The DSIT (Department for Science, Innovation and Technology) and the NCSC (National Cyber Security Centre) have launched a campaign urging organisations to “lock the door” on cyber criminals by adopting Cyber Essentials, a set of five security controls designed to protect against common cyber attacks.

The campaign was launched alongside the release of Wave 5 of the CSLS (Cyber Security Longitudinal Survey) – a multi-year study that aims “to explore how and why UK organisations are changing their cyber security practices and how they implement and improve their cyber defences”.

The CSLS focuses on medium and large businesses and high-income charities, but its findings are still relevant to SMEs (small and medium-sized enterprises) because of the supply chain implications.

This survey provides new data on how common incidents are, while the campaign positions Cyber Essentials as a practical baseline to reduce exposure to common attacks throughout supply chains.

For example:

  • 82% of medium and large businesses experienced a cyber incident in the past year.
  • Significant cyber incidents cost an average of £195,000 and are estimated to cost UK businesses £14.71 billion every year.
  • Last year, organisations with Cyber Essentials in place made 92% fewer insurance claims.

Phishing and other social engineering attacks

The CSLS results show the repetitive nature of the threat landscape:

  • Phishing affected around three quarters of organisations (76% of businesses, 73% of charities).
  • Email impersonation scams affected over half of businesses (56%) and nearly half of charities (46%).
  • Takeovers or attempted takeovers of websites, social media or email accounts were reported by 11% of businesses.

These findings point to a simple pattern: most organisations face high-volume social engineering attempts, which succeed when basic controls are missing.

That matters beyond your own organisation. If you rely on suppliers for IT support, finance services, logistics, maintenance or professional services, their security posture affects yours. The survey data shows that formal supplier risk checks are still uncommon.

Supplier risks

For SMEs, one of the most useful aspects of the CSLS data is what it says about third-party risk.

Less than a third of organisations said they formally assessed the cyber security risks presented by suppliers in the past 12 months (28% of businesses, 26% of charities).

This matters because SMEs are often both:

  • A supplier to larger organisations
  • A customer of smaller providers and contractors

If you can’t show evidence of baseline controls, procurement gets harder. And if you don’t require baseline controls from your own suppliers, you share their vulnerabilities.

Cyber Essentials gives you a practical starting point in both directions: it helps you meet customer expectations and creates a clear standard you can apply to your own supply chain.

If you’re being asked for security assurances during procurement, Cyber Essentials is often the fastest route to an answer that third parties recognise.

Why Cyber Essentials is the sensible first step

SMEs are typically constrained by a lack of time and resources when it comes to cyber security.

Cyber Essentials recognises those pressures and is designed to be accessible to all, with clear requirements that help smaller organisations close the common gaps that attackers exploit first.

Its five controls address:

  • Firewalls
  • Secure configuration
  • Software updates
  • User access control
  • Malware protection

As the Cyber Security Minister Baroness Lloyd said:

“No business is out of reach from cyber criminals. SMEs play a vital role in our economy, and business owners work incredibly hard to build something valuable, but too many still assume cyber criminals only go after big brands. The reality is criminals look for easy opportunities, and without basic protections in place, any business of any size can become a target.

“I know smaller firms don’t have large IT teams, and that is exactly why Cyber Essentials matters. It provides a straightforward checklist to lock the door on cyber criminals, without needing specialist expertise. Cyber risk is business risk, just like fire or theft, and the protections are just as essential. I urge businesses to take action and adopt Cyber Essentials now.”

Free webinar: Stay ahead of Cyber Essentials changes – what you need to know

The scheme is updated each year to reflect the changing risk environment. This year’s updates take effect from 27 April, when new Cyber Essentials certifications will be assessed according to version 3.3 of the NCSC Requirements for IT Infrastructure and must use the new Danzell Question Set.

Join our expert-led webinar, in which our cyber security advisor Ashley Brett and head of information security Adam Seamons explain what this year’s changes mean in practice and how your organisation can prepare.

Date: Tuesday, 24 March 2026
Time: 3:00–4:00 pm (GMT)
