Key Takeaways
- Cyber threats cost UK businesses an estimated £14.7 billion every year, according to the summary of research on the economic impact of cyber attacks, and no business is immune.
- Half of all small businesses in the UK experienced a cyber-attack in the past twelve months, according to the “lock the door” campaign press release.
- Most successful attacks exploit basic weaknesses, not sophisticated techniques
- Cyber Essentials is the UK government’s recommended cyber security baseline, achievable by any organisation of any size
- Certified businesses receive up to £25,000 in cyber insurance cover at no extra cost (subject to turnover and national registration)
- The scheme will be updated on 27 April 2026, with the Willow question set replaced by the Danzell question set. Plan your certification timeline now
- Free tools, advisors and resources are available today through the NCSC
Imagine leaving the front door of your business wide open every single day. No lock, no alarm, no one watching. That is, in effect, what thousands of UK businesses are doing online, and cyber criminals are walking straight in.
The UK government has had enough. In early 2026, the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) launched a major national campaign with a simple, direct message: lock the door on cyber criminals. At Pera Prometheus, we think this campaign deserves every business owner’s full attention and we are going to explain exactly why.
The Scale of the Problem Is Bigger Than You Think
Cyber-attacks are not just a problem for large corporations or government departments. According to the Cyber Security Breaches Survey 2025, half of all small businesses in the UK experienced a cyber breach or attack in the past twelve months. Half of anything is not an outlier; it is the norm, and that is worrying.
According to the summary of research on the economic impact of cyber attacks, the total cost to UK businesses is an estimated £14.7 billion every year. When a cyber incident hits a small or medium-sized business, the average cost of recovering from it is around £195,000. That is enough to derail years of growth or, in some cases, close the business altogether. For these reasons, cybersecurity for small businesses is no longer optional: the financial and reputational risks are simply too high.
As Cybersecurity Minister, Baroness Lloyd, put it plainly: “any business of any size can become a target”. Size, sector, turnover: none of it provides protection if the basics are not in place.
Most Businesses Know the Risk But Have Not Yet Acted
NCSC Chief Executive, Richard Horne, has highlighted what is arguably the most frustrating challenge in UK cybersecurity right now: the gap between awareness and action. Most business leaders know that cybersecurity risk management matters. Most have read a headline about a breach. But too few have taken the practical steps to protect their organisation.
This is something we see regularly when working with businesses across the manufacturing, engineering and defence sectors. Cybersecurity consulting is still viewed by many as complicated, expensive, or something to deal with later. The reality is that the majority of successful attacks do not exploit clever, sophisticated technical techniques. They exploit basic weaknesses such as unpatched software, weak passwords, poor access controls, lack of multi-factor authentication, and susceptibility to social engineering. As we cover in our Training and Awareness service, your people and your processes are just as important as your technology.
Attackers are not targeting your company by name. They are running automated scans across the internet, looking for any door that is unlocked. If yours is open, they will walk in. The Government’s campaign is a call to act and the tool they are pointing businesses towards is Cyber Essentials.
What is Cyber Essentials and What Does It Actually Cover?
Cyber Essentials is a government-backed cyber security framework developed by the NCSC and delivered by the Information Assurance for Small to Medium Enterprises (IASME). It was designed to be straightforward, affordable, and achievable for any organisation, regardless of whether you have a dedicated IT team or not. It is the foundation of any credible information security management approach for a small or medium-sized business, but is also more frequently attained by large enterprises to meet HMG supply chain resilience requirements. Even large enterprises with their own corporate security departments identify vulnerabilities during Cyber Essentials assessments, which goes to show the value of certification.
The scheme is built around five core technical controls that address the most common cyber security risks:
- Firewalls: keeping out unwanted traffic from the internet
- Secure configuration: making sure devices and software are set up safely from day one
- User access control: ensuring only the right people can access the right systems and data
- Malware protection: defending against viruses, ransomware and malicious software
- Security update management: keeping all software patched and up to date
There are two levels of certification: Cyber Essentials (self-assessed, verified by an accredited body) and Cyber Essentials Plus (independently tested by a technical assessor). Certified organisations also receive up to £25,000 in cyber insurance cover at no extra cost, which is a significant benefit for small businesses. Cyber insurance cover is provided so long as the business is UK registered and has a turnover of less than £20m.
