Cyber Security

Phishing, the single biggest cyber security risk to your business

According to the UK's Cyber Security Breaches Survey 2025, 93% of businesses that experienced any cybercrime reported phishing as the method used.

Cybercriminals know that the easiest way into a business isn’t by “hacking” a firewall; it’s by tricking someone into clicking a link or opening an attachment.

The term phishing is used for generic attacks, where cybercriminals send fake messages to many people, usually to trick recipients into clicking links or downloading malware. The fake messages will often look like they come from a well-known organisation such as your bank or HMRC.

Spear-phishing, by contrast, is a targeted attack aimed at a specific person or role within a company. These attacks are often personalised and researched, using real names, with the goal of gaining deeper access to systems in order to steal data or initiate fraud. They can be harder to spot and are on the rise.

Human error is a critical vulnerability. More than 90% of cyber security incidents are traceable to mistakes such as poor password hygiene, falling for phishing links, or mismanaging sensitive data.

Attackers are leveraging AI and automation to craft highly convincing, personalised phishing requests and spear-phishing attempts that are harder to detect and stop.

In the last few months we have seen a significant increase in phishing attacks. Improving awareness and taking steps to reduce your risk are essential.

So what can everyone do to reduce their risk of a phishing attack?

Be vigilant and take extra care when clicking on links or sharing information.
 
1. Pause before you click
If an email creates a sense of urgency and makes demands such as "pay now" or "reset your password immediately", take a moment to think. Urgency is a red flag.
2. Check the sender address carefully
Look for subtle spelling mistakes or strange domains (e.g. @micros0ft.com instead of @microsoft.com).
Also watch for unusual domain extensions. Most large organisations will have purchased the common extensions such as .com, .co.uk and .net even if they don't use them, but many other extensions are available that could be registered for malicious activity. An unusual domain extension is a red flag.
3. Check the path of the link
Sometimes the links in an email are disguised: the text you see is not where the link actually goes. Hover over the link, or copy and paste it into a text document, to check the path of the URL. If it looks odd, don’t click on it.
4. Report suspicious emails
If you are unsure, or if you have discovered a malicious email, it's best to let our support team know. We can help identify whether the email is malicious and will implement additional security actions should they be necessary.
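Steps 2 and 3 above can be automated on the receiving side as a triage check. The following Python script is an added example written for this page; it is not Roadmap's code or tooling. It assumes a constructed allow-list of trusted domains (TRUSTED_DOMAINS), a constructed sample message (SAMPLE_EMAIL), and a crude registrable-domain rule in place of a full public-suffix list. It flags sender domains that resemble a trusted domain after swapping confusable characters (micros0ft.com), that reuse a trusted brand under an unexpected extension, or that sit within one character of a trusted brand, and it flags links whose visible text names one domain while the href goes to another.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for this example: the domains a business expects mail from.
TRUSTED_DOMAINS = {"microsoft.com", "hmrc.gov.uk", "roadmap.example"}

# Digit-for-letter swaps commonly seen in lookalike domains (e.g. micros0ft.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Second-level labels treated as part of the suffix under two-letter country codes.
SECOND_LEVEL = {"co", "gov", "org", "ac", "net", "com"}


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (no public-suffix list):
    'login.microsoft.com' -> 'microsoft.com', 'mail.hmrc.gov.uk' -> 'hmrc.gov.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats such as 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, detail) for the domain in a From: header.
    verdict is one of 'trusted', 'lookalike', 'unknown' or 'malformed'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("malformed", from_header)
    reg = registrable(addr.rsplit("@", 1)[1])
    if reg in trusted:
        return ("trusted", reg)
    # Normalise confusable characters before comparing against the allow-list.
    norm = reg.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    brand = reg.split(".")[0]
    for t in sorted(trusted):
        t_brand = t.split(".")[0]
        if norm == t:
            return ("lookalike", f"{reg} resembles {t} after confusable substitution")
        if brand == t_brand:
            return ("lookalike", f"{reg} uses an unexpected extension; expected {t}")
        if t_brand in brand.split("-") or levenshtein(brand, t_brand) <= 1:
            return ("lookalike", f"{reg} resembles {t}")
    return ("unknown", reg)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname written out in the visible link text, e.g. "https://login.microsoft.com/reset".
HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def check_links(html_body: str):
    """Flag <a> elements whose visible text names one domain while the href goes to
    another (the 'disguised link' case), and links that are not https or mailto."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        actual = registrable(parsed.hostname or "")
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(1)) != actual:
            findings.append(("display-mismatch", text, href))
        elif parsed.scheme not in ("https", "mailto"):
            findings.append(("not-https", text, href))
    return findings


# Constructed sample message for this example.
SAMPLE_EMAIL = {
    "from": "Microsoft Account Team <security@micros0ft.com>",
    "html": '<p>Unusual sign-in detected. <a href="http://login.micros0ft.com/reset">'
            "https://login.microsoft.com/reset</a> within 24 hours.</p>",
}


def triage(message: dict) -> dict:
    """Combine the sender and link checks; 'report' is True when the message should be escalated."""
    verdict, detail = classify_sender(message["from"])
    link_findings = check_links(message["html"])
    return {"sender": verdict, "sender_detail": detail, "links": link_findings,
            "report": verdict == "lookalike" or bool(link_findings)}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The heuristics are deliberately simple: a production filter would use a public-suffix list, Unicode confusable tables and reputation data. The point is that both checks a user is asked to make by eye (who really sent this, and where does the link really go) are mechanical enough to run on every inbound message.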

What can businesses do to reduce the risk further?

When securing your IT to reduce the risk from phishing, it’s important to remember that phishing is just one piece of a wider cyber security picture. The solutions below all contribute to a more secure environment for your users to work within.

1. Cyber Security Awareness Training
Regular user training and realistic phishing simulations to build employee vigilance
2. Strong Email Security
Implement DMARC, SPF and DKIM, plus advanced spam and phishing filters
3. Zero Trust Architecture
Minimise access privileges across devices, networks and accounts
4. Supply Chain Audits
Vet vendors, enforce security standards, and monitor access
5. Active threat protection, monitoring and remediation
Antivirus and malware scanning, real-time endpoint detection and response, and protection against zero-day threats across computers, mobile devices and cloud platforms
6. Identity and Access Management
Enforce MFA, security policies, password requirements and access rights across all identities
7. Security Framework
Implement a recognised security standard, such as Cyber Essentials +, SOC 2 or ISO 27001.
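Item 2 above lists DMARC, SPF and DKIM without saying what a weak configuration looks like. The following Python script is an added example written for this page, not Roadmap's tooling; it assesses the three DNS TXT records offline. The records for example.com are constructed (a weak set beside a hardened set, and the DKIM public key is a placeholder); no DNS query is performed, so in practice you would feed it the output of a TXT lookup for your domain, _dmarc.your-domain and selector._domainkey.your-domain.

```python
# Constructed sample DNS TXT records for a hypothetical domain: a weak set and a hardened set.
WEAK_RECORDS = {
    "spf": "v=spf1 a mx include:_spf.example.net ?all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; p=",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s; pct=100",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER_PUBLIC_KEY",  # placeholder, not a real key
}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' style records (DMARC, DKIM) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Check the 'all' qualifier and count mechanisms that cost a DNS lookup (RFC 7208 limit: 10)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, qualifier_all, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            qualifier_all = qualifier
        elif mech.startswith(("include:", "exists:", "redirect=", "ptr")) \
                or mech.split(":")[0].split("/")[0] in ("a", "mx"):
            lookups += 1
    if qualifier_all is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders are implicitly neutral")
    elif qualifier_all == "+":
        findings.append("SPF: '+all' authorises every sender")
    elif qualifier_all == "?":
        findings.append("SPF: '?all' is neutral, use '-all' (or '~all' while testing)")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def assess_dmarc(record: str) -> list:
    """Check policy strength, coverage, reporting address and alignment mode."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine junks spoofed mail; move to p=reject once reports are clean")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you will not receive aggregate reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"DMARC (info): {tag} is relaxed, so any subdomain passes alignment")
    return findings


def assess_dkim(record: str) -> list:
    """Check that the published key is present and not flagged as testing."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= means the key is revoked; signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y marks the domain as testing; verifiers may ignore failures")
    return findings


def assess_domain(records: dict) -> list:
    """Run all three checks over a dict with 'spf', 'dmarc' and 'dkim' TXT record strings."""
    return assess_spf(records["spf"]) + assess_dmarc(records["dmarc"]) + assess_dkim(records["dkim"])


if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, assess_domain(recs) or ["no findings"])
```

The weak set illustrates the usual mistakes: "?all" in SPF makes the record advisory only, p=none in DMARC means receivers report spoofing but still deliver it, and an empty DKIM p= tag publishes a revoked key. The hardened set produces no findings.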

We're here to help

Roadmap are both Cyber Essentials + and ISO 27001 certified, and we can help your business achieve the same level of compliance. We also offer a number of other cyber security solutions to help secure your business.

Contact us

Roadmap achieves ISO 27001 certification

We’re thrilled to announce that Roadmap has achieved ISO 27001 certification, a globally recognised standard for information security management! This milestone underscores our commitment to safeguarding our customers' data and maintaining the highest level of trust and security in all our IT support services. To streamline this rigorous process, we partnered with Vanta, whose automation platform made compliance simpler and faster. Vanta’s real-time monitoring, task automation, and intuitive dashboards allowed us to efficiently prepare for audits and ensure we met every requirement with confidence. Achieving ISO 27001 certification not only enhances our security posture but also provides our customers with added assurance that their data is managed securely and responsibly.

Why every business, regardless of size, must take cybersecurity seriously

All businesses, regardless of size, heavily depend on digital systems and data, making cybersecurity not just a technical concern but a critical business necessity. Yet, many organisations, particularly small and medium-sized businesses (SMBs), often underestimate the importance of robust cybersecurity measures. This article delves into why every business must prioritise cybersecurity and the risks they face if they fail to do so.

A Double-Edged Sword

The digital transformation has unlocked unprecedented opportunities for businesses. AI, cloud computing, and mobile technology have all revolutionised the way companies operate, enabling faster growth and more efficient operations. However, this digital shift also comes with new risks. As businesses become more reliant on technology, they become more vulnerable to cyber threats.

Cybercriminals are becoming increasingly sophisticated, exploiting weaknesses in business systems with alarming precision. No business, regardless of size, is immune. In fact, smaller businesses are often seen as low-hanging fruit by cybercriminals because they typically have less sophisticated security measures in place compared to larger enterprises.

The Myth of "Too Small to be Targeted"

One of the most dangerous misconceptions we hear is the belief that only large corporations are targeted by cyber-attacks. This couldn't be further from the truth. Cybercriminals often target smaller businesses because they assume (often correctly) that these companies have weaker security defences. According to a report by Verizon, 46% of all data breaches in 2022 involved small businesses. The rationale is simple: while a small business may not yield as much profit as a large corporation, the effort required to breach its systems is often much lower.

The potential impacts following a cyber attack

Failing to secure your business against cyber threats can result in significant financial losses, both immediate and long-term, including costs from ransomware attacks, data breaches, and increased insurance premiums. Additionally, a cyber-attack can result in the loss of confidential data and has the potential to severely damage your reputation. Businesses also face legal and regulatory consequences, including hefty fines for non-compliance with data protection laws and potential lawsuits from affected parties.

Cyber-attacks can disrupt your operations, sometimes for days or even weeks. Whether it’s a ransomware attack that locks you out of critical systems or a denial-of-service attack that makes your website inaccessible, the impact on your ability to conduct business can be profound.

In some cases, cybercriminals are after more than just financial gain; they may seek to steal intellectual property or proprietary information.

A cyber-attack can also affect your employees. If sensitive employee data is compromised, it can lead to a loss of trust within the organisation. Additionally, the stress and extra workload that often follow an attack can lead to lower morale and productivity.

The Evolving Threat Landscape

The cybersecurity threat landscape is constantly evolving. Cybercriminals are always finding new ways to exploit vulnerabilities, and businesses need to stay ahead of these threats. This requires a proactive approach to cybersecurity, which includes regular risk assessments, employee training, and investment in the latest security technologies.

One of the most prevalent threats today is ransomware, where attackers encrypt your data and demand payment for the decryption key. Small businesses are increasingly targeted because they are often seen as more likely to pay the ransom quickly to resume operations.

Phishing attacks are becoming more sophisticated, using social engineering techniques to trick employees into revealing sensitive information or downloading malicious software. Educating employees about the signs of phishing is crucial.

Cybercriminals are now also targeting the supply chains of businesses. Even if your company has strong cybersecurity measures, a weak link in your supply chain can expose you to risks.


IT security is a business requirement, not an IT decision.

Cybersecurity isn’t just the responsibility of your IT team, it’s a company-wide concern. Creating a culture of security within your organisation is essential. This means educating employees about the importance of cybersecurity, establishing clear policies and procedures, and ensuring that cybersecurity is a regular topic of discussion at a management level.

Moreover, businesses must recognise that cybersecurity is not a one-time effort but an ongoing process. Regularly updating software, conducting security audits, and staying informed about the latest threats are all part of maintaining a strong cybersecurity posture.

Frameworks such as Cyber Essentials +, ISO 27001 and SOC 2 will significantly reduce your risk of a cyber attack and should be seen as the foundation of how you manage and protect your IT systems.

In conclusion, cybersecurity is not a technical issue confined to IT professionals, but a critical business issue that affects every aspect of an organisation. The risks of ignoring cybersecurity are too significant to overlook. Financial losses, reputational damage, legal consequences, operational disruption, and the erosion of employee morale are all potential outcomes of a cyber breach.

For businesses of all sizes, cybersecurity should be viewed as an essential investment in their future. Taking cybersecurity seriously is not just about protecting data; it’s about protecting the very foundation of your business.

The new normal

Overnight, businesses have changed how they operate, and working remotely, or working from anywhere, has quickly become the new normal. Most businesses by now will have worked with their IT teams to provide remote working solutions that enable their staff to work from home.

A common and well-documented theme, consistent across all the businesses and people I speak with, is that “this new normal” is here to stay in some capacity, and as such, planning IT systems both in and out of the office should form the basis of all IT roadmaps.

There are many “quick fix” cloud services that enable businesses to overcome a technical challenge and let their staff work remotely (e.g. Dropbox for remote file sharing). Often IT security and control of data are overlooked in favour of ease of use and quick deployment. As with any IT system, planning, security, management and reporting should be considered from the outset and are just as important as the user experience and cost of the product.

Working from home brings new challenges for business owners and IT managers. IT systems and data within your office environment are easier to secure, manage and lock down. Remote working brings a number of security and device management challenges that I will cover below.

Arguably one of your largest cyber security risks is your employees. Educating your workforce in the basics will go a long way towards protecting your IT systems and data. There are a number of inexpensive online courses that staff can take to learn the basics. Are staff aware of phishing techniques, and do they have a way of reporting any security concerns? Do they understand the importance of using secure passwords, and are they using 2FA to access your systems? Do they have the right tools to securely share data across your team and with customers? If you don’t provide your teams with the tools they need, they will quickly and easily find their own solutions, which could be highly disruptive to your business and data.

If your remote teams are using their own unmanaged devices to access your systems, this opens up a whole range of IT security and data control concerns. It is very likely you will have little to no control over your data if you have adopted this approach. If your team are working in this way and handling confidential or sensitive information, you should review this urgently.

Who has access to your data? Controlling access to your data in a remote working environment can very quickly spiral out of control. You’ve given your employees the ability to access your files so they can work on them from home. Then what? Can they upload those files to a personal Dropbox or Google Drive account, or to external drives? Once this happens you have lost control of your data, and possibly worse.

Do your remote teams have adequate network security in place? Do their home computers have access controls in place (e.g. individual, password-protected computer accounts)? Are drives encrypted? Do other people at their residence have access to the same computer? Are these devices running the latest security patches? Are these devices used to access sites that could be considered high security risks? As you can see, there are many questions to consider if cyber security and controlling your data are important to your business.

Your team may have been working remotely for a few months now. All seems well: they have access to email and files, and Zoom has become a daily ritual. But are all your IT systems being managed and maintained as if they were in the office? If you are not using an MDM solution to manage all your remote endpoints, it’s likely that security patches have not been applied and best-practice maintenance routines are not being carried out. Are antivirus and malware scans being run, along with other proactive maintenance and security routines? Neglecting these can quickly become a cyber security risk and, in turn, a risk to your data.

Now take another scenario where you need to furlough a remote member of your team or make them redundant. How do you disable access to all your IT systems efficiently and securely, with confidence that the former employee can no longer access your data? This is where having the right cloud platforms and IT team is essential. The same goes for new starters. Having the ability to onboard new members of the team remotely and provide them with preconfigured devices is going to be an essential part of your IT strategy.

There are many more areas for your IT team to consider, such as streamlining and integrating cloud and on-premises IT systems, SSO, backup, archive and business continuity. Ask your IT team how they will manage your next round of operating system upgrades across a remote team; if they are not sure, it’s time for a review.

Roadmap have managed solutions for all of the above and more, from zero-touch deployments to detailed reporting and monitoring of your remote assets and users. We empower businesses to work remotely efficiently and securely.

Credits: Image supplied by Freepik.com