Government wages cyber campaign as half the UK’s SMEs are breached

The government is urging businesses, especially small and medium-sized enterprises (SMEs), to “lock the door” to fend off cyber attackers.

Its campaign is being launched on the back of government research that revealed cyber threats cost UK businesses £14.7bn a year, with half of small firms experiencing one in the past 12 months. And while large companies are taking action, the government wants smaller ones to bolster their defences.

The campaign will exhort SMEs to engage with the government’s Cyber Essentials scheme, which is said to spell out clear, practical steps to foil cyber attacks. This includes keeping software up to date and controlling who has access to accounts and data.

Alongside the campaign, but with less of an SME focus, the Department for Science, Innovation and Technology (DSIT) is publishing its Cyber security longitudinal survey, which shows 82% of medium and large businesses suffered a cyber incident in the past year, as did 77% of charities.

The survey first took place in 2021. The report published today, 16 February 2026, covers findings from the fifth wave of study. The survey was carried out between June and August 2025 and interviews were conducted between September and October 2025.

The interviews explored cyber incidents, uptake of government products, cyber security policies, cyber security processes, cyber security budgets and understanding cyber security behaviour change, according to the report’s executive summary.

Other government research, also being cited in support of the “lock the door” campaign, shows that incidents cost an average of £195,000; and, according to the Cyber security breaches survey 2025, that half of all small businesses suffered a cyber breach or attack in the year-long period up to mid-2025.

The Cyber security longitudinal survey indicates that the proportion of organisations reporting adherence to the Cyber Essentials programme rose significantly in the past year, for both businesses (30% vs 23%) and charities (28% vs 19%). DSIT has also stated that 92% fewer insurance claims were made last year by organisations with Cyber Essentials in place.

However, the new survey shows that supply chain management remains a weakness among both charities and businesses.

Less than a third of organisations stated they carried out formal assessment of suppliers in the past 12 months (28% of businesses and 26% of charities). Organisations also “generally lacked awareness about cyber security incidents in their supply chains, acknowledging they likely happen without their knowledge”.

Liz Lloyd, Parliamentary under-secretary of state at DSIT and the Department for Business and Trade, and member of the House of Lords, said: “No business is out of reach from cyber criminals. SMEs play a vital role in our economy, and business owners work incredibly hard to build something valuable, but too many still assume cyber criminals only go after big brands. The reality is criminals look for easy opportunities, and without basic protections in place, any business of any size can become a target. 

“I know smaller firms don’t have large IT teams, and that is exactly why Cyber Essentials matters. It provides a straightforward checklist to lock the door on cyber criminals, without needing specialist expertise. Cyber risk is business risk, just like fire or theft, and the protections are just as essential”.

Developed by the National Cyber Security Centre (NCSC) and DSIT, Cyber Essentials focuses on firewalls, secure configuration, software updates, user access control and malware protection.

Richard Horne, chief executive of the NCSC, said: “Many small business owners assume their business is too small to be on cyber criminals’ radar, but in reality, we know most attackers don’t care about size, reputation or logos – they are looking for opportunity and weaknesses. 

“Small businesses do not need to go to the ends of the earth to put baseline cyber security measures in place, as the Cyber Essentials scheme can help them take practical steps today. I urge all businesses to implement the five key security controls to help protect themselves against the most common, damaging online threats.”