Remember all that follows is my view of it all. I am NOT a cyber tech, but I have to work with all these things to be in business - and so do you whether you are aware of it or not. Can you imagine running a business and not being aware of all that follows? Most do.

Another expression or two are “attack vector” and “attack surface”.
When all’s said and done those are really a bit vague unless you are a cyber specialist. However, jargon has its place because it facilitates communications between those who know. Like a different language. So we can pick up a few of the terms to help us along. I am going to copy the list of common attack vectors from the wikipedia attack surface entry below.

Attack vectors include user input fields, protocols, interfaces, and services. There are over 100 attack vectors and breach methods that hackers can use. Here are some of the most common attack vectors: https://en.wikipedia.org/wiki/Attack_vector

Some common attack vectors:

exploiting buffer overflows; this is how the Blaster worm was able to propagate.

exploiting webpages and email supporting the loading and subsequent execution of JavaScript or other types of scripts without properly limiting their powers.

exploiting networking protocol flaws to perform unauthorized actions at the other end of a network connection.

phishing: sending deceptive messages to end users to entice them to reveal confidential information, such as passwords.

I have split them into two types, and initially put “misconfiguration” in both lists and then changed my mind. Then I will/have add my own take (attempt) on who or what needs our attention for each. All general of course, for example anyone can suffer a DDoS attack.

HUMAN weakness

Compromised credentials - user attitude and attention

Weak and stolen passwords - user haveIbeenpwned.com

Malicious insiders - beware traitors

Missing or poor encryption - owner and users

Misconfiguration - owner and users (byod)

Ransomware - owner and user training

Phishing - user training, “don’t click links!”

Trust relationships - beware MITM attacks.

COMPUTER weakness

Javascript Threats (Magecart) - web site owners

Distributed Denial of Service (DDoS) - enterprise service providers

Brute force attack - server admins

Zero-day vulnerabilities - software developers

Misconfiguration - once set, system issues.

That’s a long list, yet short in so far as it gives us the context of what we have to be aware of as regards “common” ones. Elsewhere in my pages here you can see I have a narrow focus on ransomeware, which is because there is no real time (that means right now, immediate, instant) defence yet. Zero-day is a bit worrying, but we have to rely on our confidence in our suppliers - which means that also needs our attention.

ok so that’s what “vectors” look like and now also copied from the wikipedia entry for Attack surface entry:

An attack surface ^[4] composition can range widely between various organizations, yet often identify many of the same elements, including:

Autonomous System Numbers (ASNs) - vast numbers of i p addresses are managed by typical ASNs, as in hundreds of thousands and they supply the suppliers that supply us.

IP Address and IP Blocks - still huge blocks of i p addresses, but managed by our direct suppliers, such as Heart Internet or 123-Reg.

Domains and Sub-Domains (direct and third-parties) - The registrant (i.e. you) so we manage registration details and maybe DNS.

SSL Certificates and Attribution - We validate and buy from them.

WHOIS Records, Contacts, and History - We manage these.

Host and Host Pair Services and Relationship unknown.

Internet Ports and Services - Firewall manager, me/you.

NetFlow - I think this is above our pay grade, i.e. an enterprise matter.

Web Frameworks (PHP, Apache, Java, etc.) - Web server manager.

Web Server Services (email, database, applications) - ditto esp email

Public and Private Cloud - Again us, but typically at the level of dropbox, gdrive and onedrive type of things, running your own cloud is out of my scope here.

I have not split the above because they are I think all computer matters, not human. However, we do of course have a human role that is usually responsible so I will have a crack at adding what I think these are, by reference to who is “hands on” as opposed to carries responsibiity, as that’s the IT director or similar name or maybe just you with that hat on.

So, from that list the ones where we interact directly in our “one-person non i.t. tech” business I draw out the following:

Domain registration management

Whois management

Firewall management

Email

Cloud storage

And more technical not for the feint hearted:
Server management PHP, Java, Apache, databases and applications.

Yes, and the most obvious is Google’s gmail and associated array of apps and services. However, it is possible to engage with them and fail to understand what you are buying, thinking there is no need to think - all perfectly normal. By way of an example if you are one of these go check their application of “DKIM” and how that affects your email security as in is it good, better or best. For multiple email accounts the issue with Google is cost-per-user so there is a temptation to share for example “sales” email between all sales staff, which is a cyber security risk - see Attack Vectors.

So as above it is possible to find service providers who offer to provide all of these things. Let us say you do that.

What that leaves is my (cut down wikipedia list) list of HUMAN weaknesses listed above. There really isn’t a dodge for those. You have to be aware of them and behave appropriately. For example never use the same password twice and preferably never use a login email more than once. Be aware that password strength is determined by length not complexity. The received wisdom is to use a “password manager” of which there are several.

Negotiation and population of contracts of sales and purchases, being aware of “pre-incorporation” contracts. Check companies house for existence

Take insurance policies, both required by law (motor and employer) and other risks mitigation (e.g. p.i.i and product liability etc) . Check START dates result in desirable renewal dates (so for NOT expiring weeks before the company year end (Accounting Period) where renewal can be required despite only a week or two’s cover is required.

