Cyber threats are no longer something that happens only to larger organisations. The latest data from the UK’s own National Cyber Security Centre (NCSC) makes uncomfortable reading for any MD, CEO or FD running a small or medium-sized business in England.
42% of UK small businesses reported a cyber breach in 2024. (Source: National Cyber Security Centre (NCSC), October 2025.)
The average cost of a cyberattack for a small business now ranges from £3,400 to £5,000 per incident, and for medium-sized businesses it reaches £10,830. That figure does not include reputational damage, lost clients or regulatory fines. Perhaps most concerning: 67% of small businesses that experienced a cyberattack reported financial difficulties within six months. (Source: Eclarity, UK SME Cybersecurity Guide, 2025, citing DSIT data.)
At a national level, the picture is equally stark. The NCSC handled 429 cyber incidents in the 12 months to August 2025, an average of four nationally significant attacks every single week, a 130% increase on the previous year. As NCSC CEO Dr Richard Horne put it: “cybersecurity is now a matter of business survival and national resilience.” (Source: NCSC Annual Review 2025.)
The threats evolving fastest in 2026
- Phishing: Remains the most prevalent threat, affecting 84% of businesses that reported breaches in 2024. AI is now being used by criminals to craft near-perfect phishing emails with no spelling errors or odd formatting, making them far harder to spot. (Source: DSIT Cyber Security Breaches Survey 2024.)
- Ransomware: Incidents increased by 70% compared to previous years. Criminals increasingly use ‘double extortion’, stealing your data before encrypting it, then threatening to publish it publicly even if you have backups. (Source: Eclarity / DSIT 2025.)
- Supply chain attacks: Only 14% of UK businesses currently review their suppliers’ cybersecurity practices, yet supply chain attacks are increasing rapidly. The NCSC now recommends that businesses require Cyber Essentials certification across their supply chains. (Source: Eclarity / NCSC Annual Review 2025.)
- Skills and awareness gap: Only 19% of UK businesses provided any cybersecurity training to staff in the past year, leaving the majority exposed to preventable human-error incidents. (Source: Eclarity, citing DSIT 2025.)
🏫 A Note For Schools, Academies & Dental Practices
Education and healthcare organisations are high-value targets. Schools must protect pupil data under UK GDPR and the DfE’s Cyber Security Standards for Schools. Dental practices hold sensitive patient records subject to both GDPR and CQC requirements. The NCSC’s 2025 Annual Review specifically highlights education as a sector experiencing ‘high disruption from phishing and ransomware’ with significant operational impact. Do you have a documented Incident Response Plan? If not, you need one.
How HBT Communications Can Help: Cyber Essentials Accreditation
HBT Communications is proud to support businesses through Cyber Essentials accreditation, the UK government-backed certification scheme that demonstrates your organisation meets the recognised minimum standard for cybersecurity.
Cyber Essentials is not just a badge. It delivers real, practical protection against the most common cyber threats and carries significant additional benefits:
- Proven protection: Cyber Essentials certification guards against the vast majority of common cyberattacks, including phishing, ransomware and unauthorised access.
- Free cyber insurance: Any UK organisation that certifies their whole organisation and has less than £20 million annual turnover receives complimentary cyber liability insurance automatically. (Source: NCSC, October 2025.)
- Supply chain credibility: The NCSC now recommends that businesses require Cyber Essentials from their suppliers. Being certified makes you a more trusted partner and can open doors to contracts you may currently be excluded from.
- Competitive advantage: 69% of Cyber Essentials-certified organisations believe it made them more competitive. 89% would recommend the scheme. (Source: NCSC / UK Government Cyber Growth Action Plan, September 2025.)
- Board-level assurance: It provides your MD, CEO and FD with documented evidence that foundational cyber controls are in place, increasingly expected by insurers, regulators and larger clients.
✅ What Cyber Essentials covers
The scheme assesses five key technical controls: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management (keeping software up to date). HBT will guide you through every step of the assessment process, ensuring you are fully prepared before submission.
Three actions every business leader should take now
- Enable Multi-Factor Authentication (MFA) across all business systems: email, finance platforms, and cloud tools. This single step blocks the vast majority of credential-based attacks.
- Brief your team. With only 19% of UK businesses providing cybersecurity training (DSIT, 2025), a single one-hour awareness session puts you ahead of the majority and significantly reduces your risk.
- Talk to HBT about Cyber Essentials. We will assess your current position, identify any gaps, and guide you through certification, including securing your free cyber insurance.
Ready to get Cyber Essentials certified? Contact HBT Communications for a no-obligation assessment.