Why the Boring Stuff Catches the Bad Guys: Anomaly Detection for Businesses That Cannot Afford a SOC

Clifford Stoll caught a KGB spy ring in 1986 because he refused to ignore a 75-cent billing discrepancy. He did it with printouts, a homemade beeper, and obsessive note-taking. No security operations centre. No threat intelligence feed. No vendor contract.

Forty years later, most UK small businesses have better monitoring tools built into their existing software than Stoll had in his entire lab. The problem is not capability. It is that nobody switches the tools on.

The DSIT Cyber Security Breaches Survey 2025/2026, published on 30 April, confirms the scale of the problem: 43% of UK businesses experienced a cyber breach or attack in the past twelve months, representing approximately 612,000 organisations. Phishing remains the dominant entry point, reported by 38% of businesses.

But here is the figure that should worry you more than the breach rate: only around a quarter of businesses using or considering AI have security practices in place to manage the associated risks. If organisations are adopting new technology faster than they are building basic visibility into what is happening on their own systems, anomaly detection is not keeping pace with the attack surface.

This article is about closing that gap without spending money you do not have.

What Anomaly Detection Actually Means for a Small Business

Strip away the vendor marketing and anomaly detection is a simple idea: does this look normal?

At enterprise scale, that question gets answered by machine learning algorithms processing terabytes of log data in real time. At small business scale, it gets answered by a human being noticing something odd and following up on it. Both are valid. The enterprise version is faster. The human version is available to you right now, for free.

An anomaly is anything that deviates from the established pattern of how your systems are normally used. A login from a country where you have no staff. An admin password change at 2am when your office closes at 6pm. A spike in outbound data transfer on a Sunday. A new device appearing on an account that has only ever been accessed from one laptop.

None of these things are necessarily malicious. But each one deserves a question. And the act of asking that question, of checking, is what separates businesses that catch problems early from businesses that find out they have been breached when the ICO letter arrives.

The Three Layers You Already Have

Most UK small businesses run on one of three cloud stacks: Microsoft 365, Google Workspace, or a combination of smaller SaaS tools. All three have built-in logging and alerting that most organisations never touch.

Layer 1: Identity logs. Every time someone signs into your cloud platform, a record is created. That record typically includes the user, the time, the device, the location (by IP address), and whether the login succeeded or failed. In Microsoft 365, this lives in the Azure AD sign-in logs. In Google Workspace, it is in the Admin Console under Reports. These logs exist whether you look at them or not. The question is whether you have configured any alerts to tell you when something looks unusual.

Layer 2: Admin change logs. When someone changes a password, adds a new user, modifies permissions, or adjusts security settings, that action is logged. These are the highest-value logs for detecting compromise, because attackers almost always modify accounts or permissions after gaining initial access. If you receive an alert every time an admin change occurs, you will know immediately when something happens that you did not authorise.

Layer 3: Network and device logs. Your firewall, router, and endpoint protection software all generate logs. The depth varies enormously depending on what you have, but even a basic broadband router logs connection attempts. If you use a managed firewall, your provider almost certainly has access to more detailed logs than you realise.

The Five Alerts That Matter Most

If you do nothing else after reading this article, configure these five alerts. They cover the most common indicators of compromise for small businesses and they are available in every major cloud platform.

Alert 1: Impossible travel. A user logs in from London at 10am, then from Lagos at 10:15am. Unless they have access to teleportation, that second login is not them. Microsoft 365 calls this “impossible travel” in its identity protection settings. Google Workspace flags it as a suspicious login. Switch it on.

Alert 2: New device or browser. When an account that has only ever been accessed from one Windows laptop suddenly appears on an Android phone in another country, that is worth a question. Both Microsoft and Google can notify you or the user when a new device accesses an account.

Alert 3: Failed login threshold. Ten failed password attempts in two minutes is not a user who forgot their password. It is either a brute force attack or a credential stuffing attempt. Set a threshold and get notified when it is exceeded.

Alert 4: Admin role changes. Any time a user is elevated to admin status, or admin permissions are modified, you should know about it immediately. This is often the first thing an attacker does after compromising a regular account.

Alert 5: Mail forwarding rules. A classic post-compromise move is to set up a mail forwarding rule that silently copies all incoming email to an external address. The user never notices because the emails still appear in their inbox. Both Microsoft 365 and Google Workspace can alert on new forwarding rules.
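The five alerts above are usually switched on as platform settings, but it helps to see what each one actually tests for. The script below is an added example written for this article, not code from Microsoft, Google or the original page: it runs the five checks over a small, constructed set of sign-in and audit events. The field names, the audit action names and the 900 km/h "faster than an airliner" cut-off are assumptions you would map to your own export; the cities, users and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events, not real log output. The field names are an assumption that
# loosely mirrors cloud sign-in and audit exports; a real export needs a small mapping step.
SIGN_INS = [
    {"user": "alice", "time": "2025-05-05T10:00:00", "country": "GB", "lat": 51.5074, "lon": -0.1278,
     "device": "win-laptop-01", "result": "success"},
    {"user": "alice", "time": "2025-05-05T10:15:00", "country": "NG", "lat": 6.5244, "lon": 3.3792,
     "device": "android-unknown", "result": "success"},
    {"user": "carol", "time": "2025-05-05T08:55:00", "country": "GB", "lat": 51.5074, "lon": -0.1278,
     "device": "mac-01", "result": "failure"},          # one typo, then success: nothing to see
    {"user": "carol", "time": "2025-05-05T08:56:00", "country": "GB", "lat": 51.5074, "lon": -0.1278,
     "device": "mac-01", "result": "success"},
]
# Ten failures against bob inside one minute: a burst, not a forgotten password.
SIGN_INS += [
    {"user": "bob", "time": f"2025-05-05T09:00:{6 * i:02d}", "country": "US", "lat": 40.7128,
     "lon": -74.0060, "device": "unknown", "result": "failure"}
    for i in range(10)
]
AUDIT = [
    {"actor": "alice", "time": "2025-05-05T10:20:00", "action": "Add member to role",
     "target": "alice", "detail": "Global Administrator"},
    {"actor": "alice", "time": "2025-05-05T10:22:00", "action": "New-InboxRule",
     "target": "alice", "detail": "ForwardTo=external@example.net; DeleteMessage=False"},
    {"actor": "carol", "time": "2025-05-05T11:00:00", "action": "Update user",
     "target": "dave", "detail": "Department=Sales"},
]
KNOWN_DEVICES = {"alice": {"win-laptop-01"}, "carol": {"mac-01"}}  # baseline from past sign-ins
# Audit action names differ between platforms; these are placeholders to map to your export.
ADMIN_ROLE_ACTIONS = {"Add member to role", "Remove member from role", "Update role"}
FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def ts(event):
    return datetime.fromisoformat(event["time"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres, Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900, min_km=100):
    """Alert 1: consecutive successful sign-ins by one user that imply an impossible speed.
    min_km ignores geo-IP jitter within the same city."""
    alerts, by_user = [], defaultdict(list)
    for e in sorted(events, key=ts):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (ts(cur) - ts(prev)).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > min_km and speed > max_kmh:
                alerts.append(("impossible_travel", user,
                               f"{prev['country']}->{cur['country']} {km:.0f} km in {hours * 60:.0f} min"))
    return alerts


def new_devices(events, known):
    """Alert 2: a successful sign-in from a device outside the user's known baseline."""
    alerts, seen = [], {u: set(d) for u, d in known.items()}
    for e in sorted(events, key=ts):
        if e["result"] != "success":
            continue
        if e["device"] not in seen.setdefault(e["user"], set()):
            alerts.append(("new_device", e["user"], f"{e['device']} from {e['country']}"))
            seen[e["user"]].add(e["device"])
    return alerts


def failed_login_bursts(events, threshold=10, window=timedelta(minutes=2)):
    """Alert 3: at least `threshold` failures for one account inside a sliding `window`."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=ts):
        if e["result"] == "failure":
            failures[e["user"]].append(ts(e))
    for user, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("failed_login_burst", user, f"{end - start + 1} failures in {window}"))
                break                              # one alert per account is enough
    return alerts


def admin_role_changes(audit):
    """Alert 4: any change to administrative role membership."""
    return [("admin_role_change", a["target"], f"{a['action']} by {a['actor']}: {a['detail']}")
            for a in audit if a["action"] in ADMIN_ROLE_ACTIONS]


def forwarding_rules(audit):
    """Alert 5: inbox rules that forward or redirect mail, the classic silent copy."""
    return [("mail_forwarding", a["target"], f"{a['action']} by {a['actor']}: {a['detail']}")
            for a in audit
            if "InboxRule" in a["action"] and any(k in a["detail"] for k in FORWARDING_KEYS)]


def run_all(sign_ins=SIGN_INS, audit=AUDIT, known=KNOWN_DEVICES):
    return (impossible_travel(sign_ins) + new_devices(sign_ins, known)
            + failed_login_bursts(sign_ins) + admin_role_changes(audit) + forwarding_rules(audit))


if __name__ == "__main__":
    for rule, user, detail in run_all():
        print(f"[{rule}] {user}: {detail}")
```

On the constructed data alice trips four of the five checks (London to Lagos in fifteen minutes, an unknown Android device, a role elevation and a forwarding rule) and bob trips the burst threshold, while carol's single mistyped password raises nothing. That contrast is the point: the checks are deliberately coarse, because a small business needs alerts it will actually read.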

The 10-Minute Weekly Review

Alerts handle the obvious signals. But some anomalies only become visible in context, when you look at a week’s worth of activity and notice something that does not fit the pattern.

Set aside ten minutes once a week. Pick a consistent time. Open your cloud admin console and look at three things.

Sign-in activity. Scan the list of recent logins. Are there any locations you do not recognise? Any times that seem unusual for your team’s working patterns? Any accounts logging in that should not be active?

Admin changes. Review any changes to user accounts, permissions, or security settings. Did anyone create a new account you were not expecting? Did anyone modify MFA settings?

Failed login attempts. Look at the volume and pattern of failures. A steady trickle of failed attempts against multiple accounts may indicate credential stuffing using passwords from a data breach.

This is not forensic analysis. It is pattern recognition. You know what normal looks like for your business. When something does not match, investigate it.
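The weekly review catches what per-event alerts cannot: a source that tries two passwords against each of six accounts over a week never reaches a ten-failure threshold, but stands out the moment you group failures by where they came from. The script below is an added example for this article, not code from the original page or from any cloud vendor. It summarises a constructed week of sign-ins into the three things the review asks about; the "day" field stands in for a full timestamp, and the users, addresses and countries are made up.

```python
from collections import defaultdict

# Constructed week of sign-in events, not real log output. "day" stands in for a full
# timestamp; the field names are an assumption loosely based on cloud sign-in exports.
OFFICE_IP, SPRAY_IP = "203.0.113.10", "198.51.100.9"
WEEK = [
    {"user": user, "day": day, "ip": OFFICE_IP, "country": "GB", "result": "success"}
    for day in range(1, 8) for user in ("alice", "bob", "carol")     # normal staff sign-ins
]
WEEK += [
    {"user": user, "day": day, "ip": SPRAY_IP, "country": "RU", "result": "failure"}
    for day, user in enumerate(("alice", "bob", "carol", "dave", "erin", "frank"), start=1)
    for _ in range(2)                                                 # two tries per account, one account per day
]
WEEK.append({"user": "dave", "day": 4, "ip": "192.0.2.44", "country": "DE", "result": "success"})
WEEK.append({"user": "erin", "day": 6, "ip": "192.0.2.77", "country": "GB", "result": "success"})

EXPECTED_COUNTRIES = {"GB"}   # where the business actually has staff
LEAVERS = {"erin"}            # accounts that should already be disabled


def spray_sources(events, min_accounts=5, max_per_account=3):
    """One source address failing against many accounts, a few tries each.
    A per-account failure threshold never fires on this; the per-source view does."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "failure":
            per_ip[e["ip"]][e["user"]] += 1
    return [(ip, sorted(users)) for ip, users in per_ip.items()
            if len(users) >= min_accounts and max(users.values()) <= max_per_account]


def unexpected_countries(events, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins from countries where the business has nobody."""
    return sorted({(e["user"], e["country"]) for e in events
                   if e["result"] == "success" and e["country"] not in expected})


def leaver_signins(events, leavers=LEAVERS):
    """Successful sign-ins by accounts that should no longer be active."""
    return sorted({(e["user"], e["day"]) for e in events
                   if e["result"] == "success" and e["user"] in leavers})


def weekly_review(events):
    """The three things the ten-minute review looks at, as one summary."""
    failures = sum(1 for e in events if e["result"] == "failure")
    return {
        "successful_sign_ins": len(events) - failures,
        "failed_sign_ins": failures,
        "spray_sources": spray_sources(events),
        "unexpected_countries": unexpected_countries(events),
        "leaver_signins": leaver_signins(events),
    }


if __name__ == "__main__":
    for key, value in weekly_review(WEEK).items():
        print(f"{key}: {value}")
```

Each of the three findings is a question, not a verdict: dave may be at a conference in Germany, but erin left the company and should not be signing in at all, and a single address working its way through your staff list with two guesses each is the "steady trickle" the review is meant to surface.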

When Something Looks Wrong

Suppose you spot something. A login from an unfamiliar location, or a forwarding rule you did not set up. What do you do?

Do not panic, and do not start deleting things. Evidence is your friend. If you delete the suspicious account or clear the logs, you destroy the information investigators will need.

Capture what you see. Screenshots, exported logs, timestamps. Write down what you found and when you found it.

Contain the account. Reset the password. Force sign-out from all sessions. Disable the forwarding rule. If you use MFA, verify that the MFA method has not been changed.

Call someone. Your IT support, your cyber insurance incident line, or if it looks like data theft or fraud, Action Fraud (0300 123 2040). The NCSC’s Small Business Guide also provides a clear incident response process.
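"Capture what you see" is easier to do well if the capture is written down in a form an investigator or insurer can trust later. The script below is an added example for this article, not code from the original page or the NCSC: it records who found what and when (in UTC), hashes every exported file with SHA-256 so that later edits are detectable, and checks the captured files against that record. The file names, the observation text and the email address are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so a large log export does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(paths, observation, recorded_by):
    """Build a manifest: what was found, by whom, when (UTC), and a hash of each captured file."""
    return {
        "recorded_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "recorded_by": recorded_by,
        "observation": observation,
        "files": [{"path": str(Path(p).resolve()), "sha256": sha256_file(p),
                   "bytes": Path(p).stat().st_size} for p in paths],
    }


def save_manifest(manifest, out_path):
    """Write the manifest and return its own hash, to be noted somewhere the file is not."""
    Path(out_path).write_text(json.dumps(manifest, indent=2))
    return sha256_file(out_path)


def verify_manifest(manifest):
    """Return the captured files whose current hash no longer matches (edited or missing)."""
    changed = []
    for entry in manifest["files"]:
        p = Path(entry["path"])
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def self_check(directory=None):
    """Walk the capture-then-verify cycle on a constructed export; returns what each step saw."""
    import tempfile
    directory = directory or tempfile.mkdtemp()
    export = Path(directory) / "signin-export.csv"
    export.write_bytes(b"user,time,country,result\nalice,2025-05-05T10:15:00,NG,success\n")  # constructed
    manifest = record_evidence([export], "alice signed in from NG at 10:15 while in London",
                               "ops@example.com")
    save_manifest(manifest, Path(directory) / "evidence-manifest.json")
    before = verify_manifest(manifest)            # freshly captured: nothing has changed
    with open(export, "ab") as f:                 # simulate the export being edited afterwards
        f.write(b"bob,2025-05-05T10:30:00,GB,success\n")
    return {"manifest": manifest, "before": before, "after": verify_manifest(manifest)}


if __name__ == "__main__":
    result = self_check()
    print(json.dumps(result["manifest"], indent=2))
    print("changed before:", result["before"])
    print("changed after:", result["after"])
```

Keep the manifest's own hash in a separate place (a ticket, a notebook, an email to yourself) so the record and the thing it protects cannot be altered together; that separation is what gives the capture its value when someone else has to rely on it.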

Do not assume it is nothing. The entire point of the Cuckoo’s Egg story is that Stoll’s colleagues wanted to write off the 75-cent error. He refused. Be the person who refuses.

How to Turn This Into a Competitive Advantage

Win contracts with evidence. When a prospective client or procurement team asks about your security posture, being able to say “we have active logging with defined retention periods, alerting on five key risk indicators, and a documented weekly review process” puts you miles ahead of competitors who mumble about antivirus software.

Reduce insurance premiums. Cyber insurance underwriters are increasingly granular about logging and monitoring capability. Demonstrable alerting and log retention can affect both eligibility and pricing.

Build client trust. In a market where the M&S, Co-op, and Harrods attacks are still fresh in public memory, the ability to show that you take monitoring seriously is a meaningful differentiator for any business that handles customer data.

How to Sell This to Your Board

Cost: zero to minimal. The logging and alerting features described in this article are built into Microsoft 365, Google Workspace, and most enterprise firewalls at no additional cost. The only investment is time: approximately one hour to configure, ten minutes per week to review.

Regulatory expectation. The ICO expects organisations to demonstrate they can detect and respond to data breaches. The NCSC’s 10 Steps to Cyber Security includes logging and monitoring as a core requirement. Having no logging means having no answer when the regulator asks how you detected the breach.

Business continuity. The mean dwell time for attackers inside compromised networks is measured in weeks or months. Every week you do not detect them is a week they are exfiltrating data, studying your systems, and preparing for maximum impact. Basic alerting shortens that window dramatically.

Board-level metric. Track and report a simple number each month: the count of alerts generated, reviewed, and resolved. It gives directors a concrete measure of security monitoring activity without requiring them to understand the technical detail.

What to Do This Week

  1. Log into your cloud admin console. Microsoft 365: admin.microsoft.com then Security. Google Workspace: admin.google.com then Reports.
  2. Find the alerting settings. Search for “alert policies” or “security alerts” in your admin console.
  3. Turn on the five alerts listed above. It takes less than thirty minutes.
  4. Set a weekly calendar reminder. Ten minutes, same day and time each week, to review sign-in activity, admin changes, and failed logins.
  5. Document what you have done. A simple note in your security file: “Logging and alerting configured on [date], retention period set to [period], weekly review scheduled for [day/time].” That note may save you with insurers, auditors, or regulators.

Sources

Source | Article
DSIT / Home Office | Cyber Security Breaches Survey 2025/2026
NCSC | Introduction to Logging for Security Purposes
NCSC | 10 Steps: Logging and Monitoring
NCSC | Logging and Protective Monitoring
NCSC | Security Monitoring Guidance
NCC Group | UK Breaches Survey 2025/2026 Reaction
NCSC | Digital Forensics and Protective Monitoring
