Cyber Resilience Pledge: what small businesses should tighten now

Small businesses are being pushed to treat cyber security as a board-level and owner-level issue, after the government warned that AI-enabled attacks are changing the speed and scale of online threats.

The message is not just aimed at large companies. The government is encouraging organisations across the economy to prepare for a new Cyber Resilience Pledge, built around practical steps such as using the National Cyber Security Centre’s free Early Warning service and strengthening supplier expectations through Cyber Essentials.

What has changed

In a new announcement published on 12 May 2026, ministers said businesses should strengthen their cyber defences as AI tools make it easier for criminals to find vulnerabilities, automate attacks and move faster than many traditional security processes can handle.

The government says the Cyber Resilience Pledge will launch later this year. Its three core actions are to make cyber security a board-level responsibility, sign up to the NCSC’s free Early Warning service, and require Cyber Essentials certification across supply chains. For a small firm, that translates into a simple but important point: cyber security can no longer sit quietly with one outsourced IT supplier or a single staff member who “knows the computers”.

The announcement also sits alongside the Cyber Security and Resilience Bill, which is continuing through Parliament, and £90 million of government backing aimed at improving resilience across the wider economy.

Why SMEs should pay attention

Many small firms still assume they are too small to be targeted. That is risky. Criminals do not need to know your business personally to attack it. They can exploit weak passwords, exposed systems, fake invoices, stolen credentials, compromised suppliers and mass phishing campaigns at scale.

The government cited recent figures showing that 43% of UK businesses experienced a cyber breach or attack in the past year. For a small employer, the damage does not have to be dramatic to hurt. A locked laptop, a hijacked email account, a spoofed payment request or a day without access to booking, payroll or stock systems can quickly become a cash-flow and customer-service problem.

That is why this matters beyond the technology sector. Shops, trades, hospitality firms, clinics, small manufacturers and professional services businesses all rely on digital systems to invoice, order, advertise, take payments and store customer details. We have already looked at how security risks can disrupt shops, trades and local employers; cyber risk is part of the same operational resilience picture.

Cyber Essentials could become more important in supply chains

The most practical part of the pledge for SMEs may be Cyber Essentials. It is the UK government-backed standard designed to block common cyber threats, covering basics such as secure configuration, access control, malware protection, software updates and firewall settings.

If larger companies and public-sector buyers start expecting Cyber Essentials across their supply chains, smaller suppliers may find certification becomes a useful trust signal as well as a defensive step. It may also help firms that handle customer data, operate online shops, provide B2B services or want to reassure clients that basic protections are in place.

This does not mean every microbusiness needs an expensive security programme overnight. But it does mean owners should check whether their current setup would stand up to basic questions from a customer, insurer, bank or larger client.

What small businesses should do now

First, assign ownership. In a small firm, that may be the founder, finance lead, operations manager or office manager, but someone needs to be responsible for cyber basics and for keeping a simple action list up to date.

Second, sign up for the NCSC’s free Early Warning service if the business is eligible. It can alert organisations to known vulnerabilities, malicious activity and exposed services linked to their systems.

Third, review Cyber Essentials. Even if certification is not needed immediately, the framework is a useful checklist for the basics: patch devices, control admin access, use multi-factor authentication where possible, remove unused accounts and keep backups separate from everyday systems.

Fourth, talk to suppliers. Ask payroll, payment, booking, website, email and IT providers what protections they have in place, what happens if their service goes down, and how they would contact you during a security incident. This is especially important for businesses already tightening finance processes because of fraud, late payment and working-capital pressure; our recent piece on late payments and SME cash flow covered how quickly payment friction can put pressure on small firms.

The practical takeaway

The government’s new cyber push is a useful reminder that resilience is not just a big-company issue. For SMEs, the goal should be proportionate protection: clear responsibility, fewer obvious gaps, better supplier checks and a plan for what happens if something goes wrong.

AI may be making cyber attacks faster, but the first line of defence for most small firms is still getting the basics right before criminals find the weak spots.

Sources

  • UK government news release, Government steps up action to strengthen cyber defences as UK cyber industry continues to grow, published 12 May 2026
  • UK government research, Cyber security sectoral analysis 2026, published 12 May 2026