In the United Kingdom, we must navigate a complex legal landscape when it comes to cybersecurity for SMEs. The legal obligations extend beyond best practices; they are increasingly codified in law and regulation.
Central to this is the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These require businesses to implement “appropriate technical and organisational measures” to safeguard personal data. Failing to do so can result in significant financial penalties and reputational damage.
Computer Misuse Act 1990
Additionally, the Computer Misuse Act 1990 criminalises unauthorised access to computer systems. This means businesses must take proactive steps to protect their networks from being used as platforms for cybercrime. Sector-specific regulations and obligations, such as those under the Network and Information Systems (NIS) Regulations 2018, may also apply. This is particularly true where services deemed essential to the economy are concerned.
For SMEs, understanding these legal requirements and integrating them into day-to-day cybersecurity practices is not only prudent but necessary.
Lawrie Abercrombie, Technical Director of Arcanum, has created this simple guide to bridge the gap between technical advice and legal compliance. This ensures small businesses are both secure and aligned with the law.
In today’s digital age, cybersecurity for SMEs is a critical concern. Most people will be aware of the recent cyber-attacks on major retailers, including Marks & Spencer, Co-op and Harrods. These attacks have caused shortages on supermarket shelves. They are a stark reminder that cyber threats are real. Unfortunately, they are not limited to big retailers. Small businesses, and even individual householders, are increasingly getting caught out.
My company (Arcanum) normally works with large organisations, and no, we didn’t advise any of the ones who’ve just been hacked! We’ve put together some simple advice for small/medium businesses that don’t have the advantage of an on-call team of cybersecurity experts.
Protecting yourself starts with the basics. This is just as applicable to individuals as it is to businesses, and you should do this at home as well as at work. If you do nothing else, do these five things:
- Set your system to update automatically (settings/Windows Update)
- Use strong passwords, for example three random words selected from a dictionary (e.g. doodlePortugalcelebrate), as recommended by the National Cyber Security Centre.
- Do not use the same password for multiple systems. If it gets hacked once, every other system you use it on will also get hacked.
- Back up your important data.
- Enable two-factor authentication wherever possible.
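As an added illustration of the password advice above (not code from the original guide), the following Python picks a three-random-words passphrase in the NCSC style, shows with a quick entropy calculation why the dictionary it is drawn from must be large, and flags a password that has been reused across several accounts. The 12-word list and the account table are constructed sample data; the 7776-word list size used for comparison is an assumption (the size of a typical diceware-style list), not a figure from the guide.

```python
import math
import random
import secrets

# Constructed sample dictionary; a real wordlist holds thousands of words.
SAMPLE_WORDS = [
    "doodle", "portugal", "celebrate", "kettle", "marble", "orbit",
    "velvet", "harbour", "pencil", "tundra", "saffron", "gallop",
]

# Constructed account table: the same password has been reused on two sites.
SAMPLE_ACCOUNTS = {
    "webmail": "doodlePortugalcelebrate",
    "online-banking": "kettleMarbleorbit",
    "supplier-portal": "doodlePortugalcelebrate",
}


def deterministic_rng(seed):
    """Seeded generator for tests only; never use this for real passphrases."""
    return random.Random(seed)


def pick_words(words, n=3, rng=None):
    """Pick n words uniformly at random; cryptographically secure by default."""
    rng = rng or secrets.SystemRandom()
    return [rng.choice(words) for _ in range(n)]


def join_words(chosen):
    """Capitalise every second word so boundaries are readable: doodlePortugalcelebrate."""
    return "".join(w.capitalize() if i % 2 else w for i, w in enumerate(chosen))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def compare_strength(wordlist_size=7776, word_count=3, char_len=8, alphabet=26):
    """Three words from a large list versus a random lowercase password of char_len letters.
    Three words from the tiny SAMPLE_WORDS list give only ~10.8 bits, which is why the
    dictionary must be large."""
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, word_count), 1),
        "char_password_bits": round(entropy_bits(alphabet, char_len), 1),
    }


def find_reused(accounts):
    """Return {password: [accounts]} for every password used on more than one account."""
    by_password = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: sorted(a) for pw, a in by_password.items() if len(a) > 1}
```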
For those with a little more IT knowledge or an IT support team, whether it’s in-house or outsourced, here is some more detailed advice.
Back Up Your Data
Data is the lifeblood of any business. Imagine losing all your customer details, orders and payment information. Regularly backing up your data ensures that your business can continue to operate even in the event of a disaster such as a flood, fire, or cyber-attack. Here are some tips:
- Identify Essential Data: Determine which data is critical for your business, such as customer details, quotes, orders, and payment details. Make sure you back it up.
- Keep Backups Separate: Store backups on separate devices or locations to prevent ransomware from infecting them.
- Consider Cloud Storage: Cloud storage offers physical separation and high availability, often at minimal cost.
- Automate Backups: Use automated backup solutions to ensure you always have the latest version of your files.
Protect against Malware
Malicious software, or malware, can cause significant damage to your business. Here are some steps to protect your organisation:
- Install Antivirus Software: Use antivirus software on all computers and laptops.
- Prevent Dodgy App Downloads: Only download apps from manufacturer-approved stores.
- Keep IT Equipment Up to Date: Regularly update software and firmware to improve security.
- Control USB Drive Usage: Limit the use of USB drives and memory cards to reduce infection risk.
- Switch on Your Firewall: Firewalls create a buffer zone between your network and external networks.
Avoid Phishing Attacks
Phishing attacks are a common threat to businesses. Here’s how to protect yourself:
- Configure Accounts to Reduce Impact: Apply the principle of ‘least privilege’ and use two-factor authentication. Importantly, any account used to browse the internet or to send and receive email should not have administrative rights.
- Think About How You Operate: Educate staff on normal working practices to spot unusual requests.
- Report All Attacks: Encourage staff to report phishing attacks and take steps to mitigate damage.
- Check Your Digital Footprint: Be aware of what information is publicly available about your organisation. Criminals make use of this to make their phishing emails look more authentic.
Keep Your Smartphones (and Tablets) Safe
Mobile devices are now an essential part of modern business, but they need protection too:
- Switch on Password Protection: Use complex PINs or passwords to prevent unauthorised access.
- Track, Lock, or Wipe Lost Devices: Use web-based tools to manage lost or stolen devices.
- Keep Devices and Apps Up to Date: Regularly update devices and apps to patch security holes.
- Avoid Unknown Wi-Fi Hotspots: Use secure mobile networks or VPNs instead of public Wi-Fi.
Use Passwords to Protect Your Data
Passwords are a simple yet effective way to protect your data:
- Switch on Password Protection: Use screenlock passwords or other authentication methods.
- Use 2-Step Verification: Add an extra layer of security to important accounts.
- Avoid Predictable Passwords: Use easy-to-remember but hard-to-guess passwords.
- Use a Password Manager: Consider using a password manager; the ones built into internet browsers are fine, but do not save passwords on shared computers.
- Change Default Passwords: Regularly check and change default passwords on devices.
By following these steps, small businesses can significantly reduce their risk of falling victim to cyberattacks. Remember, cybersecurity for SMEs is not just a one-time effort but an ongoing process. Stay vigilant and keep your security measures up to date to protect your business from evolving threats.
Conclusion: Cybersecurity Legal Essentials & What’s Coming for UK SMEs
1. Legal Compliance Is Non-Negotiable
Under the UK GDPR and Data Protection Act 2018, SMEs must implement “appropriate technical and organisational measures” or risk fines and reputational harm. The Computer Misuse Act 1990 also makes failing to protect networks legally risky. Unauthorised access remains a criminal offence. For SMEs in regulated sectors (e.g. utilities, healthcare), the NIS Regulations 2018 already apply, and they will soon apply even more widely.
2. Cyber Governance Is Moving Up
The government’s revised Cyber Governance Code of Practice now urges boards to engage directly in cyber risk oversight. This makes it a core business concern, not just an IT issue. This shift also signals forthcoming legislative power for regulators to fine data providers and directors for failures in implementation.
3. New Responsibilities Ahead with the Cybersecurity & Resilience Bill (CSRB)
The upcoming CSRB, previewed in April’s policy statement and formally introduced in May 2025, will expand the NIS regime to include additional entities such as managed service providers and data centres. SMEs operating in these sectors should start preparing now. They should expect mandatory incident reporting, strengthened audit powers for regulators, and possible ransomware reporting obligations.
4. AI-Powered Threats Are Intensifying
Cabinet Office Minister Pat McFadden indicated at CyberUK 2025 that AI technologies are already increasing both the frequency and sophistication of cyberattacks. This reinforces legal and operational urgency for SMEs to view cybersecurity as a continuous, strategic imperative, not a one-off compliance checkbox.
5. Other Legislative Landscape Shifts
- The 2024 PSTI regime (effective April 2024) bans weak default passwords on connected devices. This pushes device manufacturers and SME users to adopt better security hygiene.
- New Online Safety and National Security Acts (2023) further extend obligations over digital services and safeguard national infrastructure. This means SMEs involved in web hosting, content platforms, or sensitive data may face additional compliance scrutiny.
Thank you to Lawrie Abercrombie for his input into this guide.
Farringford Legal is your growth partner, providing affordable, expert legal services across England & Wales with a client-centric, entrepreneurial approach. We are not just lawyers; we are allies in your business journey, adapting as your business evolves, deeply trustworthy, always responsive.
www.farringfordlegal.co.uk | info@farringfordlegal.co.uk
