Cyber Essentials: A nice-to-have or a business necessity?
Cyber Essentials is becoming essential for trust, resilience and growth.
You're reading Entrepreneur United Kingdom, an international franchise of Entrepreneur Media.
Earlier this year, a Plymouth community radio station announced it was shuttering its operations as a result of a cyber attack.
The attack wasn’t on the scale of Marks and Spencer or Jaguar Land Rover. To enterprises like these, the cost of the breach was pocket change, but to a local radio station it was enough to shatter its solvency beyond repair.
When business leaders read about cyber attacks, their information is often gathered via reports and news headlines around large-scale incidents that damage the economy or put critical infrastructure at risk.
The impacts on small businesses are largely unreported.
While this can be comforting on one level, it is highly dangerous on another.
No business leader wants to see their organisation facing negative headlines, but when attacks on smaller organisations go unreported, it can also make these business leaders naively believe the threat doesn’t apply to them. This is not the case.
The unfortunate reality of cyber crime
While attacks on large businesses tend to make the headlines, SMEs are not immune to the threat. Threat actors do not target businesses purely based on size or equity; they target organisations based on ease and convenience. Ultimately, if they see a route in, they will exploit it.
This was clearly evidenced in the attack on the Plymouth radio station. The attack wasn’t sophisticated. It wasn’t a nation-state operation. It was likely automated, low-effort, and moderately profitable for the attacker. The station just happened to have the “unlocked door”.
Undoubtedly an attack on a large organisation can bring greater financial returns for cyber criminals, but small organisations still remain attractive targets, as they often present profitable opportunities with fewer resources required to compromise them.
As a result, it is vital all organisations, regardless of their size, take steps to improve their defences.
However, recent data from the UK government Cyber Security Breaches Survey shows this isn’t happening in practice.
The Cyber Security Breaches Survey
The recent annual breaches survey revealed that UK organisations remain under continued threat of attack, with larger organisations facing the greatest risks.
While large organisations experience attacks more frequently, SMEs are still being impacted at significant scale.
Phishing remained the most common attack method identified in the survey, demonstrating attackers are still heavily exploiting human behaviour and weak security practices rather than relying purely on sophisticated technical exploits.
The survey also highlighted ongoing weaknesses around incident response planning, supplier risk management, and cyber governance.
Perhaps the most concerning finding, however, was how few organisations are independently validating their security posture.
Examining the data
The Cyber Security Breaches Survey showed that 43 percent of UK businesses experienced a cyber breach or attack in the last 12 months.
It also highlighted that only five percent of UK businesses currently have Cyber Essentials accreditation – a UK Government-backed certification scheme, developed by the National Cyber Security Centre (NCSC), that sets the minimum recommended standard of cyber security for all organisations.
The framework focuses on five core technical controls that protect against approximately 80 percent of common cyber attacks.
While uptake has increased from three percent last year, the number of certifications issued remains worryingly low.
The survey noted that 24 percent of businesses claim to have the technical controls associated with Cyber Essentials. But claiming controls and having them independently verified are very different things. The worst moment to discover your security controls don’t actually work is during a live attack – when it’s already too late.
Unless organisations have their cyber security posture audited by experts, they can never be fully confident in the effectiveness of their controls.
This is precisely why independent validation matters – and why Cyber Essentials represents an essential starting point.
Cyber Essentials: A strong foundation
The government is clearly trying to promote the uptake of Cyber Essentials, and rightly so. It addresses the most common attack vectors, it gives organisations a structured baseline, and for many SMEs it will meaningfully reduce their risk exposure.
Yet, the growing importance of Cyber Essentials is no longer being driven solely by security concerns or government guidance. Today it is increasingly becoming a commercial issue.
The recently launched Cyber Resilience Pledge is expected to accelerate its uptake. The pledge encourages organisations to strengthen resilience not only within their own environments, but also throughout their wider supply chains.
As part of this, organisations signing the Pledge are expected to only work with suppliers and partners that can demonstrate recognised baseline cyber security controls, including Cyber Essentials accreditation.
This means Cyber Essentials is evolving from a nice-to-have to a need-to-have.
Organisations without Cyber Essentials could find themselves excluded from procurement opportunities, partnerships, or supply chain relationships with businesses that have signed the Pledge.
For SMEs, this means Cyber Essentials is no longer only about improving security posture. Today it is becoming directly linked to trust, credibility and commercial eligibility.
There is also another dimension to Cyber Essentials that many businesses have yet to fully absorb, and it sits squarely in the boardroom.
In version 3.3 of the scheme, launched in April 2026, a company director or board-level representative must personally confirm that the organisation will maintain all required security controls throughout the entire certification period.
This is a significant shift which reinforces that Cyber Essentials is no longer purely a technical exercise delegated to an IT team. It is now a formal, board-level governance commitment. If controls lapse and an incident occurs, the board confirmed on record that they were in place.
For directors, this presents a different kind of exposure. It means that signing off on Cyber Essentials is not a formality; it is a personal declaration of accountability.
This also makes the question of whether your controls are genuinely effective, and not just assumed to be, more critical than ever.
The question your board needs to answer
Cyber security should not be viewed as a luxury investment reserved for large corporations with dedicated security teams. Instead, it should be treated as a core business survival issue.
The collapse of a local radio station reinforces that even relatively small incidents can have devastating consequences for organisations with limited financial resilience. It shows that cyber disruption can be equally damaging regardless of organisation size.
As a result, the conversation is now shifting. It is no longer just: “Can we afford to invest in cyber security?”
It is: “Can we afford to operate commercially and legally without it? And are we, as a board, prepared to put our names to the controls we say we have in place?”
Cyber Essentials Certification gives organisations the foundation. What they build on top of it, and the seriousness with which their board owns it, determines whether it actually protects them. It is no longer simply a government-backed certification designed to encourage better security practices; through initiatives like the Cyber Resilience Pledge, it is gradually becoming a trust marker organisations may need in order to do business.
For many SMEs, the question is no longer whether cyber security investment is necessary, but whether the business can genuinely survive without it.