“We’re only a small business. Who’s going to target us?”
We hear this all the time and we understand why. When cyber attacks make the news, it’s usually the big names — Marks & Spencer, Capita, the NHS. It’s easy to assume that if you’re running a 10-person firm in Yorkshire, you’re not on anyone’s radar.
The reality is very different. According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of all UK businesses experienced a cyber breach or attack in the past 12 months. For small businesses specifically, that figure was 42%. The National Cyber Security Centre handled 204 nationally significant incidents in the year to August 2025 — a 129% increase on the previous year.
Cyber criminals don’t discriminate by size. They discriminate by vulnerability.
Your idea on a laptop could be worth a million pounds
Here’s a scenario we’ve seen more than once. An individual has an idea. It lives on a laptop — maybe a spreadsheet, a proposal, a prototype design. Today it’s worth nothing on paper. Next week, after a client meeting or a successful pitch, it could be worth a million pounds.
That’s intellectual property. And it’s exactly what state-backed threat actors and organised cyber criminals are looking for. The UK’s National Cyber Security Centre has been clear: hostile states are actively targeting British businesses — not just defence contractors and government departments, but SMEs in technology, manufacturing, professional services, and beyond. The goal is simple: steal intellectual property and use it to advance their own economies.
If your business creates anything of value — and it does, or you wouldn’t be in business — then you have something worth protecting.
Best practice today supports growth tomorrow
Let’s set aside the threat for a moment and talk about opportunity.
The commercial landscape has changed. Large organisations now treat their supply chain like gold. Before they’ll share data with you, before they’ll put you on a tender list, before they’ll trust you with a subcontract — they want to know you take security seriously.
Look at what happened with the Sony Pictures attack. A breach at one point in the supply chain cascaded across the entire network. The damage wasn’t contained to one business — it spread to partners, suppliers, and customers. The lesson was brutal and clear: your security is only as strong as the weakest link in your supply chain.
That lesson hasn’t been forgotten. Today, 54% of large organisations cite supply chain challenges as their biggest barrier to cyber resilience. Increasingly, winning a contract means proving your cyber security credentials. Cyber Essentials certification is already mandatory for certain UK Government contracts under Procurement Policy Note 014. The private sector is following suit.
A solid cyber security foundation doesn’t just protect you — it opens doors.
Cyber Essentials: the foundation of compliance
Cyber security and compliance go hand in hand, and the starting point is Cyber Essentials.
Developed by the NCSC, Cyber Essentials is the UK Government’s baseline certification scheme. It covers five straightforward technical controls — firewalls, secure configuration, access control, malware protection, and software updates. It’s designed to protect against the most common internet-based threats, and the NCSC estimates it addresses around 80% of them.
From Cyber Essentials, the path to broader compliance becomes clearer. ISO 27001, the international standard for information security management, builds on these foundations. So do the NHS Data Security and Protection Toolkit, PCI DSS, and sector-specific frameworks. But that’s a whole other story — the point is that Cyber Essentials is where it starts.
It’s not a tick-box exercise. It’s a structured way to get the basics right, and once the basics are right, everything else becomes easier.
It’s more affordable than you think
One of the biggest misconceptions about cyber security is that it’s expensive. It doesn’t have to be.
Cyber Essentials basic certification starts from around £300 plus VAT for micro businesses. For a small business with 10 to 49 employees, the assessment fee is approximately £440 plus VAT. And here’s something that surprises many business owners: any UK organisation with a turnover under £20 million that certifies their whole organisation automatically receives free cyber liability insurance up to £25,000, including a 24-hour incident response helpline. Compare that to the cost of getting it wrong.
The average cost of a cyber attack on a UK SME is over £3,000. For those hit by ransomware, the figure can reach six figures when you factor in downtime, data recovery, regulatory fines, and reputational damage. In 2025, the ICO’s average fine jumped to over £2.8 million — seven times higher than the previous year. Capita was fined £14 million. Even smaller penalties — like the £60,000 fine issued to law firm DPP Law after a cyber attack — would be devastating for a small business.
The ICO can impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. The ICO also publishes every enforcement action, regardless of business size.
Cyber security is an investment. A breach is a cost. The maths isn’t complicated.
Technology alone isn’t enough
You can invest in the best firewalls, the most advanced endpoint protection, the most sophisticated monitoring tools. If your employees don’t understand how to work securely, none of it matters.
A single click on a phishing email can bypass every technical control you have in place. A weak password, reused across personal and business accounts, is an open door. A sensitive document shared over an unsecured network undermines everything.
This is why Cyber Essentials works. It’s not just about technology — it’s about behaviour. It asks whether your people have the right access controls, whether your systems are configured securely, whether your software is up to date. These aren’t expensive technical challenges, they’re habits. Good habits that protect the person, the business, and every customer who trusts you with their data.
Cyber security isn’t just for big business
We want to be clear about something: this applies to every organisation. Every size. Every sector. Every level of organisational maturity. Whether you’re a two-person startup, a 50-person manufacturer, or a growing professional services firm. Whether you work in healthcare, construction, education, finance, or technology.
If you hold data (other people’s data) — and every business does — you have a responsibility to protect it. And if you want to grow, you need your customers and partners to trust that you will.
The National Cyber Security Centre provides free resources specifically designed for small businesses, including the Small Business Guide, the Cyber Action Toolkit, and the Cyber Essentials Readiness Tool. These aren’t expensive consultancy reports — they’re practical, plain-English guides that any business owner can follow.
Take the time, we promise, it’s worth it
Cyber security isn’t a one-off project, it’s a foundation. Like any foundation, it takes time to build properly — but once it’s in place, everything you build on top of it is stronger.
A solid cyber security posture supports growth. It enables customers and potential customers to share data with confidence. It opens up supply chain opportunities. It demonstrates to regulators, insurers, and partners that you take your responsibilities seriously. And it protects the ideas, the people, and the reputation that make your business what it is.
The threats are real, but the solutions are accessible. Cyber Essentials certification starts from a few hundred pounds. The NCSC’s guidance is free. And the return — in resilience, in confidence, in opportunity — far outweighs the investment.
Don’t wait for a breach to take cyber security seriously. Take the time now. Your business — and your customers — will thank you for it.
Bespoke Support Solutions helps businesses of all sizes build practical, affordable cyber security foundations.