This is Part 2 of OTUSYN’s Small Business Cybersecurity Guide.
← Read Part 1: Cybersecurity Basics for Small Businesses
Once user access is protected, the next priority is the technology people use every day.
Laptops, desktops, mobile phones, email platforms, cloud services and shared files all need to be managed in a consistent way. These systems support day-to-day work, but they can also create risk when they are not visible, updated or properly configured.
This guide explains the practical steps small businesses can take to improve device, email, cloud and backup security.
Devices and endpoint security
Laptops, desktops, tablets and mobile phones are often the main way staff access business systems and information.
A lost, stolen or unpatched device can create risk, especially when it contains business files, saved passwords or active access to cloud services.
For most organisations, device security should include a clear answer to a few important questions:
- Which devices are active?
- Who is using each device?
- Are devices encrypted?
- Are software updates applied?
- Is antivirus or endpoint protection installed?
- Can a lost device be locked or wiped?
- Are former employee devices returned and reviewed?
- Are personal devices being used for business data?
A device inventory does not need to be complicated. It can begin with a simple list of devices, assigned users, operating systems, ownership status and support arrangements.
Over time, organisations may use endpoint management tools to make security settings more consistent across laptops and mobile devices. This can help with patching, encryption, security policies, application control and device visibility.
The main benefit is consistency.
Instead of relying on each user to keep devices secure, the organisation can apply a baseline that is easier to manage and review.
Learn more about Endpoint Management.
Email, collaboration and cloud services
Email remains one of the most important areas of cybersecurity.
Most phishing attacks, account compromise attempts and fraudulent payment requests begin with email. Staff may receive messages that appear to come from customers, suppliers, banks, colleagues or senior leaders.
The message may ask them to open an attachment, click a link, reset a password, make a payment or share sensitive information.
Email security is not only about filtering malicious messages. It is also about making sure the organisation’s email platform is configured correctly and that staff know how to respond to suspicious activity.
A strong email and cloud security baseline should include:
- Multi-factor authentication for all users
- Anti-phishing and spam protection
- Admin account reviews
- Secure external sharing settings
- Clear rules for forwarding business email
- Monitoring for suspicious sign-in activity
- Guidance for staff on reporting suspicious messages
- Regular review of old accounts and mailboxes
Many organisations use Microsoft 365, Google Workspace or a combination of cloud services. Both platforms can be secure when they are configured and managed properly.
The key is to make sure ownership is clear and settings are reviewed as the business changes.
Explore OTUSYN Microsoft 365 Support for practical support with Microsoft 365, identity, collaboration and cloud security.
Backups and recovery
Backups are an important part of a strong technology foundation, but they are often misunderstood.
A backup is not simply a copy of files. It is part of a recovery plan.
The organisation should understand what is backed up, how often backups run, where the backup data is stored and how recovery would work if information was deleted, encrypted or unavailable.
A useful backup review should answer:
- Which systems are backed up?
- Are cloud files included?
- Are email and mailbox data included?
- How often do backups run?
- How long is backup data retained?
- Who checks whether backups are successful?
- Has recovery ever been tested?
- How quickly could important information be restored?
A backup that has never been tested may not provide the confidence the organisation expects.
Even a small recovery test can be valuable. For example, restoring one file, one mailbox item or one folder can show whether the process works and whether the business knows what to do during a real incident.
Backups should support the wider cybersecurity approach. They do not replace good access control, device security or staff awareness. They are one important layer in a broader security baseline.

What to do next
Devices, email, cloud services and backups need the right technical controls. However, technology works best when staff understand their role and there are clear processes behind it.
Continue reading:
Part 3: Cybersecurity Processes, Staff Awareness and Ongoing Support →