SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

UK campaign targets small firms' growing cyber risk

Thu, 19th Feb 2026

The UK government's latest campaign urging companies to "lock the door on cyber criminals" has won support from security experts, who warn that small businesses remain exposed due to gaps in training, authentication, and governance.

The drive aims to improve cyber resilience across UK firms and boost adoption of the Cyber Essentials scheme. It follows new government figures estimating cybercrime costs UK businesses £14.7 billion a year, with around half of small businesses reporting a breach or attack in the past 12 months.

Industry research suggests many smaller firms underestimate their appeal to attackers. It also indicates uneven adoption of basic protections such as staff training and strong authentication.

Small firms exposed

Data from Yubico's 2025 Global State of Authentication Report suggests small businesses are facing what it calls a "new wave of vulnerability", driven by resource constraints and the assumption that cyber criminals focus mainly on larger enterprises.

The study found that 57% of employees at small businesses with 1-99 staff received no cybersecurity training in 2025, leaving many unprepared for AI-driven phishing and social engineering.

Only 36% of small-business employees said their companies use multi-factor authentication across all applications, despite a continued rise in credential theft.

Niall McConachie, Yubico's Regional Director for the UK and Ireland, said many smaller firms still do not see themselves as targets.

"Small businesses are currently operating under a dangerous misconception: believing they're too small a target for attackers. In the age of AI-driven cyber crime, automated tools target all employees and businesses the same. Every unsecured entry point is a target, and our data confirms that SMEs are leaving the front door wide open by neglecting basic training and not implementing multi-factor authentication (MFA)."

"For small businesses - which represent the backbone of our economy - the key to ensuring resilience against cyber threats is the widespread adoption of enterprise-grade security. We need to abandon the idea that robust authentication is 'too expensive' or 'too complex' for smaller teams. In reality, it's too expensive not to protect systems and data. Implementing phishing-resistant MFA, such as device-bound passkeys like hardware security keys, is the only scalable way to level the playing field and immunise small businesses against the commercialised threat landscape they now face."

Basic hygiene push

The campaign emphasises foundational security practices for organisations of all sizes. It promotes Cyber Essentials as a baseline for secure configuration, access control, patching and malware protection.

Security professionals say the focus reflects how widespread and routine cyber incidents have become.

Chris Dimitriadis, Chief Global Strategy Officer at ISACA, said the campaign "highlights how relentless, damaging and spread cyberattacks have become for UK businesses".

Government data show that half of small firms have experienced a breach or attack over the past year, with many incidents involving phishing emails, compromised credentials, and ransomware.

Misconceptions and entry points

Experts warn that attackers do not distinguish between large and small organisations when using automated tools. Criminal groups scan the internet for exposed systems, weak passwords and unpatched software across all sectors.

Dimitriadis said: "What's often misunderstood is that cybercriminals don't just go after household names - all businesses are at risk. In fact, with half of all small firms in particular having suffered a breach or attack over the past 12 months, it's clear that bad actors are constantly scanning for smaller targets who might be more vulnerable to their attacks. Cybercriminals seek out easy entry points, meaning that even the smallest business without basic protections is at risk of significant financial loss and reputational damage if hit."

The growth of AI-enabled attacks and ransomware-as-a-service has lowered barriers for cyber criminals, allowing them to automate many stages of intrusion. This has increased the volume of attempts against organisations with limited defences.

Beyond Cyber Essentials

Industry figures broadly support the government's message on baseline protections but argue that Cyber Essentials and related guidance are only a first step toward building broader cyber resilience.

Dimitriadis said: "It's encouraging to see the Government's campaign focus on practical measures businesses can use to build resilience. Adhering to guidance such as the Cyber Governance Code of Practice is a first big step. These are essential ways to 'lock the door' on cybercriminals and build defences that deter many attacks before they happen."

Security bodies advocate layered defences that combine phishing-resistant multi-factor authentication, regular staff training, incident response planning, and board-level oversight. They also call for clearer governance frameworks to enable organisations to assign ownership and accountability for cyber risk.

Legislative scope

Attention is also turning to regulation as the UK updates its cyber policy framework. The forthcoming Cyber Security and Resilience Bill focuses on Critical National Infrastructure sectors, including energy, water, and transport.

Some experts want the bill's scope extended, arguing that other employers sit at the heart of digital supply chains and that disruption at those firms can have significant knock-on effects across the economy.

Dimitriadis said: "But while businesses must take responsibility for strengthening their own defences, they also need clear legislative support to raise security standards across the UK economy. For example, upcoming legislation such as the Cyber Security and Resilience Bill can have an extended scope. At present, it remains confined to protecting Critical National Infrastructure (CNI), failing to extend coverage to major employers whose disruption would have equally severe consequences to the economy. Robust regulation can help to close gaps, improve incident reporting, and ensure that protections are implemented across supply chains. This means that fewer businesses become the weak link that cybercriminals are looking for."