Most SME boards are making decisions about cyber risk with incomplete information. Not because they’re careless – but because nobody has ever given them a clear, honest picture of what the real threats are, what the consequences look like commercially, and what good oversight actually involves.
This post attempts to do that.
### The threat landscape for UK SMEs is not theoretical
There’s a persistent myth that cyber-attacks are primarily a problem for large organisations – banks, hospitals, government departments. The reality is the opposite. UK SMEs are targeted constantly, precisely because they tend to have weaker defences, less dedicated IT resource, and less capacity to respond when something goes wrong.
The National Cyber Security Centre’s annual report consistently shows that small businesses account for a significant proportion of reported incidents. Phishing remains the most common entry point – not sophisticated zero-day exploits, but convincingly written emails that persuade someone in your business to click a link or hand over credentials.
The consequences are not abstract. They include:
– **Ransomware** – where your systems and data are encrypted and a payment is demanded to restore access
– **Business email compromise** – where attackers intercept or spoof email communications to redirect payments
– **Data breaches** – where customer, employee or financial data is exfiltrated and potentially published or sold
– **Operational disruption** – where systems become unavailable for days or weeks, affecting your ability to trade
For a 20 or 50-person business, any of these is a serious commercial event. For some, it’s existential.
### What most SME boards actually know about their cyber risk
In my experience, most SME boards know very little – and what they think they know is often shaped by what their IT supplier has told them.
That’s not an accusation. IT suppliers are generally focused on keeping systems running. Security reassurance is often part of the sales relationship rather than an independent assessment. When the MD asks “are we secure?” and the MSP says “yes, we have antivirus and backups” – that answer is technically accurate but commercially meaningless.
What boards actually need to know:
1. **What are the specific threats most likely to affect a business of our type, size and sector?**
2. **What would happen operationally and financially if we experienced a significant cyber incident?**
3. **What controls do we currently have in place, and are they proportionate to our exposure?**
4. **What are the gaps, and what would it cost to close them?**
5. **What are our obligations – to customers, to insurers, to regulators – in the event of a breach?**
These are not technical questions. They are commercial and governance questions. And they deserve honest, independent answers.
### The five controls that matter most for SMEs
Cyber risk management for SMEs does not need to be complex. The government-backed Cyber Essentials framework identifies five technical controls that, if properly implemented, protect against the vast majority of common attacks:
**1. Firewalls** – ensuring your network boundary is protected and that unnecessary ports and services are not exposed to the internet.
**2. Secure configuration** – removing default passwords, disabling unnecessary software and services, and ensuring devices are set up securely from the outset.
**3. User access control** – ensuring people only have access to the systems and data they need for their role, and that access is removed promptly when someone leaves.
**4. Malware protection** – using up-to-date antivirus or endpoint detection software and ensuring it covers all devices, including personal devices used for work.
**5. Patch management** – keeping software, operating systems and applications up to date, so known vulnerabilities are closed promptly.
None of these are exotic. Most businesses are partially compliant with all of them. The gap is usually in the consistency and documentation – which is precisely what Cyber Essentials certification tests.
### What board-level cyber oversight actually looks like
Good cyber oversight at board level does not mean the MD or FD becoming a technical expert. It means:
– Receiving regular, plain-English updates on the organisation’s cyber risk posture
– Understanding the commercial consequences of the most likely incident scenarios
– Having confidence that someone independent and competent is overseeing IT and cyber on behalf of the business
– Being able to demonstrate to insurers, clients and regulators that cyber risk is being actively managed
If your board cannot currently answer the five questions I listed above, that’s a governance gap – not a technical one.
### Where to start
If you are an SME founder, MD, or Finance Director reading this and recognising that your business does not have adequate cyber risk oversight, the starting point is straightforward: get an independent assessment from someone with no interest in selling you products.
That assessment should tell you where you stand, what the real risks are, and what proportionate action looks like for a business of your size. It should be delivered in language your board can act on – not a 40-page technical report that sits in a drawer.
That is exactly what Northstar’s IT and Cyber Risk Review is designed to provide.
There was a time when Cyber Essentials felt like something for bigger organisations, a nice-to-have badge that enterprise procurement teams cared about, but not a pressing concern for a 15-person accountancy firm in Kent or a specialist manufacturer in the East Midlands. That time has passed.
A combination of tightening government procurement rules, a surge in cyber attacks targeting smaller businesses, and a growing expectation from larger private-sector buyers has transformed Cyber Essentials from a voluntary best-practice framework into something that looks, for many SMEs, a great deal like a business requirement.
If you haven’t engaged with it yet, this is the article that explains why now is the moment to act.
### What Is Cyber Essentials?
Cyber Essentials is a UK Government-backed certification scheme, overseen by the National Cyber Security Centre (NCSC), designed to protect organisations against the most common cyber threats. It isn’t a comprehensive security overhaul – it’s a baseline. The scheme specifies five concrete controls that every organisation should have in place:
- Firewalls and internet gateways – securing the boundary between your network and the wider internet
- Secure configuration – hardening your devices and disabling services you don’t need
- User access control – ensuring the right people have access to the right systems, and no more
- Malware protection – defending against malicious software with up-to-date endpoint security
- Security update management – patching known vulnerabilities within 14 days of a critical update being released
There are two certification tiers. The standard Cyber Essentials assessment involves completing a detailed self-assessment questionnaire that is independently verified by an accredited certification body. Cyber Essentials Plus goes further, requiring a hands-on technical audit in which an assessor actively tests your systems with vulnerability scans and verification checks. Both require third-party sign-off – the difference is the depth of scrutiny applied to your actual technical environment.
### The Regulatory Shift: What Changed and When
The key turning point came through the UK Government’s procurement policy machinery. Central government has required Cyber Essentials certification for contracts involving the handling of personal data or the delivery of certain IT products and services since 2014 – but that obligation was relatively narrow in scope and not consistently enforced across the supply chain.
That picture has changed materially.
Procurement Policy Note 014 (PPN 014), which reflects the new terminology and obligations introduced by the Procurement Act 2023 and the Procurement Regulations 2024, took effect for procurements commenced on or after 24 February 2025. Under this note, in-scope public sector organisations must ensure that effective and proportionate cyber security controls are applied across their supply chains, and Cyber Essentials is explicitly identified as the baseline mechanism for demonstrating compliance at the standard tier.
Government contract requirements were further expanded in April 2025. Defence suppliers faced their own deadline in December 2024. The NHS has been enforcing Cyber Essentials across its vendor base, with figures suggesting that 85% of NHS trusts now require it as a condition of supplier approval.
The effect of these changes is felt most acutely by SMEs. If your business supplies services, software, consultancy, data processing, or anything that touches sensitive information to a public sector body – directly or as a sub-contractor further down the supply chain – you are increasingly likely to find Cyber Essentials certification is a gate you must pass before price or capability even enters the conversation.
### The Numbers Behind the Risk
It would be easy to treat Cyber Essentials as a compliance exercise disconnected from real operational risk. The data says otherwise.
The UK Government’s own research found that 50% of UK businesses suffered a cyber attack or security breach in the 12 months covered by the 2024 Cyber Security Breaches Survey – up from 39% two years earlier. The threat is not declining; it is growing. Ransomware incidents surged by 70% in the same period. Phishing attacks affected 84% of businesses that reported breaches.
The financial impact is considerable. UK businesses reported an average cost of £10,830 per cyber attack in 2024 for medium-sized businesses, with remediation costs for small businesses estimated at around £25,700 when full clean-up costs – restoring systems, replacing hardware, improving security after the fact – are factored in. Across the economy, cybercrime costs the UK an estimated £27 billion annually.
For SMEs specifically, the consequences extend well beyond immediate financial loss. Research from Hiscox found that 43% of businesses lost customers following a cyber attack, and 38% reported damaging publicity. A significant proportion of small businesses that experience a serious breach never fully recover. The threat is existential for firms operating on thin margins and with limited IT resource.
The irony is that many of the attacks succeeding against SMEs are not sophisticated. They exploit exactly the vulnerabilities that Cyber Essentials addresses: unpatched software, weak or reused passwords, excessive user privileges, inadequate network boundaries. The certification does not protect against everything – it does not address advanced persistent threats or complex social engineering campaigns – but it closes the doors that the vast majority of opportunistic attackers use.
### The Commercial Dimension: Lost Contracts and Missed Tenders
Beyond the regulatory requirement, there is a straightforward commercial reality that many SME owners are discovering too late: the absence of Cyber Essentials certification is costing them business.
Research suggests that the compliance gap costs non-certified regional SMEs over £250 million in lost tenders annually. The mechanism is simple. When a public sector buyer or a large private-sector contractor reviews a supplier’s credentials, they are increasingly checking certification status first. An SME without Cyber Essentials – however competitive on price, quality, or experience – may simply not make it through the initial screening stage.
This is particularly relevant in sectors where data handling is central to the work: professional services, healthcare supply, legal, financial advisory, IT services, education, and anything touching the Ministry of Defence supply chain. In these areas, Cyber Essentials has moved from differentiator to threshold requirement.
The practical rule is worth stating plainly: if a contract involves sensitive data, regulated information, or public sector procurement, assume you will be asked for evidence of certification – not good intentions.
### What Has Changed in 2025 and 2026
The technical requirements are also evolving, which means the certification you achieved 18 months ago may need attention.
The April 2025 update introduced a revised question set (version 3.2) with more detailed requirements around multi-factor authentication enforcement, privileged access management, and cloud security policies. The biggest shift in the current cycle is the move towards treating passwordless authentication as the preferred approach – recognising that compromised passwords remain the most common vector for successful attacks on SMEs.
Looking ahead to April 2026, the most significant change is the tightening of MFA requirements. What was previously described as “where supported” and “where technically feasible” will become, in practice, mandatory wherever cloud services support MFA. That means email, file-sharing platforms, finance applications, CRM tools, and other SaaS services – any cloud tool your business uses that has MFA capability will need it enabled, documented, and evidenced. For the many SMEs already relying heavily on Microsoft 365, Google Workspace, or similar cloud platforms, this is achievable – but it requires a process, not just a setting.
The patching requirement also continues to demand attention. Critical and high-rated vulnerabilities must be patched within 14 days of release. This is not simply “turn on automatic updates.” It requires knowing what devices and software are in scope, tracking update status, and having a process to handle devices that fall behind – the laptop that hasn’t connected to the corporate network in a fortnight, the back-office application that staff avoid updating because it sometimes causes problems.
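The two requirements just described, MFA enforced and evidenced on every cloud service that supports it, and critical or high-rated updates applied within 14 days of release, are both inventory questions before they are technical ones. The following is an added example, not code from the original article, from Cyber Essentials or from any certification body: a small Python check over a constructed asset inventory that flags the cases the text warns about, including the device that has not checked in for a fortnight and so has unknown patch status. The inventory fields, the sample assets, the "as of" date and the 14-day staleness threshold for a silent device are all assumptions made for the illustration.

```python
"""Constructed inventory compliance check (added example; field names,
sample data and the staleness threshold are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Cyber Essentials: critical/high-rated updates applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
# Assumption: a device silent for this long has an unknown patch status and
# needs chasing, rather than being silently counted as compliant.
STALE_WINDOW = timedelta(days=14)


@dataclass
class Device:
    name: str
    last_seen: date                           # last check-in with the management tool
    pending_critical_since: Optional[date]    # release date of the oldest unapplied critical/high update


@dataclass
class CloudService:
    name: str
    supports_mfa: bool
    mfa_enforced: bool
    evidence: Optional[str]   # reference to the exported policy or report that proves enforcement


def check_devices(devices: List[Device], as_of: date) -> List[Tuple[str, str]]:
    """Return (device, issue) pairs for devices outside the patch window or out of sight."""
    findings = []
    for d in devices:
        silent_for = as_of - d.last_seen
        if silent_for > STALE_WINDOW:
            # Status unknown: the laptop that has not connected in a fortnight.
            findings.append((d.name, "patch status unknown: not seen for %d days" % silent_for.days))
            continue
        if d.pending_critical_since is not None:
            age = as_of - d.pending_critical_since
            if age > PATCH_WINDOW:
                findings.append((d.name, "critical update overdue by %d days" % (age - PATCH_WINDOW).days))
    return findings


def check_services(services: List[CloudService]) -> List[Tuple[str, str]]:
    """Return (service, issue) pairs where MFA is supported but not enforced or not evidenced."""
    findings = []
    for s in services:
        if not s.supports_mfa:
            continue  # outside the MFA requirement, but still worth recording in the inventory
        if not s.mfa_enforced:
            findings.append((s.name, "MFA supported but not enforced"))
        elif not s.evidence:
            findings.append((s.name, "MFA enforced but no evidence recorded"))
    return findings


# Constructed sample inventory as of an assumed assessment date.
AS_OF = date(2025, 6, 30)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", date(2025, 6, 29), date(2025, 6, 10)),   # 20 days old: 6 days overdue
    Device("LAPTOP-02", date(2025, 6, 30), date(2025, 6, 25)),   # 5 days old: still within window
    Device("DESKTOP-03", date(2025, 6, 1), None),                # not seen for 29 days: unknown
    Device("LAPTOP-04", date(2025, 6, 28), None),                # up to date
]
SAMPLE_SERVICES = [
    CloudService("Microsoft 365", True, True, "conditional-access-export-2025-06.pdf"),
    CloudService("CRM", True, False, None),
    CloudService("File sharing", True, True, None),
    CloudService("Legacy portal", False, False, None),
]


def run_checks(devices=SAMPLE_DEVICES, services=SAMPLE_SERVICES, as_of=AS_OF):
    """Bundle both checks so a board summary can be produced from one call."""
    return {"patching": check_devices(devices, as_of), "mfa": check_services(services)}


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print("%s: %d finding(s)" % (area, len(findings)))
        for asset, issue in findings:
            print("  %-14s %s" % (asset, issue))
```

The point of the "unknown" finding is that a device which has not reported in is a gap in the evidence, not a pass; a renewal that only counts the devices it can see will overstate compliance.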
### A Practical Path Forward
If your business hasn’t started, the steps are more manageable than many owners expect.
Start with an honest inventory. Map the devices, software, and cloud services that fall within the scope of your network boundary. Many SMEs discover gaps here – forgotten subscriptions, personal devices used for work, cloud services that IT wasn’t aware of.
Choose your certification level strategically. If you are targeting government contracts, public sector frameworks, or large corporate clients, plan for Cyber Essentials Plus from the outset. The additional investment in a technical audit pays back quickly through contract access that self-assessment alone cannot unlock, and avoids the need to upgrade later when a buyer asks for it.
Don’t treat it as a one-time exercise. Certification is annual. The threat landscape changes, your technology stack changes, and the requirements themselves are being updated. Build the renewal into your annual planning cycle rather than scrambling at the last minute.
Use it commercially. The certificate is a credible, independently verified signal to customers, partners, and insurers that your business meets baseline security standards. The certificate holder search on the NCSC website is publicly accessible – buyers check it. Make sure your certification is current and visible in your own marketing materials and supplier questionnaire responses.
### The Bottom Line
For UK SMEs, Cyber Essentials has crossed the threshold from recommended to required – at least for any business that wants to compete for public sector work, sit in the supply chain of a large government contractor, or supply services to the NHS. The penalties for non-compliance now reach £17 million in the most serious cases. The compliance gap is already costing the SME sector hundreds of millions in lost contracts each year.
The certification is not a guarantee against every cyber threat. But it closes the vulnerabilities that most attacks actually exploit, it satisfies the procurement requirements that are now embedded in government policy, and it sends a clear signal to clients, insurers, and partners that your business treats security as a business function rather than an afterthought.
The businesses winning public sector contracts in 2026 will have had Cyber Essentials in place for years. The ones scrambling to get certified at the point of tender – or worse, discovering they don’t qualify for an opportunity they would otherwise have won – are the ones for whom it stayed optional for too long.
For more information on Cyber Essentials certification, visit the NCSC’s official guidance at ncsc.gov.uk/cyberessentials or the IASME Consortium at iasme.co.uk.