10 Security Mistakes That Could Cost You Millions
A comprehensive guide to the most common security gaps in UK businesses — and exactly how to fix them. Based on NCSC and NIST frameworks.
Why This Guide Exists
Every week, we assess security for UK businesses. And every week, we see the same mistakes — preventable vulnerabilities that put organisations at serious risk.
These aren't exotic, nation-state level threats. They're fundamental security gaps that exist because of convenience, legacy decisions, or simply not knowing better. The good news? Every one of them is fixable.
This guide covers the 10 most common security mistakes we encounter, mapped to official NCSC (UK National Cyber Security Centre) and NIST (US National Institute of Standards and Technology) guidance. For each mistake, you'll learn:
- What the mistake is and why it's so common
- Why it matters — the real risks and consequences
- How to fix it — practical, actionable steps
- Quick wins — what you can do today
- Official references — NCSC and NIST guidance links
Whether you're a business owner wanting to understand your exposure, an IT manager prioritising your security roadmap, or an office manager who inherited IT responsibilities, this guide will give you clear direction on what to fix first.
Let's get into it.
No Multi-Factor Authentication
Multi-Factor Authentication (MFA) is the single most impactful security control you can implement. Yet according to recent surveys, over 60% of small businesses still don't use it — leaving their accounts protected by nothing more than a password.
When you rely solely on passwords, you're one phishing email away from a breach. Attackers don't need to "hack" anything — they just need to trick one employee into revealing their credentials, or buy leaked passwords from the dark web.
Why This Matters
Microsoft reports that MFA blocks 99.9% of automated attacks. That's not a typo — nearly all credential-based attacks fail when MFA is enabled. Without it, your business email, cloud storage, financial systems, and customer data are all vulnerable to:
- Credential stuffing attacks — Automated tools trying leaked passwords across multiple services
- Phishing attacks — Employees tricked into entering credentials on fake login pages
- Password spraying — Attackers trying common passwords against many accounts
- Brute force attacks — Systematic guessing of weak passwords
Real-World Impact
In 2023, a UK accounting firm lost £180,000 after attackers gained access to their email system using stolen credentials. The attackers monitored email conversations for weeks, then intercepted a legitimate invoice and changed the bank details. The money was transferred to the attackers' account before anyone noticed.
MFA would have prevented this entirely — even with the stolen password, the attackers couldn't have accessed the account without the second factor.
How to Fix It
- Enable MFA on all business-critical systems immediately — start with email, then financial systems, then cloud storage
- Use authenticator apps (Microsoft Authenticator, Google Authenticator) rather than SMS where possible
- Consider hardware security keys (YubiKey, Google Titan) for high-privilege accounts
- Implement conditional access policies that require MFA for risky sign-ins
- Create a rollout plan that includes user training and support
- Document your MFA requirements in your security policy
Enable MFA on Microsoft 365 or Google Workspace today. It takes 15 minutes and immediately protects your most critical business system.
Weak Password Practices
Despite decades of security awareness campaigns, weak passwords remain one of the most exploited vulnerabilities. "Password123", "Company2024", and "Welcome1" appear in breach after breach.
The problem isn't just weak passwords — it's the entire approach. Complex password policies (requiring uppercase, lowercase, numbers, symbols) have backfired. Users respond by creating predictable patterns: "Summer2024!", "January2024@", "Company123!". Attackers know these patterns.
Why This Matters
Modern password-cracking tools can test billions of combinations per second. A password like "Tr0ub4dor&3" (which looks complex) can be cracked in hours. Meanwhile, a simple passphrase like "correct horse battery staple" would take centuries.
The real risks of weak passwords include:
- Account takeover — Direct access to business systems and data
- Lateral movement — One compromised account leads to others
- Reused passwords — Personal account breaches exposing work credentials
- Password sharing — Team members sharing accounts defeats all security
Real-World Impact
A professional services firm discovered their entire client database had been accessed when a former employee's credentials — unchanged for 3 years after they left — were found on a dark web marketplace. The password was the company name followed by "123".
The breach triggered GDPR notification requirements, client notifications, and a forensic investigation costing over £50,000.
How to Fix It
- Implement a password manager (1Password, Bitwarden, LastPass) for all staff
- Require unique, randomly-generated passwords for every account
- Use passphrases of 3+ random words for accounts that can't use a password manager
- Set a minimum length of 12+ characters rather than complex character requirements
- Check new passwords against known breached password lists
- Remove password expiration policies — they encourage weaker passwords
- Disable password hints and security questions where possible
Deploy a password manager to your team this week. Most offer free trials and can import existing passwords.
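The fix list above asks for a 12-character minimum, rejection of predictable patterns, and a check against known breached passwords. The following added example (not from this guide or any vendor) implements those three checks as a single policy function. The breached-password set is a constructed stand-in, but it is organised the way the Have I Been Pwned "range" API is, so the same lookup works against the real service: only the first five hex characters of the SHA-1 hash are sent, and the remaining 35 are matched locally (k-anonymity). The company name parameter and the list of common bases are assumptions chosen to match the guide's own examples.

```python
import hashlib
import re

MIN_LENGTH = 12

# Common bases that users bolt a year or "123" onto; the guide's own examples
# ("Summer2024!", "January2024@", "Welcome1") all follow this shape.
COMMON_BASES = {
    "password", "welcome", "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Constructed stand-in for a breached-password corpus. Buckets are keyed by the
# first 5 hex characters of the SHA-1 hash and hold the remaining 35 characters
# of each breached hash, mirroring the Have I Been Pwned range API layout.
_CONSTRUCTED_BREACHED = ["Password123", "Welcome1", "Company2024", "Summer2024!"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACH_BUCKETS = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = sha1_hex(_pw)
    BREACH_BUCKETS.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password):
    """Select the bucket by 5-character prefix, then match the suffix locally.
    Against the real service the bucket would be the body of the HTTP response
    for that prefix; the password and its full hash never leave the client."""
    h = sha1_hex(password)
    return h[5:] in BREACH_BUCKETS.get(h[:5], set())


def is_predictable(password, company_name):
    """Flag company-name prefixes and word + digits + trailing symbols on a common base."""
    lowered = password.lower()
    if company_name and lowered.startswith(company_name.lower()):
        return True
    m = re.fullmatch(r"([a-z]+)(\d{1,4})([^a-z0-9]*)", lowered)
    return bool(m) and m.group(1) in COMMON_BASES


def check_password(password, company_name):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if is_breached(password):
        failures.append("breached")
    if is_predictable(password, company_name):
        failures.append("predictable_pattern")
    return failures


if __name__ == "__main__":
    for candidate in ["Password123", "January2024@", "Acme-Ledger-2024", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, 'Acme') or 'acceptable'}")
```

Note that "January2024@" passes the length rule and is not in the breached set, yet still fails: a policy that only counts characters would have accepted it, which is the guide's point about complexity rules backfiring.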
Unpatched Systems
Every piece of software you use has vulnerabilities. When vendors discover these flaws, they release patches. The window between patch release and when attackers start exploiting the vulnerability is shrinking — sometimes to just hours.
Yet many businesses run systems that are weeks, months, or even years behind on updates. "It's working fine" or "we'll do it next maintenance window" becomes the default response — until it becomes "we've been breached".
Why This Matters
The majority of successful breaches exploit known vulnerabilities with available patches. Attackers don't need zero-day exploits — they just need to find organisations that haven't updated.
The risks of delayed patching include:
- Known exploit availability — Attackers have working attack code for unpatched vulnerabilities
- Automated scanning — Bots constantly scan the internet for vulnerable systems
- Ransomware entry points — Many ransomware attacks start with unpatched systems
- Compliance failures — Most frameworks require timely patching
Real-World Impact
The WannaCry ransomware attack in 2017 exploited a Windows vulnerability that had been patched two months earlier. Organisations that hadn't applied the patch — including parts of the NHS — were devastated. The attack cost the NHS an estimated £92 million in direct costs and cancelled appointments.
More recently, the MOVEit vulnerability in 2023 was exploited within days of disclosure, affecting hundreds of organisations worldwide including several UK councils and businesses.
How to Fix It
- Implement automated patching for operating systems and common applications
- Create a patch management policy with defined timelines (critical: 48 hours, high: 7 days, medium: 30 days)
- Maintain an accurate inventory of all software and systems
- Subscribe to vendor security bulletins for your critical systems
- Test patches in a staging environment before production deployment
- Have a rollback plan for patches that cause issues
- Prioritise internet-facing systems and those handling sensitive data
- Replace end-of-life systems that no longer receive security updates
Enable automatic updates on Windows and macOS for all workstations. This handles 80% of your patching needs.
No Security Awareness Training
Your employees are simultaneously your biggest security vulnerability and your best defence. Technology alone cannot protect against social engineering, phishing, and human error — which account for over 80% of breaches.
Yet many organisations either skip security training entirely or run a single annual compliance exercise that employees forget within days. Real security awareness requires ongoing engagement, not a tick-box exercise.
Why This Matters
Attackers target people because it works. A well-crafted phishing email will bypass your spam filters and land in inboxes. At that point, your only defence is the human reading it.
Without proper training, employees will:
- Click malicious links — Phishing emails designed to steal credentials or install malware
- Open dangerous attachments — Weaponised documents that compromise systems
- Fall for CEO fraud — Impersonation attacks requesting urgent wire transfers
- Overshare on social media — Giving attackers reconnaissance information
- Use insecure practices — Sharing passwords, leaving devices unlocked, tailgating
Real-World Impact
A UK recruitment firm lost £120,000 when an employee received an email appearing to be from the Finance Director requesting an urgent payment. The email was sent on Friday afternoon (a common tactic), used the correct email signature, and referenced a genuine project. The employee, wanting to be helpful, processed the payment.
With proper training on CEO fraud tactics and verification procedures, this would have been caught.
How to Fix It
- Implement continuous security awareness training, not just annual compliance
- Run regular phishing simulations to test and reinforce learning
- Make training engaging — short videos, real examples, gamification
- Cover specific threats: phishing, CEO fraud, social engineering, physical security
- Create clear reporting channels — make it easy to report suspicious emails
- Recognise and reward security-conscious behaviour
- Include security in onboarding for new employees
- Tailor training to roles — finance teams need different awareness than developers
Send a company-wide email this week explaining how to identify phishing emails and what staff should do when they receive one.

Poor Backup Practices
Most organisations have backups. Few have tested them. The assumption that "IT handles backups" provides false comfort until the day you actually need to recover — and discover the backups are incomplete, corrupted, or encrypted by the same ransomware that hit your production systems.
Modern ransomware specifically targets backup systems. If your backups are on the same network as your production systems, they'll be encrypted too.
Why This Matters
Backups are your last line of defence against ransomware and data loss. Without reliable backups, a ransomware attack becomes an existential threat — you either pay the ransom (with no guarantee of recovery) or lose everything.
Common backup failures include:
- Untested restores — Backups that fail when you try to use them
- Online-only backups — Cloud backups that ransomware can also encrypt
- Incomplete coverage — Critical data not included in backup scope
- Slow recovery — Backups that work but take weeks to restore
- No offline copies — All backups accessible from the network
Real-World Impact
A legal firm suffered a ransomware attack that encrypted all their servers. Their IT provider had been running daily backups to a network-attached storage device. The ransomware encrypted the backup device too.
The firm paid £35,000 in ransom and still only recovered 60% of their data. They lost case files, client correspondence, and billing records. Several clients left, and the firm nearly closed.
An air-gapped or immutable backup would have allowed full recovery without paying the ransom.
How to Fix It
- Follow the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 offsite
- Maintain at least one air-gapped or immutable backup that ransomware cannot reach
- Test restore procedures regularly — at least quarterly for critical systems
- Document recovery time objectives (RTO) and recovery point objectives (RPO)
- Include cloud services in your backup strategy (Microsoft 365 data isn't automatically backed up)
- Encrypt backups and secure backup credentials separately from production
- Maintain backup retention policies that allow recovery from older clean backups
- Regularly verify backup integrity and completeness
Schedule a backup restore test this month. Pick a non-critical system and verify you can actually recover it.
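The legal firm above failed on several points of the checklist at once: one backup copy, on the same media type, on the same network, never restore-tested. The added example below (not from this guide) encodes the 3-2-1 rule together with the immutability and quarterly restore-test requirements from the fix list, and runs it over two constructed backup inventories: one matching the firm's setup and one after the recommended changes. It assumes, as the rule is usually read, that the production copy counts as one of the three, and that "quarterly" means a successful restore test within the last 90 days.

```python
from datetime import date, timedelta

RESTORE_TEST_MAX_AGE = timedelta(days=90)  # "at least quarterly"


def assess_backups(copies, today):
    """Check a set of data copies against 3-2-1 plus immutability and restore testing.

    Each copy is a dict with: name, media, offsite, immutable_or_offline,
    is_primary, last_restore_test (a date or None).
    Returns a list of finding codes; an empty list means the checklist is met.
    """
    findings = []
    if len(copies) < 3:
        findings.append("fewer_than_3_copies")
    if len({c["media"] for c in copies}) < 2:
        findings.append("fewer_than_2_media_types")
    if not any(c["offsite"] for c in copies):
        findings.append("no_offsite_copy")
    backups = [c for c in copies if not c["is_primary"]]
    # A copy that the same credentials and network can reach is not a recovery
    # copy once ransomware runs; at least one must be immutable or offline.
    if not any(c["immutable_or_offline"] for c in backups):
        findings.append("no_immutable_or_offline_backup")
    for c in backups:
        last = c["last_restore_test"]
        if last is None or today - last > RESTORE_TEST_MAX_AGE:
            findings.append("restore_untested:" + c["name"])
    return findings


def copy(name, media, offsite=False, immutable_or_offline=False, is_primary=False, last_restore_test=None):
    return {"name": name, "media": media, "offsite": offsite,
            "immutable_or_offline": immutable_or_offline,
            "is_primary": is_primary, "last_restore_test": last_restore_test}


TODAY = date(2024, 6, 10)

# Constructed: the legal firm's setup before the incident.
BEFORE = [
    copy("file-server", "disk", is_primary=True),
    copy("nas-daily", "disk"),  # same site, same network, never tested
]

# Constructed: after adding an immutable offsite copy and a restore-test schedule.
AFTER = [
    copy("file-server", "disk", is_primary=True),
    copy("nas-daily", "disk", last_restore_test=date(2024, 5, 20)),
    copy("cloud-object-lock", "cloud", offsite=True, immutable_or_offline=True,
         last_restore_test=date(2024, 5, 20)),
]


if __name__ == "__main__":
    print("Before:", assess_backups(BEFORE, TODAY))
    print("After:", assess_backups(AFTER, TODAY) or "checklist met")
```

The same function can be fed the real list of copies from your backup provider's report; the useful habit is re-running it after any change to the backup setup, since a migration or a retired tape drive can quietly remove the one copy that made the rule hold.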
Excessive User Privileges
When everyone in the organisation is a local administrator, attackers are too. The principle of least privilege — giving users only the access they need to do their job — is fundamental to security but often ignored for convenience.
"Just give them admin so they don't complain" is a common IT response. But every admin account is a target for attackers, and every unnecessary privilege expands the blast radius when an account is compromised.
Why This Matters
Excessive privileges enable attackers to:
- Install malware — Admin rights let malware install deeply into systems
- Access sensitive data — Users see data they don't need, so attackers do too
- Move laterally — One compromised admin account can access many systems
- Disable security tools — Admin rights can turn off antivirus and monitoring
- Create persistence — Attackers create new admin accounts to maintain access
The principle of least privilege limits the damage from any single compromise.
Real-World Impact
An insurance broker discovered that a junior employee's account had been compromised for months. Because that account had unnecessary admin rights and access to all client files "in case they needed to help colleagues", the attackers had accessed 15,000 client records including financial details.
The subsequent ICO investigation and client notification cost over £200,000. If the account had appropriate limited access, the breach scope would have been a fraction of the size.
How to Fix It
- Audit current user permissions — identify who has admin rights and why
- Remove local admin rights from standard user accounts
- Implement role-based access control (RBAC) for business systems
- Use just-in-time administration for temporary elevated access when needed
- Separate admin accounts from daily-use accounts for IT staff
- Review and recertify access permissions quarterly
- Implement the principle of least privilege for service accounts too
- Use privileged access management (PAM) tools for sensitive systems
Review who has admin access to your core business systems today. Remove access for anyone who doesn't actively need it.
No Incident Response Plan
When a security incident occurs, the first few hours are critical. Yet most organisations have no documented plan for how to respond. Decisions are made in panic, evidence is accidentally destroyed, and the situation escalates while people argue about who should do what.
An incident response plan doesn't prevent breaches — but it dramatically reduces their impact and cost. Organisations with tested incident response plans contain breaches 50% faster than those without.
Why This Matters
Without an incident response plan:
- Response is slower — Time is wasted figuring out who does what
- Evidence is lost — Systems are rebooted or wiped, destroying forensic data
- Communication fails — Customers, regulators, and leadership learn at the wrong time
- Legal risks increase — Poor handling creates liability
- Recovery costs more — Uncoordinated response extends downtime
The first 24 hours set the tone for the entire incident.
Real-World Impact
A retail business discovered unusual activity on their payment systems at 4pm on Friday. Without a plan, staff debated what to do over the weekend. On Monday, they called their IT provider, who advised rebuilding the systems — destroying all evidence of what happened.
Three weeks later, their bank informed them of a pattern of fraudulent transactions traced to their systems. Without logs or evidence, they couldn't determine the scope of the breach, when it started, or what data was taken. The investigation and recovery took months and cost far more than it should have.
How to Fix It
- Create a documented incident response plan with clear roles and responsibilities
- Define what constitutes an incident and how to classify severity
- Establish an incident response team with contact details (including out-of-hours)
- Document initial containment steps — what to do and what NOT to do
- Create communication templates for different scenarios
- Include contact details for external resources: legal, forensics, cyber insurance
- Test the plan through tabletop exercises at least annually
- Review and update the plan after each real incident
Write down the names and phone numbers of who to call if you discover a breach at 3am on a Sunday. That's your starting incident response plan.
Shadow IT & Unsanctioned Apps
Your employees are using applications you don't know about — with your company data. It's called Shadow IT, and it's everywhere. Marketing signed up for a new email tool. Sales is using a file-sharing service. Finance has a personal Dropbox with client spreadsheets.
These aren't malicious actions. Employees use unsanctioned apps because the official tools don't meet their needs or they don't know alternatives exist. But every unknown application is a blind spot in your security.
Why This Matters
Shadow IT creates risks because:
- No security review — Apps haven't been vetted for security practices
- No data protection — Company data in uncontrolled locations
- No visibility — Security teams can't monitor or protect what they don't know exists
- No offboarding — When employees leave, access to shadow apps isn't revoked
- Compliance failures — Data in unapproved locations violates policies and regulations
Studies suggest the average company has 10x more cloud applications in use than IT knows about.
Real-World Impact
A marketing agency discovered that a contractor had been sharing client files via a personal Google Drive account for two years. When the contractor relationship ended badly, they retained access to all those files — including confidential client strategies and contact lists.
The agency had no legal recourse since they hadn't sanctioned or controlled the account. They had to disclose the situation to affected clients and lost two major accounts as a result.
How to Fix It
- Conduct a shadow IT discovery exercise — survey staff and review network traffic
- Understand why employees use shadow IT — their needs are valid even if the solution isn't
- Provide approved alternatives that meet legitimate business needs
- Implement a cloud access security broker (CASB) for visibility
- Create an acceptable use policy that's realistic and enforceable
- Make the process for requesting new tools simple and fast
- Use single sign-on (SSO) to control access to approved applications
- Regularly audit connected applications to business platforms like Microsoft 365
Ask your team what tools they use that IT didn't provide. You'll learn about shadow IT and their unmet needs in one conversation.
Insecure Remote Working
The traditional security perimeter — a firewall protecting everything inside the office — no longer exists. Employees work from home, coffee shops, client sites, and airports. They use home WiFi networks, personal devices, and public hotspots.
Many organisations rushed to enable remote work during the pandemic without properly securing it. Those "temporary" arrangements have become permanent, but the security hasn't caught up.
Why This Matters
Remote working introduces risks including:
- Unsecured networks — Home and public WiFi are easily compromised
- Unmanaged devices — Personal devices lack security controls
- Physical security — Devices left in cars, bags, visible screens in public
- Shared environments — Family members with access to work devices
- VPN misuse — Assumed security without proper configuration
Attackers know remote workers are softer targets than corporate networks.
Real-World Impact
An employee of a financial services firm worked from a coffee shop while waiting for a flight. They connected to what appeared to be the venue's WiFi network. It was actually an "evil twin" network set up by an attacker, who captured their VPN credentials as they logged in.
The attacker used those credentials to access the corporate network over the following weeks, eventually exfiltrating client data. The breach was traced back to the coffee shop session.
How to Fix It
- Implement zero-trust network access (ZTNA) instead of traditional VPN where possible
- Require managed devices for accessing company data — no personal devices for sensitive work
- Enable device encryption (BitLocker, FileVault) on all endpoints
- Implement mobile device management (MDM) for remote device security
- Provide security guidance for home network setup
- Use always-on VPN or secure web gateway for unmanaged network protection
- Deploy endpoint detection and response (EDR) on all devices
- Create a remote working security policy and enforce it
Enable full-disk encryption on all company laptops this week. It protects data if devices are lost or stolen.
No Cyber Insurance
No security programme is perfect. Eventually, something will go wrong. When it does, the costs escalate rapidly: forensic investigation, legal fees, notification requirements, regulatory fines, business interruption, customer compensation, and reputation damage.
Cyber insurance provides a financial safety net and, importantly, access to expert resources when you need them most. Yet many businesses either lack coverage entirely or have policies with exclusions that would deny the claims they're most likely to make.
Why This Matters
The financial impact of a breach can be catastrophic:
- Average UK SMB breach cost: £8,460 — and that's the average, not the worst case
- Forensic investigation: £10,000-50,000+ — Understanding what happened requires experts
- Legal fees: £10,000-100,000+ — Regulatory response, customer claims, contracts
- Business interruption: Variable — Every day of downtime costs money
- Notification costs: £1-10 per record — Multiply by number of affected individuals
- Regulatory fines: Up to £17.5M or 4% of turnover — GDPR maximum penalties
Cyber insurance doesn't prevent breaches, but it ensures they don't destroy your business.
Real-World Impact
A 50-person professional services firm suffered a ransomware attack that encrypted all systems. Their cyber insurance covered:
- Forensic investigation to determine the scope and cause
- Legal counsel for regulatory notification requirements
- Crisis communications support
- Business interruption during the 3-week recovery
- Credit monitoring for affected clients
Total claim: £180,000. Without insurance, the business would likely have closed.
How to Fix It
- Get cyber insurance if you don't have it — it's more affordable than you think
- Review existing coverage — check exclusions, limits, and what's actually covered
- Understand what triggers coverage and what documentation you need
- Check coverage for ransomware, business interruption, and regulatory fines
- Verify third-party coverage if you handle client data
- Keep your broker informed of changes to your business and security posture
- Use the policy's risk management resources — many include security assessments
- Document your security controls — they affect premiums and claims
Request a cyber insurance quote this week. Even if you don't buy immediately, you'll understand your risk exposure and coverage options.
Official References
Security Checklist
Use this checklist to assess your current security posture. Each item maps to the mistakes covered in this guide.
Authentication
Patching & Updates
People & Training
Data Protection
Access Control
Incident Response
Remote Working
Insurance & Planning
Taking Action
You've read the guide. You've identified gaps. Now what?
Security improvement isn't about fixing everything at once — it's about consistent progress on the things that matter most. Here's how to prioritise:
Critical Quick Wins
- Enable MFA on Microsoft 365 / Google Workspace
- Enable automatic updates on all workstations
- Deploy a password manager to your team
- Enable full-disk encryption on all laptops
High-Impact Improvements
- Audit and remove unnecessary admin privileges
- Test your backup restore process
- Create a basic incident response plan
- Run a phishing awareness session
Strategic Initiatives
- Implement a formal patch management process
- Roll out security awareness training programme
- Review and update cyber insurance coverage
- Conduct a shadow IT discovery exercise
- Secure your remote working setup properly
Need Help Implementing These Fixes?
We've helped dozens of UK businesses close these exact security gaps. If you'd like expert guidance on your security improvement journey, we're here to help.
Official Resources
All recommendations in this guide are based on official government guidance: