UK ministers urge SMEs: use NCSC toolkit, adopt Cyber Essentials
Let’s keep this practical. The UK government has written to small businesses with two clear cyber steps. The open letter, published on 26 November 2025 and dated 24 November, says hostile activity is intensifying, with half of small firms hit in the past year and 35% of micro businesses facing phishing. We’ve turned that message into a plan you can start today.
Step one is simple: use the National Cyber Security Centre’s Cyber Action Toolkit. It’s free and personalised, guiding you through small, achievable tasks and tracking your progress so you can build protection at your own pace without needing a big IT team. This is the government’s recommended starting point for small organisations.
When you’re ready, step two is Cyber Essentials. This government‑backed certificate sets a UK‑recognised minimum standard against common attacks. It also brings free cyber insurance and access to a 24/7 emergency helpline, and the government notes organisations with Cyber Essentials are 92% less likely to make a claim on their cyber insurance. It can open doors to contracts and new work.
If you’re dealing with an incident right now, act fast. For a live cyber attack affecting a business, charity or other organisation, call Action Fraud on 0300 123 2040 at any time, day or night. You can also report fraud or cyber crime online 24/7; in Scotland, contact Police Scotland on 101. If you already hold Cyber Essentials, use the scheme’s emergency helpline.
Here’s how to get moving this week. Open the Toolkit and complete the first tasks it suggests, then set a weekly reminder to come back to it. As you progress, make sure automatic updates are on for devices and software, turn on multi‑factor sign‑in for email and banking, and keep at least one backup that isn’t permanently connected.
This applies beyond limited companies. Sole traders, student‑led start‑ups, micro enterprises and small charities can all use the same approach. The Toolkit is designed as a starting point for all small organisations, so you can adapt it to your context and budget.
If you want to know who’s asking, the letter is signed by Liz Lloyd, Minister for the Digital Economy, Blair McDougall, Minister for Small Business and Economic Transformation, and Richard Horne, Chief Executive of the National Cyber Security Centre. That line‑up signals a coordinated push to help smaller organisations strengthen everyday defences.
Make it a team habit. Nominate someone to coordinate cyber tasks, keep key phone numbers and contacts in a shared note, and practise a ten‑minute drill on what you’d do if email or shared files suddenly stopped working. Small routines make the Toolkit smoother and put you in a stronger position for Cyber Essentials.
A quick glossary for your next team huddle: the NCSC is the UK’s national cyber authority; the Cyber Action Toolkit is its free step‑by‑step planner for small organisations; Cyber Essentials is a government‑backed certificate showing you’ve put basic defences in place; Action Fraud is the police‑run national reporting centre for fraud and cyber crime; phishing is when criminals try to trick you into sharing information or clicking a malicious link.
Take five minutes today to begin. Starting the Toolkit and scheduling your first Cyber Essentials discussion will lower risk and build confidence with customers and staff. That’s the government’s message: small steps, done regularly, protect your work and can open doors to new contracts.