76 – Cyber-Security Isn’t an IT Problem — It’s a Team Sport

This week on Impactful Teamwork, I sat down with Andy Price, founder of Initial IT, for a straight-talking tour of small-business cybersecurity. He cut through the myths fast. Most attacks on SMEs aren’t cinematic, targeted capers; they’re opportunistic scans that probe the internet for weak doors. Find one, and the attackers walk in. When that happens, it’s not only systems that go down — trust, sales and team morale go with them. Let’s stop treating this as “the IT guy’s job” and start treating it as teamship.

The uncomfortable truth about modern attacks

Forget the hoodie-in-a-dark-room stereotype. Cybercrime runs like an industry, with office hours, targets and KPIs. Automated tools sweep for vulnerabilities and strike wherever they find one. Two patterns cause the most pain. First, data exfiltration: client information gets stolen and sold, and you end up notifying regulators and apologising to customers while your reputation takes a beating. Second, ransomware: your files are encrypted, operations stall and you’re left choosing between a ruinous payout and a slow, painful recovery. Either choice hurts. Crucially, small doesn’t mean safe. Attackers often don’t know who you are until they’re already inside.

Cyber Essentials: your minimum viable defence

There’s a sensible baseline every scaling business should adopt: Cyber Essentials. It’s a UK government-backed standard that forces practical discipline. Are your devices patched? Do you kill default passwords? Are joiners provisioned correctly and leavers fully removed? Is multi-factor authentication enabled as standard? None of this is glamorous; all of it is effective. Increasingly, bigger clients and public bodies expect suppliers to meet this bar. In other words, good security posture is now commercial hygiene and a competitive signal, not a box-ticking chore.

Your people are the perimeter

Breaches rarely start with world-class codebreaking. They start with a busy human who clicks a convincing link, shares a credential or skips a process. If the organisational response is blame, people learn to hide mistakes — and silence turns small incidents into disasters. Psychological safety isn’t fluffy; it’s operational security. Train the team regularly. Show real phishing examples. Run simulations that feel authentic. Most importantly, praise early reporting. When “I think something’s off” is celebrated, people speak up faster. Speed reduces damage.

Backups: worthless until priceless

Here’s a line from Andy I’ll repeat forever: backups are worthless; restores are priceless. Leaders usually get serious about backups after getting burned. Don’t wait for that lesson. You need offsite, immutable backups that can’t be altered or deleted — even by an attacker with access. USB drives on a desk won’t cut it. Nor will a simple sync to a cloud folder that could be encrypted or wiped. Go for snapshot-based backups stored in a separate, managed vault, and actually test restores so you know the real recovery time. Think seatbelts: you don’t plan to crash, but you plan for the possibility.

Keep policies brutally practical

Security theatre wastes time; security clarity protects it. Keep the rules short and usable.

  • Passwords: longer is stronger. Use a password manager and enforce multi-factor authentication across systems.
  • Access: apply least-privilege. People get what they need to do the job — no more.
  • Joiners/Movers/Leavers: automate provisioning and deprovisioning so no “zombie” accounts linger.
  • Vendor sprawl: prune ruthlessly. Every extra app is another door to guard.
  • Incident drills: table-top your worst day. Who talks to clients? Who informs the regulator? Where’s the playbook?
  • Device hygiene: patch cycles, encrypted drives and remote wipe as standard.

AI: accelerate the good, anticipate the bad

AI is changing the game on both sides. On the inside, it helps us triage tickets, detect anomalies and eliminate drudge work. On the outside, criminals use it to craft flawless phishing emails, clone voices and create slick lures. Consequently, your threshold for “looks legit” needs to rise. At the same time, human skills — judgement, curiosity and candour — become even more valuable. Use AI to reduce noise, not to outsource your relationships or ethics. Write the first draft yourself, then refine with AI. And always verify through a second channel: if “the bank” calls, you hang up and call the number on the back of the card. No exceptions.

Culture beats criminals

You can buy tools. You can’t buy trust. Security culture grows the same way team trust grows: clear standards, consistent behaviour and mutual accountability. As leaders, our job is to make the secure path the easy path. Remove friction from good practice rather than piling on hoops people will dodge under pressure. Treat cyber like health and safety — embedded in the way you work, not bolted on at the end. When protecting the herd becomes part of everyone’s role, your team acts like an immune system. Threats still come; your response becomes instinctive.

The real cost of a breach

Let’s be candid. A breach isn’t a single invoice; it’s a momentum killer. Pipelines pause while you firefight. Prospects hesitate because they sense risk. Your best people burn out cleaning up chaos. Leadership attention gets hijacked for weeks. The external bill stings, but the invisible costs bite harder. If you pride yourself on being values-driven, protect the value clients trust you with: their data. That’s table stakes for modern leadership.

From command to collaboration

Old school says security belongs to IT and IT belongs in the corner. Teamship says security is a shared responsibility because everyone has influence. In practice, that might mean a five-minute “security moment” at your all-hands each month. It could mean a rotating “threat spotter” in each team who flags suspicious patterns. It might mean OKRs that link security hygiene to business outcomes. This isn’t driven by fear; it’s fuelled by pride. We are the kind of business that looks after our people, our clients and our future.

Talent, energy and finding the spark

My favourite part of talking with Andy was his backstory — the student labelled “not academic” who discovered the right environment and lit up. That’s the essence of Impactful Teamwork. When people find work that fits their natural energy, performance soars. Cyber follows the same logic. Spot the Spades who love “winning” the defence game, the Clubs who obsess over patch cycles and process, the Diamonds who’ll evangelise new tools, and the Hearts who will coach psychological safety. Harness that mix and your resilience multiplies.

Try this this week

  • Run a “phish freeze.” Show three real emails — one genuine, two fake — and have the team vote. Discuss why.
  • Enable MFA everywhere that touches client data. Do it today, not next quarter.
  • Book a Cyber Essentials gap review. Even if you’re not ready to certify, close the obvious holes.
  • Audit backups with two questions: when did we last test a restore, and how long did it take? If you don’t know, you don’t have a strategy.
  • Rewrite your incident playbook in plain English. Remove blame, add speed and make the first step obvious.

Key take-aways

  • Opportunistic attacks are the norm; exposure equals risk.
  • Cyber Essentials provides a strong, commercially credible baseline.
  • People form your first and last line of defence — train them and reward early reporting.
  • Offsite, immutable and tested backups turn crises into recoveries.
  • AI raises the bar for both attackers and defenders; keep the human in the loop.
  • Culture, not tools, determines resilience.
  • Breaches drain trust, energy and momentum far beyond the incident itself.

If this sparked a “we should sort that” moment, gather your leadership team for a 20-minute huddle and pick one action to ship this week. Want an expert lens on your setup? Connect with our guest, Andy Price of Initial IT — his details are in the show notes. Protect the herd. Protect the momentum. That’s what impactful teamwork looks like.

Show Notes

00:00 Introduction and Guest Welcome

01:54 Understanding Cybersecurity Threats

02:48 Strategies for Small Businesses

14:58 The Importance of Data Backup

20:13 Andy’s Journey into IT

27:11 The Impact of AI on Business

34:16 Conclusion and Resources

Connect with Andy at https://www.initialit.co.uk/ or via his email an**@**********co.uk