The government has warned UK business leaders that AI is making cyber attacks faster, cheaper and easier to scale, and for small firms that should land as a practical prompt rather than background noise.
In an open letter published by the Department for Science, Innovation and Technology and the Security Minister, businesses were urged to treat cyber security as a board-level issue, use the National Cyber Security Centre’s free Early Warning service, and build around the government-backed Cyber Essentials standard. On the same day, ministers said a further £90 million will be invested over the next three years to strengthen cyber resilience, including support for small and medium-sized businesses.
Why this matters now
Big cyber stories often sound like problems for banks, telecoms groups or critical infrastructure. But the government’s message is that ordinary businesses are firmly in scope too. In the accompanying CYBERUK speech, Dan Jarvis said cyber attacks are increasing in volume and sophistication, and pointed to the risk of logistics systems, suppliers and high-street businesses being disrupted by hostile states and organised criminals.
That matters for SMEs because attackers do not need every target to be large. A smaller company with weak controls can still be a useful route into a bigger supply chain, an easy ransomware victim, or a soft target for invoice fraud, account compromise and operational disruption. For many owner-managed firms, the real business risk is not abstract espionage. It is payroll delays, locked systems, card payment problems, customer-data headaches and days of lost trading.
What the government is asking businesses to do
The letter is notable because the advice is not exotic. It focuses on three basics. First, put cyber security high enough in the organisation that someone senior is clearly accountable for it. In a small business, that may mean the owner, finance lead or operations lead taking responsibility rather than assuming “IT” has it covered.
Second, use Cyber Essentials. The government describes it as a proven baseline against common attacks and says businesses should also push those expectations into their supply chains where relevant. Third, follow NCSC guidance and sign up for the NCSC’s free Early Warning service so potential threats can be spotted sooner.
None of that is flashy, but that is the point. The government’s warning is really a reminder that the basics still do a lot of the heavy lifting. Small firms that have already been thinking more seriously about operational resilience after issues such as recent banking disruption and payment visibility problems should see cyber resilience as part of the same discipline.
What SMEs should check this week
If you run a small business, this is a sensible moment to ask a few blunt questions. Who is responsible for cyber security decisions? Are staff using multi-factor authentication on email and core systems? Are backups tested? Do you know which suppliers or software tools would cause the biggest disruption if they were compromised? Are scam-payment and password-reset requests being challenged properly?
For firms with no formal cyber framework, Cyber Essentials gives a clearer starting point than trying to assemble a policy from scratch. Businesses that rely on online banking, cloud accounting, e-commerce, field devices or connected security tools should also remember that cyber risk sits alongside wider physical and operational security concerns, including the sort of business-protection issues we covered in our piece on the UK signal jammer crackdown and what it means for shops, trades and local employers.
The practical takeaway
The government is not telling SMEs to become cyber specialists overnight. It is telling them that the threat is getting sharper while the baseline controls are still being missed.
For most small businesses, the best response is straightforward: assign ownership, work through the Cyber Essentials basics, sign up for NCSC Early Warning, and review the suppliers or systems that would hurt most if they failed. AI may be changing the threat landscape, but for SMEs the immediate job is still to tighten the boring essentials before an attacker turns them into an expensive lesson.
Sources
- GOV.UK, AI cyber threats: open letter to business leaders, updated 22 April 2026
- GOV.UK, Call to action for AI companies to work with UK Government on national cyber defence, 22 April 2026
- GOV.UK, Security Minister’s speech to CYBERUK 2026, 22 April 2026
