After auditing small business networks across York and Yorkshire, the same issues come up every time. Not variations — literally the same issues. This is not a criticism of the businesses involved. These are the natural results of networks that were built when smaller, maintained under time pressure, and never subjected to a systematic review.

Here are the five most common problems, what the actual risk is, and what to do about them.

1. Default credentials that nobody changed

Every router, switch, wireless access point, network-attached storage device, printer, and IP camera ships with a default username and password. Sometimes they are published in a public manual. Sometimes they follow a pattern (admin/admin, admin/password, admin/the-device-model-number). Automated scanning tools know all of them.

When I do an internal network scan on a business that has never had an independent assessment, I find at least one device with default credentials. Often more. The devices most frequently affected are printers, wireless access points bought without being properly commissioned, and old NAS devices that have been running in the corner since 2017.

A device with default credentials is effectively a device with no password. If it is accessible on your network, it can be accessed by anyone on your network. If it has remote management enabled, it may be accessible from anywhere.

Fix: Audit every networked device for default credentials. Change them all. Use a password manager. This takes two to three hours for a typical small business network and costs nothing.

2. A flat network where everything can talk to everything

Most small business networks are flat. All devices — workstations, servers, IoT devices, CCTV, printers, guest wifi — are on the same network segment and can communicate freely with each other.

The problem this creates is called lateral movement. If an attacker compromises one device — say, through a phishing email that installs malware on a workstation — they can immediately start scanning and attacking every other device on the same network. The server, the NAS, the CCTV system, the printer with stored documents. All of it is reachable from the compromised device.

Network segmentation (VLANs) splits the network into separate zones. Devices in one zone cannot directly access devices in another unless the firewall explicitly permits it. A compromised workstation in the user VLAN cannot reach the server VLAN without crossing a firewall that has been configured to block that traffic.

Fix: If you have a managed switch and a router capable of VLAN configuration — which most modern business-grade equipment supports — segmentation is configurable. It requires planning (what needs to talk to what?) and careful implementation, but it is not expensive. An audit will tell you what your current network looks like and where segmentation would actually help.
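As an added illustration, not part of the article, this is what "the firewall explicitly permits it" looks like as an nftables forward policy on a Linux router sitting between the VLANs. The interface names, the VLAN roles (vlan10 users, vlan20 servers, vlan30 printers/CCTV/IoT, vlan40 guest, eth0 internet) and the two addresses are assumptions chosen for the example; NAT for internet access is left out.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article). Interface names, VLAN roles and
# addresses below are assumptions; adapt them to the real network plan.
flush ruleset

# Constructed sample addresses for the two hosts users are allowed to reach.
define FILE_SERVER = 10.20.0.10
define PRINTER     = 10.30.0.20

table inet segmentation {
    chain forward {
        # Default deny: traffic between VLANs is dropped unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were permitted in the first place may come back.
        ct state established,related accept
        ct state invalid drop

        # User VLAN -> server VLAN: only the file server, only SMB and HTTPS.
        iifname "vlan10" oifname "vlan20" ip daddr $FILE_SERVER tcp dport { 445, 443 } accept

        # User VLAN -> printer: raw/JetDirect and IPP. The printer never initiates anything.
        iifname "vlan10" oifname "vlan30" ip daddr $PRINTER tcp dport { 9100, 631 } accept

        # Users, servers and guests may reach the internet. CCTV/IoT stays local only.
        iifname { "vlan10", "vlan20", "vlan40" } oifname "eth0" accept

        # Everything else (server -> user, guest -> internal, IoT -> anywhere) is
        # dropped and logged, so a compromised device scanning across VLANs shows
        # up in the router log rather than succeeding silently.
        log prefix "inter-vlan drop: " counter drop
    }
}
```

Load it with `nft -f` and check the counter on the final rule over a week: a steady stream of hits from one workstation is exactly the lateral-movement attempt the segmentation exists to stop.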

3. No MFA on email and cloud services

If your Microsoft 365 or Google Workspace accounts do not have multi-factor authentication enabled, your email accounts are protected by a password alone. Passwords get stolen. They get reused across services. They get guessed. They get obtained through phishing.

Business email compromise (BEC) is one of the most financially damaging attack types affecting UK SMBs. The attacker compromises a legitimate email account, monitors it for financial transactions, and then impersonates the account holder to redirect a payment. The average BEC loss for a small business is in the tens of thousands of pounds. Many are not fully covered by insurance.

MFA does not make email accounts uncompromisable — there are MFA bypass techniques — but it eliminates the large majority of credential-based attacks that rely on a stolen password being sufficient.

Fix: Enable MFA on Microsoft 365, Google Workspace, and any other cloud service your business uses for email, file storage, or financial transactions. Use an authenticator app rather than SMS where possible. This is free on all major platforms and takes less than an hour to implement for a small team.

4. Software that has not been updated in months

The gap between current software versions and deployed software versions in most small business networks is larger than people realise. It accumulates gradually — a patch requires a restart, a restart requires downtime, the downtime gets deferred, and suddenly the server is running a version that has three known critical vulnerabilities and a patch that has been available for four months.

Ransomware campaigns are automated. They scan the internet for systems running specific vulnerable versions of specific software and exploit them without any human attacker needing to make a decision. EternalBlue — the exploit that powered WannaCry in 2017 — targeted a Windows vulnerability that had been patched two months before the attack. Every business that was affected had been given two months of warning and had not acted.

The same pattern continues. In 2024 and 2025, automated campaigns exploiting vulnerabilities in VPN appliances, firewalls, and remote management software affected businesses worldwide, including SMBs in Yorkshire. The patches were available. The systems were not patched.

Fix: Establish a regular patch cycle. For internet-facing systems, high-severity patches should be applied within 14 days (this is a Cyber Essentials requirement). For internal systems, monthly is a reasonable baseline. Automated update tools can reduce the manual burden. An external scan will show you exactly which systems are running out-of-date versions with known vulnerabilities.

5. "We're too small to be a target"

This is the belief I encounter most often and it is the most straightforwardly false. Ransomware campaigns are automated. They do not target specific businesses. They scan every IP address on the internet for vulnerable systems and attempt to exploit them. The attacker is not sitting at a keyboard choosing your business — a tool is running a script and your systems either responded to the probe or they did not.

The UK Government's Cyber Security Breaches Survey 2024 found that 50% of UK businesses experienced a cyber incident in the past year. The proportion for large businesses was higher, but small businesses were not immune — and small businesses typically have less resilience when an incident occurs. Less IT resource, fewer backups, less insurance coverage, more operational dependence on a small number of people who know how the systems work.

Being small does not make you a less attractive target. It often makes you a more tractable one.

Fix: Treat your business's cyber security posture the same way you would treat physical security. You would lock the door even if you thought your area was safe. You would have insurance even if you thought you were unlikely to be burgled. Apply the same logic to your network. The cost of a structured security assessment is significantly less than the cost of recovering from a ransomware attack.

Not sure where your business stands?

The Wolds Cyber Audit covers all five of these areas and more — for York and Yorkshire businesses at a fixed price of £750. One day on-site, plain-English report, money-back guarantee.


The common thread

None of these five issues require sophisticated attacks to exploit. They are the network equivalent of an unlocked door. An attacker with basic tools and the right scanning script can find all of them without any specialist knowledge.

The good news is that fixing them is also not complicated. Default credentials take an afternoon. MFA takes an hour. A patch cycle takes a policy decision and some configuration time. Network segmentation is the most involved, but for most small business networks it is a day's work with the right equipment.

The reason they persist is not that businesses do not care. It is that nobody ever looked at the full picture systematically. An independent audit creates that moment.

Charles Cassam is the founder of Wolds Cyber Ltd, based in Pocklington, East Yorkshire. He provides independent network security audits for small businesses in York and Yorkshire.