MARKET PULSE UK


UK launches SME cyber campaign with Cyber Essentials

Busy owner‑managers are being asked to “lock the door” on cyber crime as the UK government launches a new campaign today (17 February 2026) aimed squarely at SMEs. The push meets firms where they are - on social, radio, podcasts and business networks - and points them to Cyber Essentials, a simple set of baseline controls designed to stop the most common attacks by tightening access, patching software and checking device configurations. (gov.uk)

The business case is straightforward. Independent research commissioned by the Department for Science, Innovation and Technology (DSIT) estimates that a significant cyber incident costs a UK firm almost £195,000 on average, with the annual bill to business running to roughly £14.7 billion. For owners weighing time and budget, those numbers frame cyber risk as a routine P&L issue rather than a distant IT headache. (gov.uk)

Prevalence data back this up. The government’s Cyber Security Breaches Survey 2025 shows half of small businesses reported a breach or attack in the previous 12 months, even after a year‑on‑year fall. Among bigger organisations, the Cyber Security Longitudinal Survey (wave five) records incidents at 82% of medium and large firms over the same period - and also finds more are adopting basic standards. (gov.uk)

Cyber Essentials is the starting line, not a maze. Co‑developed by the National Cyber Security Centre (NCSC) and DSIT, it focuses on five controls - firewalls, secure configuration, software updates, user access control and malware protection - and the campaign highlights a free readiness tool, a preview of the question set and a 30‑minute consultation with an NCSC‑assured adviser to help SMEs over the line. (gov.uk)

Insurance is where many owners feel the impact first. Government guidance says organisations with Cyber Essentials are 92% less likely to make a claim on their cyber policy, and the scheme’s delivery partner offers eligible SMEs free cyber insurance with a 24/7 incident‑response helpline - a practical safety net when hours count. Eligibility typically includes being UK‑domiciled with turnover under £20m and certifying the whole organisation. (gov.uk)

There is also a procurement upside. Cyber Essentials (or an equivalent set of controls) is required for certain central government contracts that handle personal data or OFFICIAL‑level ICT, with evidence needed before any data flows. The rule is proportionate - it is not a blanket demand - and sits alongside long‑standing guidance that certification helps firms signal trust to customers and buyers. (gov.uk)

What does it cost? Government procurement guidance indicates smaller companies typically pay in the £300–£500 + VAT range for the basic certification, while the cost of the Plus audit depends on size and complexity. Against that, DSIT’s breaches survey shows that among micro and small firms experiencing an incident with a tangible outcome, the average total cost of the most disruptive case was around £8,000 - so even a modest probability of an incident means the expected loss quickly outweighs the one‑off fee. (gov.uk)

For boards and finance leads, the near‑term plan is practical. Use the readiness tool and adviser call to check scope, switch on multi‑factor authentication where available, enforce updates, tighten admin rights and confirm backups. Most of this is process and configuration rather than new spend - with the certificate providing proof for insurers, customers and tenders once those basics are in place. (gov.uk)

Momentum is improving but supply‑chain gaps remain. DSIT’s longitudinal study shows adherence to Cyber Essentials among larger businesses rising from 23% to 30% and flags supplier management as a persistent weak spot. Extending baseline controls across key vendors can reduce operational risk and simplify due diligence when customers ask about your own resilience. (gov.uk)

Looking ahead, the scheme is tightening. IASME has confirmed updates for assessment accounts created after 27 April 2026, with stricter marking around essentials such as multi‑factor authentication and timely patching - another reason for SMEs to start now and avoid a last‑minute scramble. In parallel, Parliament is scrutinising the Cyber Security and Resilience Bill, which would update rules for essential and digital services and harden supply‑chain defences. (iasme.co.uk)
