NCSC launches new cyber guidance for SMBs as threats continue to rise

The UK's National Cyber Security Centre (NCSC) has released new cyber guidance for SMBs on how to use cloud and online services more securely.

Concerned that smaller businesses may be overwhelmed by its existing cloud security guidance - aimed squarely at IT professionals and containing a lot more technical details - the NCSC said it wants to help SMBs avoid falling victim to cyber attacks.

"Many SMEs already rely on online services for day-to-day tasks, even if they’re not aware of it. This includes email and instant message communications, cloud storage, website/shop hosting, online accounting and invoicing, or simply using social media to engage with customers," said Amelia H of the NCSC's economy and society team.

"If you rely on any of these services, it’s important that they are set up in such a way that they’re safe from online risks, whilst also reflecting your organization’s priorities."

The new guidance offers practical advice on basic cyber security measures that small businesses can employ to protect themselves amid heightened threats.

It recommends checking to make sure that cloud services are configured in such a way that they are safe from common cyber attacks. "Reputable service providers make it easy for you to do this," the NCSC said.

Organizations should make sure that all their essential data is exported and backed up, and that they know how to access and restore it. While some cloud services keep a copy of deleted files for a short period, this shouldn't be relied on, according to the NCSC, and organizations should keep their own independent copy.

The cyber security center also offered fresh advice on how to keep domain names secure.

"If your public domain name was set up with a personal email account, you should change this so that it is now managed by an account under your organization’s control, such as a work email account," the NCSC said.

Organizations are also warned not to allow staff to use personal accounts for work activities or the other way round, nor to allow accounts to be shared. Accounts should be secured using two-factor verification, with unique, unguessable passwords. Admin accounts should have similar protection, and should only be created when necessary.

NCSC warns of growing malware threats

The NCSC also detailed additional advice on avoiding malware for small businesses amid an uptick in incidents over the last year. Devices should be kept up to date and protected, the guidance reads, and only trusted devices should be used to log into work accounts.



"The amount of trust you want in a device should be based on what it will be able to do and access. For example, users should only use a device that they know has been kept up to date and protected when logging into admin and staff accounts," the guidance reads.

"Similarly, your organization may choose whether to allow users that only have limited access to log in from a personal device as long as you trust them and they trust their device."

Organizations should make sure they make full use of cloud services' built-in security features, such as filtering out malicious messages and files and accessing services via a web browser or a dedicated mobile or desktop app.

Finally, there's advice on how to spot the signs of compromise and how to recover a hacked account or service, including step-by-step guides for Google Workspace and Microsoft 365.

"Our new guidance will help SMEs use online services more securely, so that they’re less likely to be the victim of a cyber attack," said Amelia H.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.