For businesses in the defence supply chain, Cyber Essentials is, in most cases, a contractual requirement. It provides a clear, demonstrable baseline that your organisation takes cyber security compliance seriously. If you are new to compliance frameworks more broadly, our Cybersecurity Compliance Guide is a good place to start.
A Deadline You Should Know About: April 2026
If you are planning to become certified or renew your existing certification, there is an important date for your diary: 27 April 2026. From this date, the Cyber Essentials scheme moves to updated requirements (v3.3) with stricter marking criteria.
According to IASME’s guidance on the April 2026 changes, the five core controls remain the same but the assessment methodology is being tightened. The current self-assessment question set, known as Willow, will be replaced by a new version called Danzell. Any assessment account opened after 27 April must use Danzell. Organisations already working through the Willow question set will have until 27 October 2026 to complete their assessment. The key areas being tightened under Danzell are multi-factor authentication (MFA), now mandatory for all cloud services where available, and security update management, where failure to patch critical vulnerabilities within 14 days will now result in an automatic fail.
This is not a reason to panic, but it is a reason to act now rather than later. Businesses that begin their cyber security assessment process before April will complete under the current Willow criteria. Those who wait must meet the Danzell standard. We have covered what these changes mean in detail in our blog: Cyber Essentials is Changing in April 2026. Either way, the message is the same: do not put it off.
Free Tools Available Right Now
One of the most practical aspects of the government’s campaign is that it comes with real, free resources to help businesses get started. The NCSC Cyber Essentials pages offer a readiness tool so you can self-assess your current gaps, access to a free 30-minute consultation with an NCSC-assured Cyber Adviser, and the ability to preview the full Cyber Essentials self-assessment question set before you commit to certification.
These are low-barrier, no-cost starting points. There is no excuse for not knowing where you stand on cyber security risk. If you would like guided support rather than going it alone, our team at Pera Prometheus can walk you through a cybersecurity risk assessment and manage the full certification process from start to finish.
Ready to Lock the Door?
Don’t wait for a breach to make cyber security management a priority. Contact Pera Prometheus today for an initial free consultation and take the first practical steps towards protecting your business, your staff, and your clients.
Frequently Asked Questions
1. What is the UK government’s ‘lock the door’ cyber campaign?
Ans: Launched in early 2026 by DSIT and the NCSC, it urges businesses of all sizes to adopt basic cyber security measures, directing them towards Cyber Essentials as a practical, proven first step.
2. Is Cyber Essentials mandatory?
Ans: Not for most businesses, but it is a contractual requirement for UK government and MOD suppliers. It is also increasingly expected across private sector supply chains. Regardless of contracts, it is the minimum standard of cyber security compliance any responsible business should meet.
3. How long does it take to become Cyber Essentials certified?
Ans: Most businesses complete certification in two to four weeks. Pera Prometheus can assist you with this.
4. What is changing in April 2026 and should I be concerned?
Ans: From 27 April 2026, the current Willow question set is replaced by a new version called Danzell (v3.3). The five core controls stay the same but the marking becomes stricter, particularly around MFA (now mandatory for all cloud services where available) and patching (failing to apply critical updates within 14 days is now an automatic fail). If you are already underway with Willow, you have until 27 October 2026 to complete it. Not a reason to panic, but a clear reason to start now.
5. We are a small business with no IT department. Is Cyber Essentials realistic for us?
Ans: Yes. It was specifically designed as a cyber security solution for small businesses. Many of the controls can be addressed using tools already built into Windows or your existing cloud services. You do not need a dedicated IT team, just a structured approach.
6. What is multi-factor authentication and why does it matter?
Ans: MFA requires more than a password to log in, for example a password plus a code sent to your phone. It is one of the most effective defences against account takeover and a key part of cyber security risk management. Under the April 2026 Danzell update, if your cloud service offers MFA and you have not enabled it, you will automatically fail the assessment.
7. How can Pera Prometheus help us?
Ans: We are an accredited Cyber Essentials Plus certification body offering cyber security consulting services to businesses of all sizes. We carry out readiness assessments, guide you through certification, and provide ongoing information security management support. Get in touch today to find out how we can help.
Stay Safe, Stay Secure


