
ICO urges small businesses to tighten cyber security

[Image: shopping cart sign against a binary code background. Photo: iStock]

Businesses are being urged to strengthen their cyber security measures after a fresh wave of high-profile attacks disrupted global supply chains and cost UK retailers hundreds of millions of pounds.

The Information Commissioner’s Office (ICO) this week reminded businesses that protecting customer and staff data must be a top priority, with government figures estimating 7.7 million cyber crimes against UK businesses over the past year.


The warning comes as Japan’s Asahi Group, brewer of Super Dry beer and owner of Nikka Whisky, continues to grapple with the fallout from a ransomware attack that has disrupted operations since Monday. The company suspended shipping and order processing after its systems were knocked offline, forcing it to take handwritten orders and ration deliveries.

The attack on Asahi is the latest in a series of sophisticated cyber incidents targeting household names. In Britain, Marks & Spencer and the Co-op Group have also been hit. Co-op revealed last week that the disruption wiped £206 million off its revenues in the first half of 2025, with profitability dented by around £80 million. M&S said in May that the cyberattack will cost it around £300 million in lost operating profit.

While large corporations often make headlines, the ICO stressed that small businesses are equally at risk, particularly independents that rely on digital systems for payments, customer data, and supplier orders.

“While cyber attacks can be very sophisticated, we find that many organisations are still neglecting the very foundations of cyber security,” Ian Hulme, Executive Director for Regulatory Supervision at the ICO, said.

“As the data protection regulator, we want to support organisations to get this right and these simple steps will help to protect both your customers and your business.”

The ICO highlighted simple but effective steps retailers can take to protect themselves, including:

  1. Back up your data
    • You should back up your data regularly. If you’re using an external storage device, keep it somewhere other than your main workplace – encrypt it, and lock it away if possible.
    • Check your back-up. You don’t want to find out it’s not worked when you need it most. Make sure your back-up isn’t connected to your live data source, so that any malicious activity doesn’t reach it.
  2. Use strong passwords and multi-factor authentication
    • Make sure you use strong and unique passwords, which are difficult to guess, on all accounts and devices where personal information is stored. The National Cyber Security Centre (NCSC) recommends using three random words.
    • Where possible, you should consider using multi-factor authentication. Multi-factor authentication is a security measure to make sure the right person is accessing the data. It requires at least two separate forms of identification before access is granted, for example a password plus a one-time code from an authenticator app.
  3. Be aware of your surroundings
    • Be careful what you say and what documents are open on your screen when people are around you, particularly if you’re in a public place where people can easily see you and overhear your conversations.
  4. Be wary of suspicious emails
    • You and your staff need to know how to spot suspicious emails. Look out for signs such as bad grammar, demands for you to act urgently and requests for payment. New technologies mean that email attacks are becoming more sophisticated. A phishing email could appear to come from a source you recognise. If you’re not sure, check with the sender through a channel you already trust, such as a known phone number, rather than by replying to the email.
  5. Install anti-virus and malware protection and keep it up to date
    • You must make sure the devices you and your employees use at home, or when you’re working away, are secure. Anti-virus software can help protect your device against malware sent through a phishing attack.
  6. Protect your device when it’s unattended
    • Lock your screen when you’re temporarily away from your desk to prevent someone else accessing your computer. If you do need to leave your device for longer, put it in a secure place, out of sight.
  7. Make sure your Wi-Fi connection is secure
    • Using public Wi-Fi, or an insecure connection, could put personal data at risk. You should make sure you always use a secure connection when connecting to the internet. If you’re using a public network, consider using a secure Virtual Private Network (VPN).
  8. Limit access to those who need it
    • Different workers may need to use different types of information. Put access controls in place to make sure people can only see the information they need. If someone leaves your company, or if they’re absent for a long period of time, suspend their access to your systems.
  9. Take care when sharing
    • Sharing your screen in a virtual meeting may show your device to others exactly as you see it, including any open tabs or documents. Before sharing your screen, you should close anything you don’t need and make sure your notifications and pop-up alerts are switched off.
    • Be careful when sending emails to multiple people. If an email may reveal sensitive information about the recipients, use alternatives to the blind carbon copy (BCC) email function such as bulk email or mail merge services.
  10. Don’t keep data for longer than you need it
    • Getting rid of data you no longer need will free up storage space. This also means you have less personal information at risk if you suffer a cyber-attack or personal data breach.
  11. Dispose of old IT equipment and records securely
    • You must make sure no personal data is left on laptops, smartphones or any other devices before you dispose of them. You could consider using deletion software or hiring a specialist to wipe the data.
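The "check your back-up" step above is the one most often skipped. As an added example (not code from the ICO or from this article), the script below records a SHA-256 manifest of the live data and later checks a backup copy against it, reporting files that are missing or whose contents differ. The directory layout and file contents are constructed inline so it runs offline; in practice the manifest is written at backup time and the check is run against the offline copy before you rely on it.

```python
"""Verify that a backup copy is complete and intact.

Added example, not part of the ICO guidance or the article. It builds a
SHA-256 manifest of the live data, then compares a backup directory against
that manifest. The sample files below are constructed so the script runs
offline; point build_manifest() and verify_backup() at real paths in use.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup directory against a manifest taken from the live data.

    Returns the problems found: entries absent from the backup and entries
    whose contents no longer match. Two empty lists mean the backup checks out.
    """
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_file(candidate) != expected:
            mismatched.append(rel)
    return {"missing": missing, "mismatched": mismatched}


def demo() -> dict:
    """Constructed scenario: one good copy, one truncated copy, one file never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        for d in (live / "orders", backup / "orders"):
            d.mkdir(parents=True)

        # Constructed sample "live" data.
        (live / "orders" / "2025-09.csv").write_text("id,total\n1,19.99\n")
        (live / "customers.csv").write_text("name,email\nA,a@example.com\n")
        (live / "suppliers.txt").write_text("Acme Ltd\n")

        # Manifest is taken from the live data at backup time and stored
        # alongside the backup so the copy can be checked later.
        manifest = build_manifest(live)
        (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulated backup run: one good copy, one truncated by a bad copy,
        # and suppliers.txt never copied at all.
        (backup / "orders" / "2025-09.csv").write_text("id,total\n1,19.99\n")
        (backup / "customers.csv").write_text("name,email\n")

        stored = json.loads((backup / "manifest.json").read_text())
        return verify_backup(stored, backup)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offline copy, not only on the live system: if ransomware reaches the live data it can also rewrite a manifest stored there, and the check would then pass against corrupted expectations.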

If an organisation experiences a personal data breach as a result of a cyber attack, it should report the breach to the ICO within 72 hours of becoming aware of it where the breach is likely to pose a risk to the people affected, the regulator added.

For more advice on protecting personal information, visit the ICO’s security guidance for organisations.

Retailers are also being encouraged to make use of the National Cyber Security Centre’s resources and the government-backed Cyber Essentials certification programme, which provides practical support to keep customer data safe.