
Keeping Your Online Accounts Safe

By Mitchel Goodwin, Co-founder

Somewhere, right now, a bot is testing your email address against a list of a billion leaked passwords. It is not personal. It is just Tuesday. The question is whether your accounts are ready for it, or whether you are about to have a very bad week.

The Scale of the Problem

Cybercrime costs UK businesses around 21 billion pounds a year. Small businesses are now the preferred target, precisely because they are under-protected and over-trusting. The average compromise is discovered around 200 days after it happens. That is six months of someone reading your emails, watching your finances, and picking the moment to strike.

The good news is that the vast majority of attacks are stopped by about six basic habits. The bad news is that most businesses do not bother with any of them.

The Essential Six

  • Unique passwords everywhere: One breach should not become ten.
  • A password manager: Because you cannot remember 200 unique passwords. Nobody can.
  • Two-factor authentication on everything important: Email, banking, CMS, social, cloud storage, domain registrar.
  • Software updates, installed promptly: Most breaches exploit vulnerabilities that already have a patch, on machines that have not installed it.
  • Backups that actually work: A tested restore, not just an assumed "we have a backup".
  • A healthy suspicion of email: Phishing is still the number one attack vector, by miles.

Do these six and you eliminate something like 95 percent of the risk you currently carry. For a dedicated look at the password piece, see our World Password Day guide.

Email Is the Crown Jewel

If an attacker gets your email, they can reset the password on almost every other account you own. That is why email deserves the strongest protection in your entire digital life. App-based 2FA at minimum, a hardware key if you can stomach it, and a separate account for high-value logins so that your day-to-day inbox getting compromised does not end your business.

Most business owners use one Gmail for everything. It is the digital equivalent of keeping your passport, chequebook, and house keys in a plastic bag on the bus.

Your Website Is an Account Too

WordPress sites in particular are constantly probed for weak admin logins and outdated plugins. Use a strong admin password, limit login attempts, enable 2FA on the admin area, keep core and plugins updated, and take regular off-site backups. Our web maintenance service handles this for clients who would rather not.

A compromised site is not just an IT problem. Google will flag it as unsafe in search results within days, and your traffic will evaporate faster than you can say "malware redirect".

Social Media Is a Sitting Duck

Business Facebook pages, Instagram accounts, and LinkedIn company pages are increasingly targeted for takeover. Losing access to a page with 5,000 followers is a proper crisis, and Meta's recovery process is legendary for all the wrong reasons. Admin roles, 2FA, and avoiding dodgy "verification" DMs are the baseline.

We have watched Newcastle brands lose decade-old accounts because a team member clicked a link promising free blue ticks. Train the team. It is cheaper than rebuilding from zero.

When Something Goes Wrong

If you suspect a compromise, act fast. Change passwords from a clean device, revoke active sessions, enable 2FA if it is not already on, check for forwarding rules in your email, and review recent logins. Then do the boring bit of working out what might have been seen and who you need to tell. GDPR does not care that you were busy.
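The "review recent logins" step above, as an added example that is not from the original post. It assumes a login history exported as lines of `time account ip result` (a constructed format with constructed sample data) and flags successful logins that come from an address the account has not used before or that follow a burst of failures.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (documentation IP ranges): time, account, source IP, result.
SAMPLE_LOG = """\
2024-05-01T08:58:10 admin 198.51.100.7 OK
2024-05-02T09:01:44 admin 198.51.100.7 OK
2024-05-07T03:12:01 admin 203.0.113.50 FAIL
2024-05-07T03:12:03 admin 203.0.113.50 FAIL
2024-05-07T03:12:05 admin 203.0.113.50 FAIL
2024-05-07T03:12:09 admin 203.0.113.50 OK
2024-05-07T09:00:12 admin 198.51.100.7 OK
2024-05-07T09:05:30 editor 198.51.100.7 FAIL
2024-05-07T09:05:41 editor 198.51.100.7 OK
"""

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            yield datetime.fromisoformat(ts), user, ip, result == "OK"

def review_logins(text, max_failures=3, window=timedelta(minutes=10)):
    """Return (time, user, ip, reasons) for each successful login worth a look."""
    known_ips = defaultdict(set)   # user -> IPs seen on earlier successful logins
    failures = defaultdict(list)   # (user, ip) -> failure times inside the window
    findings = []
    for ts, user, ip, ok in sorted(parse(text)):
        key = (user, ip)
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if not ok:
            failures[key].append(ts)
            continue
        reasons = []
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append("new source IP")
        if len(failures[key]) >= max_failures:
            reasons.append(f"{len(failures[key])} failures just before success")
        if reasons:
            findings.append((ts.isoformat(), user, ip, reasons))
        known_ips[user].add(ip)    # each address is flagged once, then treated as seen
        failures[key].clear()
    return findings

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(finding)
```

The first successful login for an account only sets its baseline, and a single mistyped password followed by a success is not flagged.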

Want a Second Pair of Eyes?

We will review your website, email, and key accounts for common risks. Free, fast, and jargon-free.


Good digital hygiene is profoundly unsexy. It is also the single most reliable way to make sure you are still in business this time next year. Do the boring bit now, thank yourself later.