Some useful advice for small businesses from NFU Mutual:
High-profile cyber attacks on Marks & Spencer and the Co-op have put the need for online security firmly in the spotlight in recent weeks.
And commercial insurer NFU Mutual is warning that severe cyber risks loom just as much – if not more so – for small businesses, highlighting that it isn’t just big companies that are targeted by digital criminals.
The message comes on the back of the Cyber Security Breaches Survey 2025, commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office, which showed more than four in 10 UK businesses reported having a cyber breach or attack in the last 12 months. That equated to approximately 612,000 companies.
With smaller businesses often most at risk from cyber incidents, James Trevis, Cyber Portfolio Manager at NFU Mutual, offers his three tips for small businesses to consider when assessing their cyber risk.
Enable two-factor authentication (2FA) alongside basic cyber controls
While the report shows more businesses are using basic controls like malware protection, network firewalls, and backups, less than 40% of those surveyed have implemented 2FA. “Passwords are frequently compromised by hackers,” James explains. “Adding a second layer of protection – like an authenticator app, one-time passcode, or SMS code for remote logins such as email – significantly reduces the likelihood of unauthorised access. Small businesses can often enable this feature easily within their existing applications.”
Train your staff
Phishing was again the most common cyber-attack observed by the survey. However, basic cyber security awareness training can significantly reduce the likelihood and impact of a cyber event. “Many free training tools are available, such as those from the National Cyber Security Centre’s ‘Top tips for staff’,” says James. “These materials can help organisations defend against phishing, adopt stronger security practices, and know what to do if an incident does occur.”
Assess critical dependencies and plan for an incident
The report indicates that smaller organisations struggle to develop incident response plans due to a lack of in-house expertise or capacity. “Because of this, smaller organisations may find it harder to deal with complex cyber-attacks,” James notes. “We’re also seeing a rise in cyber events within the supply chain, which can have a knock-on effect on businesses that depend on them. It’s critical to assess technological dependencies including vital software, IT infrastructure and other technology services provided by third parties that the business relies on to trade. A good cyber insurance policy can be configured to insure against such indirect cyber risks.”

CASE STUDY
Autobits Motorstore, based in Armagh in Northern Ireland, have suffered two cyber-attacks in the last seven years.
The family-run business has more than 35 years of experience in supplying car parts and accessories but has seen the digital landscape change over the years and knows that cyber risk requires ‘continuous attention and investment’.
In 2019, Autobits’ point of sale (POS) system was attacked and held to ransom. It took the business’s software company around five working days to retrieve back-ups and get them back up and running again.
“We had to operate the business with absolutely no access to our POS system,” Autobits Motorstore Director Marty McDonagh said. “Luckily, we had held a copy of our supplier price files which meant that our sales team had to manually calculate prices. This was a much slower process but it meant we were able to remain operational until our POS system was retrieved.”
Having not suffered at the hands of online criminals previously, Marty said that was the wake-up call needed to take the issue seriously.
“That incident served as a turning point in how we approach cybersecurity,” he said. “It highlighted the vulnerabilities in our systems and the potential consequences.
“This experience led us from viewing cybersecurity as a technical concern to recognising it as a core business risk that requires continuous attention and investment.”
Last year, Autobits fell victim again when hackers got into the business Facebook account, something Marty warned others ‘highlighted just how vulnerable even routine platforms can be’.
The Armagh business is still actively liaising with social media bodies to try and recover their account, serving as a reminder that cyber breaches can strike through any channel, not just IT infrastructure.
“Following the breach of our business Facebook account last year, the importance of having a response plan and strong support systems in place became very clear,” said Marty. “Thankfully our cyber insurance and the measures we had implemented meant we had access to a team of IT security experts immediately.
“Their quick response not only gave us peace of mind, but it also helped restore our operational confidence and demonstrated the value of being prepared.”
