Nobody runs a business to think about cyber security

A small-business view of Cyber Essentials - what it actually costs, why a customer is probably about to ask you for it, and how to get certified without losing your weekends.

By Paul Kennedy 5 min read

A couple of weeks ago I was down the pub with a good friend. He runs a small business - under ten people, the sort of place where the office manager doubles as HR and his IT guy comes in two days a week, mostly to stop the printer from sulking.

Halfway through the second pint he got the phone out. Could I take a look at something.

He’d had an email from one of his bigger customers. Friendly enough tone, the usual procurement boilerplate, and three paragraphs in: “We require all suppliers to hold Cyber Essentials certification before contract renewal.” Six weeks to the renewal date. He hadn’t heard of it. His IT guy hadn’t heard of it. Neither, the customer’s procurement contact admitted on a follow-up call, had they - until about a month ago, when their parent company added it to the supplier framework.

This conversation is happening more often than I expected when I started watching for it. Some version of it lands in the inbox of a small UK business most weeks now.

If you’ve had the email, or you suspect you’re about to, the rest of this is for you. I’ll keep it in pounds and timelines, rather than in the jargon you get from the Google results - which, when I checked the next morning to send my friend something useful, are either sales pages or 28-page government PDFs depending on which way you scroll.

The “we’re too small to be a target” myth

The latest UK Government Cyber Security Breaches Survey 2025/2026 puts the figure at close to half of small businesses reporting a breach or attack in the last twelve months. Small there means ten to forty-nine staff. The number for businesses below that is lower, but not as low as you’d hope, and the gap is closing.

The attack that gets through is usually unglamorous. Somebody clicks an email that looks like it’s from Microsoft, or from the MD, or from the accountant. The median financial hit is small - most attacks fizzle. The ones that don’t fizzle cost the average affected business a few thousand pounds, plus a weekend nobody’s getting back, plus the customer phone call where you have to explain what happened, plus - if any personal data has gone walkabout - the breach notification to the ICO that’s now on a 72-hour clock.

Almost none of these are sophisticated. They get in because the basics aren’t in place. A password set in 2019. MFA on the email but not on the file share. A laptop that hasn’t pulled an update in eight months. An ex-employee who still shows up in the shared drive’s access list. Cyber Essentials, more than anything else, is a structured way to find those things and fix them.

If you want a free, no-purchase-required orientation before reading any further, the NCSC’s Small Business Guide and the newer Cyber Action Toolkit cover the same ground at a higher level. Worth twenty minutes.

What Cyber Essentials is

A UK government-backed scheme, run by IASME on behalf of the NCSC. Built around five practical areas: firewalls, device configuration, user access, malware protection, patching. Get those five right, demonstrate it, get certified.

Two flavours. Standard Cyber Essentials is a verified self-assessment. You answer the question set, an assessor reviews it, you pass or you don’t. Cyber Essentials Plus is the same scheme plus a technical audit by an independent assessor who actually tests a sample of your kit and your external footprint. Standard is the right starting point for almost everyone. Plus comes into play when you’re bidding for government work, or when a specific big customer asks for it by name.

One piece of the scheme catches people out, because nobody puts it on the front page. Certify the whole organisation, have UK turnover under £20m, and the certification automatically includes £25,000 of cyber liability insurance, with 24/7 incident response support, for the twelve months the certificate is valid. For a business the size of my friend’s, that pays for the certificate by itself.

The cost question

For ten to forty-nine staff, the IASME assessment fee for standard Cyber Essentials is £400 plus VAT. National fixed price, set by IASME, the same wherever you go. Smaller businesses pay less - my friend’s outfit is on the cheaper end of the IASME tiers. Cyber Essentials Plus, because it includes the audit, lands between about £1,500 and £3,000 plus VAT depending on the size of your environment.

The fee is the easy bit. The cost that actually varies is the work in front of the assessment. If your IT is already in decent shape - managed devices, MFA on the things that matter, patching that happens by itself, a current list of who has access to what - there isn’t much to do. If it isn’t, there’s a tidy-up. Turning on things that should already be on. Removing things that shouldn’t be there. Writing down things that are understood but unwritten. That’s where the time goes, and the time tends to surprise people.
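As an added illustration (not code from the original post), here is a small readiness check over a constructed inventory that flags the gaps named above (the laptop that has not updated in months, the file share without MFA, the ex-employee still in an access list, a device with no malware protection) against the scheme's five control areas. The 14-day patch window, the field names and the sample devices and accounts are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data for illustration, not any real business's inventory.
TODAY = date(2025, 6, 1)
CURRENT_STAFF = {"alice", "bob"}          # what the office manager's HR list says
PATCH_WINDOW = timedelta(days=14)         # assumed "update overdue" threshold

@dataclass
class Device:
    name: str
    owner: str
    last_update: date
    firewall_on: bool
    malware_protection_on: bool

@dataclass
class Account:
    user: str
    service: str
    mfa_on: bool

def check_readiness(devices, accounts, staff=CURRENT_STAFF, today=TODAY):
    """Return (control_area, finding) pairs; an empty list means no gaps found."""
    findings = []
    for d in devices:
        if today - d.last_update > PATCH_WINDOW:
            findings.append(("patching", f"{d.name}: last update {d.last_update}"))
        if not d.firewall_on:
            findings.append(("firewalls", f"{d.name}: host firewall off"))
        if not d.malware_protection_on:
            findings.append(("malware protection", f"{d.name}: no malware protection"))
    for a in accounts:
        if a.user not in staff:  # leaver still in an access list
            findings.append(("user access", f"{a.user}: not current staff, still on {a.service}"))
        if not a.mfa_on:
            findings.append(("user access", f"{a.user}: no MFA on {a.service}"))
    return findings

DEVICES = [
    Device("laptop-01", "alice", date(2025, 5, 28), True, True),
    Device("laptop-02", "bob", date(2024, 10, 1), True, False),  # eight months stale
]
ACCOUNTS = [
    Account("alice", "email", True),
    Account("bob", "file share", False),  # MFA on email but not on the file share
    Account("dave", "file share", True),  # ex-employee, still listed
]
```

Running `check_readiness(DEVICES, ACCOUNTS)` on the sample data returns four findings, one per gap described in the post; the same shape of list, fed from a real device register and the HR leavers list, is the tidy-up backlog the assessment will ask about.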

Why most small businesses don’t do it themselves

You can do Cyber Essentials in-house. The documentation is public, the question set is clear, and a competent person with a few free weekends can get through it.

The reason most don’t, when they actually sit down with it, is that the person who’d have to do it is already running the business, or running the IT, or - in my friend’s case - both. Six weeks of evenings spent chasing whether every laptop has auto-updates enabled is rarely the best use of someone whose other job is selling the thing the company exists to sell.

That’s the whole pitch for getting outside help. Not “it’s complicated, you need a consultant” - it isn’t particularly complicated. It’s that competent people are expensive when measured in hours they aren’t doing the rest of their job.

If the email hasn’t landed yet, this is the cheap version of the problem. Use it.

Frequently asked questions

How much does Cyber Essentials cost for a UK small business?

For a business with ten to forty-nine staff, the IASME assessment fee is £400 plus VAT. That's the fixed national price set by IASME and doesn't vary by provider. Smaller businesses pay less. Total first-year cost, including any tidy-up work and help from a partner, typically lands between £1,000 and £3,000 for a business in reasonable IT shape, more if there's significant catch-up to do.

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a verified self-assessment: you answer the question set, a qualified assessor reviews your answers, you pass or you don't. Cyber Essentials Plus is the same scheme plus an independent technical audit, where an assessor tests a sample of your devices and your external footprint. Standard is the right starting point for almost everyone. Plus is usually required when you're bidding for government work, or when a specific big customer asks for it by name.

Does Cyber Essentials really include free cyber insurance?

Yes. Certify your whole organisation, have UK turnover under £20 million, and you're automatically eligible for £25,000 of cyber liability insurance, included in the certification at no extra cost. It comes with 24/7 incident response support and runs for the twelve months of the certificate.

How long does it take to get Cyber Essentials certified?

For a business that's well prepared, the assessment itself can be reviewed within a few working days of submission. The realistic end-to-end timeline, including prep and any tidy-up, is usually four to eight weeks. If you're being asked for it as a contract condition, build that into your reply to the customer.

Do we have to renew Cyber Essentials every year?

Yes. The certificate is valid for twelve months and needs to be renewed annually. That's by design - the scheme expects your security posture to be re-checked each year, not certified once and forgotten.

Is Cyber Essentials worth it if no customer has asked for it yet?

Probably. The £25,000 of included insurance and the discipline of fixing the basics tend to pay back the cost on their own. And an increasing number of UK customers - public sector, financial services, larger private companies - are adding Cyber Essentials to their supplier requirements. Getting ahead of that is much cheaper than scrambling when an existing customer asks.
