New joint ministerial letter urges small firms to act on cyber security
Posted: Tue 25th Nov 2025
Two government ministers and the head of the National Cyber Security Centre (NCSC) have written directly to Enterprise Nation's members about cyber risk.
Their joint open letter sets out, in plain terms, both the scale of the threat and the practical tools now on offer.
Below is a short overview of what the government is doing, why this matters for small firms and how it fits with what we're seeing in our own research.
What the government is offering small businesses
The letter, signed by Liz Lloyd CBE (Minister for Digital Economy), Blair McDougall MP (Minister for Small Business and Economic Transformation) and Richard Horne (Chief Executive of the NCSC), starts with a blunt warning.
Cyber attacks against UK organisations are becoming more intense, frequent and sophisticated. Businesses of all sizes are being hit.
They highlight that around half of small businesses in the UK say they've suffered a cyber attack in the past 12 months, and that 35% of micro businesses report phishing attacks.
These are the smallest firms in the economy, often with no dedicated IT support, yet still firmly in the crosshairs of cyber criminals.
The ministers are clear that this isn't something small business owners can ignore as "a big business issue".
Whether you're a sole trader or running a growing team, a successful attack can disrupt operations overnight and damage customers' trust.
To help, the government is now pushing two core tools for small organisations:
Cyber Action Toolkit: The letter describes a free, personalised cyber security solution from NCSC experts that breaks cyber protection down into simple, achievable steps. It helps you build stronger protection at your own pace and tracks your progress as you go.
Cyber Essentials: For organisations ready to go further, Cyber Essentials is the government-backed certification that shows you meet the recognised UK minimum standard for cyber security and are protected against the most common threats.
The certification comes with free cyber insurance, access to a 24/7 emergency helpline and can open doors to government contracts and wider business opportunities.
The letter also reminds businesses that if they do face an incident, they should report fraud and cyber crime through Action Fraud (or by calling 101 in Scotland), and that Cyber Essentials certificate holders have access to additional support via the emergency helpline.
The scale of the cyber challenge for small firms
The ministers' warning is backed by wider evidence.
VodafoneThree's analysis found that more than a third (35%) of UK SMEs experienced a cyber incident in 2024, at an estimated yearly cost of £3.4 billion. For small firms, the average direct cost per attack was £3,398.
Other studies suggest that many SMEs still lack a fully actionable cyber security strategy. One recent analysis found that around two-thirds of UK SMEs don't have a practical cyber plan in place, even when they say they have policies on paper.
This gap between intention and execution leaves them exposed, and often reliant on external partners in the middle of an incident.
Taken together, these figures show that cyber risk isn't abstract. It hits cash flow, customers' confidence and growth.
What Enterprise Nation's research tells us
Our own research earlier this year, based on a survey of more than 1,000 small businesses, looked at AI adoption, open banking and cyber security. It painted a similar picture of under-investment and low awareness.
Three key findings stand out:
Low reported incidents, but likely under-protection: Only 13% of small businesses said they'd experienced a cyber incident in the past 12 months.
Most of these were phishing attacks (69%) or compromised business email (32%), usually with little or no financial loss. That may look reassuring, but it risks complacency while the underlying threat level keeps rising.
Very low spend on cyber security: 43% of businesses allocate some budget to cyber security, but typically less than 1% of turnover, and 31% spend nothing at all. Many firms still see cyber protection as optional rather than a basic cost of doing business.
Data security anxiety without matching action: A quarter of businesses (26%) claim data security is a key concern when adopting new tech, yet their spending and planning on cyber security say otherwise.
Taken together, this suggests that many small firms are now experimenting with powerful digital tools, often handling sensitive customer and financial data, while still treating cyber security as a secondary issue.
The ministerial letter is a clear signal that this needs to change.
If you want to act on this, the joint letter sets out simple, practical steps small firms can take now, including:
using the Cyber Action Toolkit for a personalised action plan
working towards Cyber Essentials certification to meet a clear minimum standard and reassure customers
following NCSC's Small Business Guide for basic good practice
Many founders want to embrace digital tools but feel uncertain about where to start. For clear and detailed guidance, we strongly encourage you to read the full letter from ministers and NCSC.