Professional review of contracts preferably before, but can be after signature. Awareness of whether third parties can view the absence of such reviews to be an absence of business control (competence), so sometimes one may not think review is necessary, but the presence of that process is the more important in risk mitigation. There seems to be a certain irony in a legal contract review being important in risk management not for the result of the review, but for having been carried out regardless.

Consider use of “high street” or “Fintech” banks or indeed both. As regards Fintech the current experience is their reliability can be compromised because they make insufficient effort at the time of account opening in favour of ease of that process and then freeze a transaction while demanding documentary evidence for it. High Street banks tend to be more difficult to open but more reliable ongoing, subject to their later requests, but these do not involve freezing live transactions.

In view of the risk of a bank being unreliable it is wise to have more than one so that if one closes your account and sends you a cheque for the balance made payable to your company, you have somewhere to pay in this cheque.

Given you have two accounts, use one for larger and / or “formal” matters such as taxation, VAT, dividends, sales (low volume), payroll, rent and so on. Use the other for the “shrapnel” transactions; so these are relatively high volume low value, for example daily subsistence coffee, fuel purchases, small stationery and so on. Perhaps as a very rough rule of thumb this may be all amounts less than £5,000 unless “formal”.

AVOID using any of your personal accounts whether debit or credit. Do NOT engage in “re-imbursed expenses” which you may be accustomed to doing previously. Why? HMRC P.a.y.e. traps which are no problem until they are AND in any case require payroll operations when simply using a company card removes all of this red tape.

Clearly do not mix business and personal transactions between business and personal bank (and card) accounts. However, if in doubt use the company account because this can be simply allocated to (ceteris paribus) your director’s loan account, whereas a business payment paid personal leads you in to “re-imbursed expenses” as above. Keep it simplest.

More than two accounts? Sure, no problem. Make SURE you have the bookeeping sorted, preferably automatically using tech not people. Check for bookkeeping systems in the cloud that are offered free with one bank account or another, then check all your accounts can automatically feed this, including if that includes all or only some types of and level of account (such as “basic” versus “pro”). Some require their own proprietary system to be used for feeds and other offer nothing at all and must be manually exported and imported (which is easy enough as long as the cut off dates are always strictly checked).

In likely order of ability to enact by passage of time. The issue in these is that while we desire to get everything done immediately so we can no longer have to give it further attention, these matters are forcibly delayed by HMRC’s procedures

VAT - pre or at registration threshold

CT41G HMRC form arrives (eventually) making possible the following:

Payroll scheme if required.

Gov Gateway to HMRC account (immediate access) - personal identity controls can be very difficult, despite on the surface appearing simple enough.

Notify company “start of activity” date - this is intended to avoid doing more than ONE corporation tax return at the end of the first “year” of business.

Apply for and activate Corporation tax in the gateway - delay as code is sent by post.

Check the ARD (“year end”) date as companies house is as desired - keep in mind an extension can be done only ONCE every FIVE years while shortenings are not restricted.

Make sure your S.A. matters are all also working. I question mixing these two.

Date of formation shown on the COI (Certificate of Incorporation)

1st accounts filing date is EXACTLY 9 months later

2nd accounts filing date is 12 months to the year end date (the “A.R.D.)

1st CS01 is 12 months plus 15 days later.

These must be on or after the formation date, not before

End dates are as negotiated and need to be monitored.

Insurance policy dates should be carefully matched with contracts to avoid annual renewals a short time before a contract expires.

Legal reviews must be considered before or after start dates, depending on circumstances.

Similarly other legal aspects must be considered outside the contract terms, such as how business is conducted as compared to the contract. This is about the intentions of the parties as demonstrated rather than as written.

Domain name can be any time by you, but ownership should be transferred to the company when formed and all contact data managed to avoid exposing private details (especially home addresses) to the internet. E.g. also email addresses and telephone numbers.

Telephone numbers to be company related not personal numbers

Email as for phone numbers.

Companies house make sure SAIL addresses are used, not home addresses.

HMRC will send a form CT41G with company UTR (Unique Tax Reference), in due course and littel can be done until this arrives.

With UTR create Gov Gateway account to access HMRC (immediate) and details from any two of

UK Passport

UK Driving licence

Three answers from credit record (no one gets these right so get a copy of your credit record first)

P60

S.A. (make sure you have your own SA access set up first)

With Gateway account set “date of activity start” with HMRC (immediate)

With Gateway account activate Corporation Tax (a code is sent by post, so NOT immediate)

Set up paye if required.

Vat Registration if desired prior to registration threshold.

Applications require various authentications and these often request the following so make sure you have set these up first, there are no deadlines except to be ready for account applications:

Web page for the company

Linkedin profile for director(s)

Copies of contracts

Passports

Driving licences

Business activity description

Contrary to popular belief bank accounts may be less urgent because until money is due in their details are not required, for example in contracts and individuals personally wanting to complete the process is not the same as it being mandatory - stay in control and do not hand it over to others.

That said get two banks at least so that in any event your business can continue to operate.