Your 72-Hour Cyber Reset: 9 Quick Wins to Lock Down Your Business

A cybersecurity reset doesn’t have to be complicated. Most small businesses don’t need a full IT overhaul — they need a clear place to start. Cybersecurity can feel technical and overwhelming, especially when you’re wearing every hat in your business.

But here’s the truth: you don’t need to become a tech expert to stay safe online. A few simple, focused steps can drastically reduce your risk and keep your systems — and your sanity — intact.

That’s where the 72-hour cyber reset comes in. Think of it as a three-day refresh for your digital security. It’s not about perfection; it’s about quick, meaningful action that builds confidence and creates momentum.

Here’s how to reclaim control and create a safer, calmer digital space in just three days.

🔒 Day 1 – Secure the Essentials of Your Cybersecurity Reset

Focus: Access, passwords, and accounts

Every major security breach starts with one thing — access. If your passwords are weak or shared too widely, it’s like leaving the keys in your office door overnight.

Start your reset here:

  1. Change your passwords. Begin with your email, social media, and cloud storage accounts. Use unique, strong passwords for each — at least 12 characters, mixing words, numbers, and symbols.

  2. Turn on Multi-Factor Authentication (MFA) wherever possible. It adds an extra verification step (like a text code or app prompt) that blocks most hacking attempts instantly.

  3. Review who has access. Check tools like Google Workspace, Microsoft 365, your CRM, and social media. Remove old logins, ex-contractors, or anyone who no longer needs access.

💡 Quick tip:
Use a password manager such as Bitwarden, 1Password, or Dashlane to securely store and update passwords. Keep a simple record of who holds admin rights — it’ll save hours in an emergency.
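
The access review in step 3 and the admin-rights record from the quick tip can both be produced from a user list exported from an admin console. The following Python script is an added example, not part of the original post; the CSV column names, the sample accounts and the 90-day staleness threshold are assumptions.

```python
"""Access review over an exported user list (added example)."""
import csv
import io
from datetime import date

# Constructed sample export. Real admin consoles use their own column names,
# so map them to these four (assumed) columns before running the review.
SAMPLE_EXPORT = """email,role,mfa_enabled,last_login
owner@example.test,admin,yes,2025-06-01
bookkeeper@example.test,user,no,2025-05-28
old.contractor@example.test,admin,no,2024-11-15
intern2023@example.test,user,yes,2023-09-30
"""

# Constructed list of people who should still have access.
CURRENT_PEOPLE = {"owner@example.test", "bookkeeper@example.test"}

STALE_AFTER_DAYS = 90  # assumption: one quarter, in line with a quarterly review


def review_access(export_text, current_people, today,
                  stale_after_days=STALE_AFTER_DAYS):
    """Return {email: [findings]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        issues = []
        if email not in current_people:
            issues.append("not on current staff list: remove access")
        if row["mfa_enabled"].strip().lower() != "yes":
            issues.append("MFA is off")
        last_login = row["last_login"].strip()
        if not last_login:
            issues.append("never logged in")
        else:
            idle = (today - date.fromisoformat(last_login)).days
            if idle > stale_after_days:
                issues.append(f"no login for {idle} days")
        # An admin account with any finding goes to the top of the to-do list.
        if issues and row["role"].strip().lower() == "admin":
            issues.insert(0, "ADMIN account")
        if issues:
            findings[email] = issues
    return findings


def admin_register(export_text):
    """The simple record of who holds admin rights, sorted for easy comparison."""
    rows = csv.DictReader(io.StringIO(export_text))
    return sorted(r["email"].strip().lower() for r in rows
                  if r["role"].strip().lower() == "admin")


if __name__ == "__main__":
    report = review_access(SAMPLE_EXPORT, CURRENT_PEOPLE, today=date(2025, 6, 10))
    for email, issues in report.items():
        print(f"{email}: " + "; ".join(issues))
    print("Admins:", ", ".join(admin_register(SAMPLE_EXPORT)))
```

Save the admin register output with a date each time you run the review; comparing it with the previous quarter's copy shows any admin rights that appeared without anyone deciding to grant them.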

💻 Day 2 – Protect Your Devices

Focus: Software and physical security

Your devices are your business lifeline — laptops, tablets, phones, even routers. Out-of-date software is like leaving your windows open during a storm.

Here’s how to lock things down:

  1. Update everything. Run updates for operating systems, browsers, plugins, and apps. Those little notifications often contain vital security patches.

  2. Run antivirus or endpoint scans. Don’t assume you’re safe because you use a Mac. Malware targets everyone. Use built-in tools like Microsoft Defender or reputable antivirus software.

  3. Secure your Wi-Fi. Change your router’s default password and ensure encryption is set to WPA2 or WPA3. If you work from cafés or co-working spaces, use a VPN to protect your connection.

💡 Quick tip:
Label all your devices and switch on Find My Device (or the equivalent). If a laptop or phone is lost, you’ll be able to track or remotely wipe it.

☁️ Day 3 – Backup and Behaviour

Focus: Habits and awareness

Technology alone isn’t enough. It’s the habits behind it that keep your business secure.

  1. Back up your critical files. Follow the 3-2-1 rule: keep three copies of your data, on two types of storage (cloud + external drive), with one copy kept offline or off-site.

  2. Check your incident plan. If something goes wrong — a lost laptop, a suspicious email, or a data breach — who do you call first? Have a short, written checklist with emergency contacts and steps.

  3. Spot-test your team. Run a quick quiz or phishing simulation using free online tools. Awareness is your best defence against human error.
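
The 3-2-1 rule in step 1 can be checked mechanically against a list of where your copies live. This Python script is an added example, not part of the original post; the inventory fields and sample entries are constructed, and the maximum backup ages follow the FAQ further down (daily for key files, weekly for full system backups). It counts a backup towards the rule only if it is recent enough.

```python
"""Check a backup inventory against the 3-2-1 rule (added example)."""
from datetime import datetime, timedelta

# Constructed inventory: one entry per copy of the data, the live copy included.
# Field names are assumptions for this example, not any backup tool's format.
COPIES = [
    {"name": "office laptop", "media": "internal disk", "kind": "live",
     "offsite_or_offline": False, "last_updated": "2025-06-10T09:00"},
    {"name": "cloud backup", "media": "cloud", "kind": "key files",
     "offsite_or_offline": True, "last_updated": "2025-06-10T02:00"},
    {"name": "USB drive", "media": "external drive", "kind": "full system",
     "offsite_or_offline": False, "last_updated": "2025-05-20T18:00"},
]

# Maximum age per backup kind: daily for key files, weekly for full system
# backups. The live copy has no limit because it is the data itself.
MAX_AGE = {"key files": timedelta(days=1), "full system": timedelta(days=7)}


def check_321(copies, now):
    """Return a list of problems; an empty list means the rule is met."""
    problems = []
    usable = []
    for copy in copies:
        limit = MAX_AGE.get(copy["kind"])
        age = now - datetime.fromisoformat(copy["last_updated"])
        if limit is not None and age > limit:
            problems.append(f"{copy['name']}: last updated {age.days} days ago, "
                            f"limit is {limit.days}")
        else:
            usable.append(copy)

    # Only copies that are recent enough count towards 3-2-1.
    if len(usable) < 3:
        problems.append(f"only {len(usable)} usable copies, need 3")
    media = {copy["media"] for copy in usable}
    if len(media) < 2:
        problems.append(f"only {len(media)} storage type(s), need 2")
    if not any(copy["offsite_or_offline"] for copy in usable):
        problems.append("no usable copy is offline or off-site")
    return problems


if __name__ == "__main__":
    for problem in check_321(COPIES, datetime(2025, 6, 10, 12, 0)) or ["3-2-1 met"]:
        print(problem)
```

In the sample inventory the three copies look sufficient on paper, but the USB drive is 20 days old, so only two copies count and the check fails.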

💡 Quick tip:
Host a lunch-and-learn or 10-minute debrief each quarter. Sharing lessons from near-misses helps your team stay alert without fear.

You can also explore the ICO’s latest cybersecurity tips for small businesses.

🔁 How to Keep the Momentum Going

Once you’ve completed your 72-hour reset, don’t stop there. Cybersecurity works best when it becomes a routine — part of your business hygiene, just like reconciling invoices or renewing insurance.

  • Set a quarterly reminder to review access, updates, and backups.

  • Add cybersecurity to onboarding for new team members or contractors.

  • Create a “digital hygiene” folder in your business drive for policies, checklists, and backup plans.

You’ll quickly notice the difference: fewer worries, faster systems, and more trust from clients who know you take their data seriously.

If you handle client information, this foundation also supports your GDPR compliance and builds credibility with larger partners or corporate clients.

If you’d like extra guidance, the NCSC’s Small Business Guide is a brilliant next step.

❓ Cybersecurity FAQs for Small Businesses

1. What’s the best cybersecurity software for small businesses?
Start with built-in tools like Microsoft Defender or Apple’s Gatekeeper. Add reputable antivirus or endpoint protection such as Bitdefender, ESET, or Sophos.

2. How often should I back up my data?
Ideally every day for key business files, and at least weekly for full system backups. Automate cloud backups where possible.

3. What’s the biggest mistake small businesses make?
Assuming “it won’t happen to me.” Most attacks target small businesses because they’re easier to breach, not because they’re high-profile.

4. Do I need cyber insurance?
It’s worth exploring once you’ve implemented the basics. Insurance doesn’t replace good practice, but it can help you recover financially after an incident.

🌟 Wrap-Up

Nine small actions in three days can make a big difference. Each change builds another layer of protection and peace of mind.

Cybersecurity doesn’t have to be complicated or scary — it’s simply good business hygiene.

If you’d like to turn these quick wins into a lasting plan, download my free Cyber Basics Toolkit — it walks you through the next steps to build confident, practical cyber resilience for your business.

Next step: book a free clarity call to discuss the best way forward.

The Data (Use and Access) Act 2025: What Small Businesses Need to Know (and Do) Now

Well, third time lucky. New data protection legislation has (finally) been given royal assent. You might have seen headlines this week about the Data (Use and Access) Act 2025 (DUAA). I say third time lucky; this is the third time a data protection bill has been put forward, but the only one that has made it to legislation. It’s being called the biggest data protection update since GDPR—but before you panic, take a breath. This new law is more evolution than revolution.

The DUAA is not an overhaul. It tweaks the GDPR and the DPA. Think of it as a refresh of UK GDPR that aims to make data protection more straightforward, more business-friendly, and supportive of innovation, all while keeping people’s rights front and centre. Most of the changes are designed to give you more flexibility, rather than introducing new, unfamiliar obligations.

So, what does this mean for your business? Let’s break it down.

What is the Data (Use and Access) Act?

The Data (Use and Access) Act 2025 was passed to amend (not replace) key pieces of data law in the UK:

  • The UK GDPR
  • The Data Protection Act 2018
  • And the Privacy and Electronic Communications Regulations (PECR)

The goal? To support innovation and growth, particularly for businesses using data in creative or technology-driven ways, while still safeguarding personal information and individual rights.

The changes will be phased in between June 2025 and June 2026, giving everyone time to adjust.

What’s Changing?

Here are some of the key updates that may affect small businesses like yours:

1. Simplified lawful bases for processing

A new category—“recognised legitimate interests”—has been introduced. This means that for certain activities (like safeguarding national security or preventing crime), you no longer have to go through a balancing test to justify your use of personal data.

While this won’t affect most day-to-day SME operations, it signals a shift toward making data protection less burdensome.

2. Clarity around scientific research and reuse

If you conduct research or support organisations that do, there’s now clearer guidance on using personal data—including the ability to reuse data without fresh privacy notices (as long as safeguards are in place). This also supports businesses that use AI or develop digital tools that rely on data insights.

3. Cookie consent relaxed

You can now use cookies for analytics and certain functional purposes without explicit consent, so long as they don’t infringe on users’ rights. This could make your website smoother and less reliant on constant pop-ups.

What this means for you: You’ll still need a cookie policy, but you might be able to reduce the number of consent requests, making your site feel more user-friendly.

4. More flexibility with direct marketing

It’s now clearer that direct marketing can be considered a legitimate interest—something many of us assumed, but it’s helpful to have this confirmed in law. For charities, there’s even a new “soft opt-in” right for electronic marketing if someone has shown interest in their cause.

5. Changes to Subject Access Requests (SARs)

The DUAA introduces a more proportionate approach to SARs. You only need to conduct reasonable and proportionate searches, which helps reduce the admin burden, particularly for small teams.

6. Children’s data responsibilities

If you run an online service likely to be accessed by children, there is now an explicit legal duty to consider their needs. If you’re already aligned with the Age Appropriate Design Code, you’re on the right track—but it’s a good moment to double-check.

7. Stronger complaint-handling expectations

You’ll be expected to:

  • Offer an accessible way for people to raise concerns (think: a contact form or email address)
  • Acknowledge complaints within 30 days
  • Respond without undue delay

This aligns with good customer service anyway, but now it’s a compliance requirement.


What’s Not Changing?

Notably, the UK GDPR remains in effect.

If you’ve already taken steps to get your policies, privacy notice, and practices in shape, you’re not starting from scratch. The DUAA adds clarity and flexibility, but the foundations of data protection (transparency, fairness, purpose limitation, security, rights) are still intact.


What Do Small Businesses Need to Do Now?

Here’s a practical checklist for small businesses getting ready for the DUAA:

✅ 1. Familiarise yourself with the key changes

Understanding what’s changing gives you the confidence to act without feeling overwhelmed. Start by reading the ICO’s DUAA guidance or using this blog as your reference point.

✅ 2. Review your privacy notice

Now is a great time to review your privacy notice to ensure it is clear, accessible, and comprehensive, covering all the ways you process data, including analytics cookies, marketing, and complaint handling.

✅ 3. Check your cookie use

Are you using cookies for website stats or performance improvements? You may now be able to rely on the new exemption, saving you (and your website visitors) some extra clicks.

✅ 4. Assess your complaint-handling process

Make it easy for individuals to raise concerns. Consider a simple form on your website or a clear email contact. Ensure your team is aware of the 30-day response requirement.

✅ 5. Double-check any services used by children

If your products or services are likely to be accessed by children—even unintentionally—you’ll need to consider this explicitly. Review the Age Appropriate Design Code if this applies to you.

✅ 6. Stay informed

The ICO is updating its guidance gradually between now and 2026. Sign up for their newsletter or follow trusted advisers (like me!) to stay ahead without being overwhelmed.


A Word of Reassurance

I know what it feels like when new legislation lands—it can seem like yet another thing to add to the never-ending small business to-do list. But this law isn’t here to trip you up.

The Data (Use and Access) Act 2025 aims to make things simpler, not scarier.

If you already have your data protection basics in place—clear policies, secure systems, a lawful basis for marketing—you’re in a strong position. Use this moment as a chance to refresh rather than rebuild.


Need a Hand?

If you’d rather not wade through guidance documents or wonder what counts as “reasonable effort,” you don’t have to do it alone.

I help small businesses simplify data protection with real-world advice, done-for-you documents, and affordable training.

📩 Book a free call to see how we can help you understand what DUAA means for your business—and how to stay compliant, confident and focused on what you do best.

Michelle Molyneux Business Consulting Ltd
Making data protection doable for growing service-based businesses.
Friendly. Expert. Non-jargon. Always on your side.

The Business MegaBrew: Episode 1 – Preparing for 2025

Business Trends 2025: Key Challenges & Growth Opportunities

As we wrap up the first month of the year, it’s time to take stock of how business is shaping up; the business trends, challenges and possible growth opportunities in 2025. January is a month of fresh starts, planning, and often, a reality check on how the new year is actually unfolding.

Welcome to the first edition of Business Mega Brew, where we – Jill from Cherryade Marketing and our very own Michelle – discuss all things business, marketing, data, and the challenges and opportunities we’re seeing in the small business world. If you’re a business owner looking for practical insights and a bit of honesty about what’s really going on, this is the place for you. So if you don’t have time to watch/listen to the vodcast, then read below for a recap.


Meet Your Hosts

Before we dive in, here’s a quick intro:

  • Jill Bishop runs Cherryade Marketing, helping businesses craft effective marketing strategies to reach the right audience and grow their brands.
  • Michelle Molyneux is a data protection and compliance consultant with a background in quality and action learning facilitation, helping businesses navigate the often-dreaded world of policies and compliance.

Looking Back: The Highs & Lows of 2024

Last year was a challenging one for many businesses. As we chatted in this episode, we both felt that 2024 ended with a bit of a meh feeling. Many businesses we spoke to were cautious, hesitant, and struggling with decision-making. We saw a lot of:

  • Delayed decisions – businesses wanting to move forward but holding off due to financial uncertainty.
  • Budget concerns – small businesses are feeling the squeeze, making it harder to commit to new investments.
  • General fatigue – after years of navigating economic ups and downs, many business owners felt drained by the end of the year.

The good news? There’s a definite shift happening now that we’re into 2025. While businesses are still cautious, things are starting to move forward, and that’s a promising sign.


Planning for 2025: Business Goals & Pivots

For many business owners, January is a time to set resolutions – or, in our case, avoid them entirely! Instead of traditional resolutions, we both prefer goal-setting and strategic reviews.

Michelle has taken the time to reflect on her business direction and decided to pivot. While she’ll continue offering consultancy and audits, she’s expanding into online courses to help small businesses understand and implement data protection more affordably. It’s about meeting businesses where they are – and their budgets!

Jill, on the other hand, is taking a more reflective approach this year, stepping back to think about what she really wants from her business beyond just client numbers and revenue goals. A big focus is on work-life integration rather than just work-life balance.

If you haven’t already, now is a great time to review where your business is heading and whether your current strategy still makes sense.


Reviewing Systems: CRMs, Subscriptions & Processes

Another key focus this month has been reviewing tools and systems.

  • Social Media: Michelle has completely left Twitter (or X, as it’s now called) and is exploring new platforms like BlueSky and Threads. If you’re using social media for business, it’s worth considering whether the platforms you’re on are actually working for you.
  • CRMs & Software: If you’ve got subscriptions you’re paying for but rarely use, now’s the time to reassess. Michelle’s been comparing Moxie and Plutio, while Jill has been questioning whether she’s on the right CRM. It’s a great exercise to reduce unnecessary costs and streamline your operations.
  • Data Mapping & Policies: Reviewing privacy policies and data mapping is a must-do at least once a year. Have you checked whether the software you’re using has changed its policies? Are you still compliant? These are critical steps to ensuring your business stays on the right side of data protection laws.
  • Process Reviews: January is a great time to declutter processes, unsubscribe from unnecessary tools, and evaluate whether your workflow is as efficient as it could be.

Predictions for 2025: AI, Compliance & Sustainability

So, what’s coming up this year in the world of business? Here are our top predictions:

  • AI & Data Protection: With the UK government embracing AI and the EU AI Act coming into force, businesses need to be mindful of how they use AI responsibly. Transparency, documentation, and ensuring compliance with data privacy laws will be essential.
  • Sustainability: More businesses are making meaningful changes in their sustainability efforts, moving beyond just planting trees to truly embedding sustainability into their processes and products. We expect to see more of this in 2025.
  • Marketing Trends: Video and live streaming will continue to grow in importance. It’s time to get comfortable in front of the camera – something Michelle has reluctantly accepted!
  • Cost-Saving Mindset: Many businesses are still being cautious, and we expect a continued focus on efficiency and cost-effectiveness in decision-making.

What’s Coming Up in February?

February brings some interesting dates for businesses:

  • 6th February: Safer Internet Day – A great time to check your cybersecurity and online safety practices.
  • 12th February: Clean Out Your Computer Day – Declutter, organise files, and eliminate unused subscriptions.
  • 14th February: Valentine’s Day – A perfect time to show appreciation for your customers and clients. How? Through loyalty rewards, thank-you messages, or even just a heartfelt email.
  • Shouting Out Your Service Providers: In the spirit of appreciation, take the time to leave Google reviews or LinkedIn recommendations for the businesses and freelancers who have supported you. Authentic testimonials go a long way in building credibility!

Our next episode will focus on Love It or Hate It – what we love (and hate) about running a business. We’ll also discuss whether businesses hate marketing or compliance more – we have a sneaky suspicion we know the answer already!


Join the Conversation

We’d love to hear from you! How has January been for your business? What changes are you making in 2025? And most importantly – what do you hate more: marketing or compliance?

Drop us a message, tag us on social media, and let us know your thoughts.

Got questions? Drop us a line, and we’ll do our best to tackle them in the next episode.

Thank you for reading! We hope this blog provides you with valuable insights similar to those in the full video. We would love to hear your thoughts, so please feel free to share them with us — we enjoy connecting with fellow business owners. Enjoy your drink, and see you next time!

Until next time!

Jill & Michelle

Common Data Protection Mistakes and How to Avoid Them

Protect Your Small Business from Costly GDPR Errors

Are You Making These Data Protection Mistakes?

Data protection is a big deal for small businesses, but many owners and teams unknowingly make mistakes that could lead to fines, reputational damage, or data breaches.

The problem? Most mistakes are avoidable—they often come down to a lack of awareness, poor habits, or outdated practices.

But here’s the good news: fixing these mistakes is quick and simple once you know what to watch out for.

In this blog, we’ll cover:

  • The most common GDPR and data security mistakes small businesses make
  • Real-life examples of where things went wrong
  • Practical solutions to avoid fines, breaches, and compliance issues

Let’s make sure your business stays protected, compliant, and trusted. 🚀

1. Not Having a Clear Privacy Policy

Many small businesses collect customer data without having a proper Privacy Policy in place. This is a legal requirement under GDPR—and failing to provide one can lead to complaints or even fines.

🔹 What’s the Risk? Customers may feel uncomfortable sharing their details, and the ICO (Information Commissioner’s Office) could investigate if someone raises a concern.

💡 Real-World Example: A UK small business was fined £40,000 for not having clear consent policies in place for collecting customer data.

✅ How to Fix It:

Write a simple Privacy Policy that explains:

  • What data you collect
  • Why you collect it
  • How customers can request access or deletion of their data

Make it accessible—place a Privacy Policy link in your website footer and on sign-up forms.

📌 Helpful Resource: You can use the ICO’s SME GDPR Guide to check what should be included.

2. Keeping Data for Too Long (Or Not Knowing When to Delete It)

It’s easy to store old customer data indefinitely—but GDPR requires businesses to only keep data for as long as necessary.

🔹 What’s the Risk? Holding onto unnecessary data increases your security risk. If there’s a breach, old data could be exposed.

💡 Real-World Example: A UK company was fined for holding customer data years after it was no longer needed. They had no formal deletion process, meaning data was stored indefinitely.

How to Fix It:

Set up a Data Retention Policy—decide how long you need to keep different data types.

Delete old customer records, email lists, and unused files regularly.

Automate data deletion using CRM or cloud storage tools.

💡 Tip: If you don’t need it, securely delete it!

3. Sending Personal Data Over Email Without Protection

Many businesses send sensitive data via email without realising how risky this is. If an email is hacked, forwarded, or sent to the wrong person, it can lead to data leaks.

🔹 What’s the Risk? Data sent in plain emails is vulnerable to cyberattacks. Once it’s sent, you can’t take it back.

💡 Real-World Example: A small law firm accidentally emailed client records to the wrong recipient, leading to an ICO investigation.

How to Fix It:

Use encrypted email services for sending sensitive files.

Double-check email recipients before hitting send.

Use secure file-sharing tools like OneDrive or Dropbox instead of email attachments.

💡 Tip: If you need to send password-protected files, send the password in a separate message!

4. Using Weak Passwords or No Multi-Factor Authentication (MFA)

A weak password is like leaving your front door unlocked—it’s an open invitation for hackers.

🔹 What’s the Risk? A leaked password could give attackers access to your business systems, emails, or customer data.

💡 Real-World Example: A UK SME was hit with a cyberattack because their staff used weak passwords without two-factor authentication. Hackers stole customer payment details, causing substantial reputational damage.

How to Fix It:

✅ Use strong, unique passwords for each system (at least 12 characters, a mix of letters, numbers, and symbols).

Enable Multi-Factor Authentication (MFA) for email, CRM, and cloud accounts.

Use a password manager instead of writing down passwords.

💡 Pro Tip: A data breach is often caused by weak passwords. Protect your accounts properly!

5. Not Training Your Team on Data Protection

Even if you have great policies, they’re useless if your team doesn’t follow them.

🔹 What’s the Risk? Human error causes 90% of data breaches—usually because staff aren’t trained on security best practices.

💡 Real-World Example: A UK business was fined after an employee clicked on a phishing email, exposing sensitive client data. The company had no cybersecurity training in place.

How to Fix It:

Train your team on phishing, data handling, and GDPR basics.

Encourage a “Speak Up” culture—staff should report security concerns without fear.

Make data protection part of new employee onboarding.

💡 Tip: Even small teams should regularly review data protection best practices!

Final Thoughts: Small Fixes, Big Protection

Most data protection mistakes are avoidable—they happen because businesses aren’t aware of the risks.

But the good news? Small changes can make a huge difference in keeping your business safe, compliant, and trusted.

✅ Quick Recap: How to Avoid Common Data Protection Mistakes

Have a clear Privacy Policy & make it accessible

Set a Data Retention Policy & delete old records

Use encryption or secure file-sharing instead of email for sensitive data

Strengthen passwords & enable Multi-Factor Authentication (MFA)

Train your team & build a culture of security awareness

🔹 Need help securing your business and staying GDPR-compliant? We help small businesses fix their data protection gaps without the legal jargon.

📩 Get in touch today for friendly, practical advice!

Building a Data Protection Culture from Day One

How Small Businesses Can Embed GDPR & Security into Everyday Operations

When you think about an organisation’s culture, data protection probably isn’t the first thing that comes to mind. But, embedding GDPR and security into daily operations from the start can save you from costly mistakes later.

Many small businesses view data protection as a compliance tick-box rather than a core business value. The result? Data incidents and breaches, poor customer trust, and even legal penalties.

But here’s the thing—when data protection is part of your business culture, it becomes second nature. Instead of being a last-minute worry, it’s built into how your team works daily.

We will show you:

  • Why embedding a data protection culture is crucial for small businesses
  • How to make GDPR and security second nature in your team
  • Simple steps to get started—without adding more work to your plate

Let’s make data protection easy and intuitive—so your business stays secure, compliant, and trusted from day one. 🚀


1. Why a Data Protection Culture Matters for Small Businesses

It’s easy to think of data protection as something you only need to worry about in legal documents. But the truth is that how your team handles personal data daily has a more significant impact than policies alone.

💡 Consider This:

  • A customer emails their details, and a team member accidentally forwards it outside the company.
  • A freelancer downloads sensitive client files onto a personal (unsecured) device.
  • A marketing assistant adds customers to a mailing list without their consent.

👉 These are small, everyday mistakes that can lead to big problems.

A strong data protection culture ensures that everyone, no matter their role, understands the risks and follows best practices without hesitation.

💡 Real-World Example: A UK charity was fined £100,000 after staff accidentally shared sensitive data. The ICO found that a lack of training and awareness was the root cause. A better data protection culture could have prevented it!

To understand your legal obligations, the ICO’s SME Data Protection Guide provides clear steps for small businesses to follow.


2. How to Embed Data Protection into Your Business Culture

Want to make data protection second nature in your business? Here’s how:

📌 Lead by Example

If business owners and managers don’t take data protection seriously, neither will the team.

✅ Show that data protection isn’t just a legal thing—it’s a business priority.

✅ Follow best practices yourself—use strong passwords, secure devices, and GDPR-compliant processes.

💡 Quick Win: Mention data protection regularly in team meetings so it stays on everyone’s radar.

For practical cybersecurity steps tailored for small businesses, check out the NCSC’s Small Business Cyber Security Guide.


📌 Make Data Protection Part of Onboarding

Training shouldn’t just happen after a mistake is made. New team members should learn about data protection from day one.

✅ Include data security basics in your onboarding checklist.

✅ Make sure freelancers, VAs, and contractors understand your data handling rules.

Use real-life scenarios to teach how mistakes happen—and how to avoid them.

💡 Example: Instead of sending a long GDPR policy, create a quick “5 Key Data Protection Rules” guide for new starters.


📌 Keep Policies Simple & Accessible

Many businesses have great data protection policies, but they’re hidden in a document that no one reads.

✅ Make policies easy to find—store them in a shared folder or intranet.

✅ Write in plain English—avoid legal jargon.

✅ Create short checklists or infographics for key processes (like handling customer data).

💡 Quick Fix: Have a 1-page “Data Protection Do’s & Don’ts” guide that’s easy to follow.


📌 Encourage a “Speak Up” Culture

Data protection mistakes happen constantly—but many employees are afraid to report them.

Encourage openness—let your team know that mistakes should be reported, not hidden.

✅ Make sure there’s a straightforward, blame-free process for handling data incidents.

✅ Celebrate good data protection habits—not just GDPR compliance!

💡 Example: A “Data Protection Champion” in your team can answer questions and keep best practices front of mind.


📌 Automate & Secure Data Handling

One of the best ways to make data protection part of daily business is to automate security wherever possible.

✅ Use secure password managers instead of shared spreadsheets.

✅ Set up automated email encryption for sensitive data.

✅ Enable multi-factor authentication (MFA) on business accounts.

💡 Pro Tip: Automating security reduces human error, making compliance much easier!


3. Making Data Protection Second Nature in Your Business

Here’s a simple checklist to help you embed a data protection culture from day one:

Do I lead by example in following GDPR best practices?

Is data protection included in onboarding for new hires & freelancers?

Are policies simple, accessible, and easy to understand?

Does my team feel comfortable reporting mistakes?

Am I using automation to reduce security risks?

💡 If you answered ‘No’ to any of these, it’s time to strengthen your data protection culture!


Final Thoughts: Make Data Protection a Habit, Not a Hassle

Building a data protection culture doesn’t mean adding extra work—it’s about making security a normal part of your business’s operation.

Start small. Make data protection part of conversations and daily habits.

Keep it simple. Don’t overwhelm your team with complex policies.

Stay proactive. Prevent mistakes before they happen.

Need help embedding a strong data protection culture in your business? We make GDPR compliance simple and practical for small businesses.

📩 Get in touch today for friendly, jargon-free advice!