UK ministers urge SMEs to adopt Cyber Essentials
Ministers and the National Cyber Security Centre have set out a simple plan for small firms. In an open letter published on 26 November 2025 and dated 24 November, DSIT’s Minister for the Digital Economy Liz Lloyd CBE and DBT’s Minister for Small Business Blair McDougall, joined by the NCSC’s chief executive, ask SMEs to do two things: use the NCSC’s free Cyber Action Toolkit and certify to Cyber Essentials. The message follows a run of high‑profile incidents and points to practical risk reduction.
The Cyber Action Toolkit gives a personalised to‑do list, turning cyber protection into small, manageable steps and tracking progress as you go. It’s designed for owner‑managers and teams without dedicated security staff, and it’s free. Cyber Essentials is described as the UK’s minimum standard for basic cyber hygiene. Beyond the badge, government highlights practical benefits: access to a 24/7 emergency helpline for certificate holders, stronger eligibility for public tenders and complimentary cyber insurance. To be precise, the insurance is administered via IASME and is available only to eligible organisations that certify their whole organisation and have annual turnover under £20m.
Why the nudge now? The letter notes that half of small businesses reported a cyber attack in the past year; 35% of micro firms reported phishing. That reflects what many owners tell us: the day‑to‑day noise - suspicious emails, spoofed invoices and fake login pages - drains time and confidence. Government’s Cyber Security Breaches Survey 2025 estimates the average total cost of the most disruptive breach at about £1,600 for businesses overall, and around £1,510 for micro and small firms when those with no cost are included. Among those that did incur costs, the average rises to roughly £3,400 for micro and small businesses - easily eclipsing entry‑level certification fees.
For a 10‑person consultancy, the official assessment fee for basic Cyber Essentials is £440 plus VAT. Micro firms pay £320 plus VAT; medium‑sized businesses £500; large £600. These fees are set by IASME, the scheme’s delivery partner, and are consistent across providers. Against the typical non‑zero breach cost above, the maths is straightforward.
Certification can also improve your route into public‑sector work. The government letter says Cyber Essentials opens doors to government contracts; defence is moving further with the new Defence Cyber Certification scheme, which starts from a Cyber Essentials baseline and is set to become a requirement across MOD supply chains. If public work is on your 2026 roadmap, this is a pragmatic early task.
Insurance is the other lever. The letter points to insurer data that organisations with Cyber Essentials are 92% less likely to make a claim on their cyber policy. For eligible UK organisations that certify their whole business and turn over under £20m, the scheme includes automatic cyber liability insurance and a 24/7 incident helpline - a useful backstop if the worst happens.
A workable plan looks like this. Start with the NCSC Cyber Action Toolkit and close the obvious gaps on updates, strong passwords, multi‑factor authentication and device settings. Map what’s in scope for certification - staff, devices and cloud services - and schedule a board‑level sign‑off so your answers carry weight. If you handle sensitive data or sit in a regulated supply chain, plan to step up to Cyber Essentials Plus after the self‑assessment to verify controls independently. The scheme’s technical requirements are due to refresh in April 2026, so starting now avoids a spring bottleneck.
If you are facing an incident today, help is available around the clock. Businesses suffering a live cyber attack can call Action Fraud’s 24/7 line on 0300 123 2040; online reporting is also open at any time, and in Scotland you can call 101. If you hold Cyber Essentials, you gain an emergency helpline through the scheme’s insurance provider.
Boards shouldn’t park this with IT. The 2025 Breaches Survey finds only 27% of businesses have a named board member responsible for cyber security, down from 38% in 2021. Cyber Essentials forces simple governance: an executive sign‑off, five basic controls and an annual renewal. It’s not a cure‑all, but it raises the floor for day‑to‑day risk.
For agencies, retailers, clinics and micro‑manufacturers, the payoff is clear. The NCSC toolkit costs time, not cash; basic Cyber Essentials costs a few hundred pounds and can strengthen tender readiness and insurance terms. With ministers framing this as essential housekeeping, the next step is straightforward: open the toolkit, book certification, and lock in a lower‑risk 2026.