UK businesses are being warned not to leave themselves exposed to cyber criminals as the government launches a new nationwide campaign aimed at boosting
basic cyber security across organisations of all sizes.
The campaign, rolling out across social media, podcasts, radio and business networks, is designed to meet busy small and medium-sized enterprises (SMEs) where they already are. Its message is simple: most cyber attacks exploit basic weaknesses, and many of them can be stopped by putting a few essential protections in place.
At the heart of the push is Cyber Essentials, a government-backed scheme that sets out clear, practical steps businesses can take to defend themselves against the most common online threats. These include keeping software up to date and tightly controlling who has access to accounts and sensitive data – straightforward actions that can immediately strengthen cyber resilience.
The timing is deliberate. New figures underline just how costly cyber crime has become. Cyber threats are estimated to cost UK businesses £14.7 billion every year. A single significant cyber incident costs businesses an average of £195,000, and half of all small firms have suffered a breach or attack in the past 12 months alone.
While larger companies are increasingly taking action, ministers say too many smaller firms still believe cyber criminals only target big brands. In reality, attackers tend to look for easy opportunities, regardless of a company’s size.
Cyber Security Minister Baroness Lloyd said: “No business is out of reach from cyber criminals. SMEs play a vital role in our economy, and business owners work incredibly hard to build something valuable, but too many still assume cyber criminals only go after big brands. The reality is criminals look for easy opportunities, and without basic protections in place, any business of any size can become a target.
I know smaller firms don’t have large IT teams, and that is exactly why Cyber Essentials matters. It provides a straightforward checklist to lock the door on cyber criminals, without needing specialist expertise. Cyber risk is business risk, just like fire or theft, and the protections are just as essential. I urge businesses to take action and adopt Cyber Essentials now”.
The scheme, developed by experts at the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology, focuses on five key controls:
- Firewalls
- Secure configuration
- Software updates
- User access control
- Malware protection
Together, these measures tackle the most common routes used by attackers and help businesses demonstrate to customers and suppliers that they take cyber security seriously.
The evidence suggests the approach works. Last year, organisations with Cyber Essentials in place made 92% fewer cyber insurance claims than those without it. Certification can also open doors to government contracts, and eligible firms can access free cyber insurance, including a 24/7 emergency helpline.
To help businesses get started, the campaign is highlighting a range of free support, including an online Cyber Essentials Readiness Tool, free 30-minute consultations with NCSC-assured cyber advisers for SMEs, and the ability to preview the Cyber Essentials question set before applying for certification.
New research published alongside the campaign reinforces the scale of the threat. The Cyber Security Longitudinal Survey shows that 82% of medium and large businesses experienced a cyber incident in the past year, proving that size offers no protection.
Encouragingly, uptake of Cyber Essentials among larger firms has risen from 23% to 30%, showing growing awareness of the need for baseline protections. The government now wants to accelerate that momentum among smaller businesses, strengthening supply-chain security and supporting long-term growth and resilience.
NCSC CEO Dr Richard Horne said: “Many small business owners assume their business is too small to be on cyber criminals’ radar, but in reality, we know most attackers don’t care about size, reputation or logos – they are looking for opportunity and weaknesses.
Small businesses do not need to go to the ends of the earth to put baseline cyber security measures in place as the Cyber Essentials scheme can help them take practical steps today.
I urge all businesses to implement the five key security controls to help protect themselves against the most common, damaging online threats”.
Alongside the awareness campaign, the government is also pressing ahead with the Cyber Security and Resilience Bill, which aims to strengthen cyber defences across essential services and key suppliers. The reforms are intended to reduce the risk of disruption from cyber attacks and protect the services people rely on every day – from energy and water to healthcare and data centres.
For many businesses, ministers warn, a single serious cyber attack could be the difference between survival and closure. The message from government is clear: locking the door to cyber criminals starts with the basics, and the time to act is now. Photo by jaydeep_, Wikimedia commons.