity platform in the UK. Enabling MFA on Microsoft 365 protects email, SharePoint, OneDrive, and Teams in one step:

  1. Sign in to the Microsoft Entra admin centre (entra.microsoft.com).
  2. Navigate to Protection > Authentication methods > Policies.
  3. Enable Microsoft Authenticator for all users (or start with a pilot group).
  4. Ask each user to install the Microsoft Authenticator app on their phone and register.
  5. Turn on Security Defaults or create a Conditional Access policy so MFA is required for every sign-in.

For a deeper walkthrough, see our blog post: Multi-Factor Authentication — How to Actually Roll It Out Across Your Business.

Multi-Factor Authentication Rollout — Best Practice

A successful MFA rollout across any business follows a predictable pattern:

  • Audit every account that can reach company data — email, cloud storage, accounting, VPN
  • Prioritise admin and finance accounts first — they are the highest-value targets
  • Choose authenticator apps over SMS codes — SMS is vulnerable to SIM-swap attacks
  • Communicate clearly — explain why MFA is being introduced and give step-by-step instructions
  • Set a deadline and enforce it — optional MFA never reaches 100% adoption
  • Issue backup recovery codes and store them securely in case staff lose their device
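The audit and prioritisation steps above, as an added example that is not part of the original guide: it reads an MFA registration export and ranks accounts so admin and finance users without an authenticator app are fixed first, with SMS-only users queued for an upgrade. The CSV column names and every row are constructed for illustration; map them to the columns of your own Microsoft Entra or Google Workspace export before use.

```python
# Added example, not from the original guide. Column names and rows below are
# constructed; real Entra/Google exports use their own headings.
import csv
import io

SAMPLE_EXPORT = """\
user,roles,mfa_registered,methods
owner@example.co.uk,Global Administrator,yes,Microsoft Authenticator
finance@example.co.uk,Accounts Payable,yes,SMS
sales@example.co.uk,,no,
it.admin@example.co.uk,Exchange Administrator,no,
reception@example.co.uk,,yes,Microsoft Authenticator
"""

# Role keywords that mark a high-value account (assumed list; extend for your firm).
HIGH_VALUE_HINTS = ("administrator", "admin", "finance", "accounts", "payroll", "director")
# Methods exposed to SIM-swap; present but not good enough on their own.
WEAK_METHODS = {"sms", "voice"}


def is_high_value(roles: str) -> bool:
    return any(hint in roles.lower() for hint in HIGH_VALUE_HINTS)


def triage(csv_text: str) -> list:
    """Return (priority, user, action) tuples, most urgent first.
    1: high-value account with no MFA   2: high-value account on SMS/voice only
    3: any other account with no MFA    4: any other account on SMS/voice only"""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        high_value = is_high_value(row["roles"])
        registered = row["mfa_registered"].strip().lower() == "yes"
        methods = {m.strip().lower() for m in row["methods"].split(";") if m.strip()}
        if not registered:
            findings.append((1 if high_value else 3, row["user"], "enrol in authenticator app"))
        elif methods and methods <= WEAK_METHODS:
            findings.append((2 if high_value else 4, row["user"], "replace SMS with authenticator app"))
    return sorted(findings)
```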

Small Business Cyber Security Checklist — UK

Use this cyber security checklist to confirm you have covered the basics. Every item below is recommended by the NCSC and is required (or strongly encouraged) for Cyber Essentials certification.

Backup

  • Critical data identified and documented
  • 3-2-1 backup rule implemented
  • At least one backup is offline or immutable
  • Backups encrypted in transit and at rest
  • Automated daily backup schedule in place
  • Quarterly test-restore completed and logged

MFA

  • All email accounts protected with MFA
  • Cloud storage and collaboration tools covered
  • Admin and finance accounts prioritised
  • Authenticator app used instead of SMS where possible
  • Staff given clear instructions and a deadline
  • Backup recovery codes issued and stored securely

Need help getting backups and MFA right?

SOC in a Box includes 24/7 monitoring, configuration guidance, and a named analyst to walk you through every step — from £335 / month.

Book a Free Scoping Call