In early July, the UK government unveiled its new Cyber Resilience Pledge aimed at hardening business defences as security threats grow.
It comes after the government unveiled a £90 million cybersecurity funding package at the CYBERUK conference. The sum is earmarked primarily to bolster the defences of small and medium-sized enterprises and accelerate adoption of Cyber Essentials.
How will the measures impact SMEs, and what steps can they take to improve resilience?
Cyber Resilience Pledge
The Cyber Resilience Pledge includes mandates in three areas: It asks organisations to elevate security oversight to the board level, enrol in the National Cyber Security Centre’s (NCSC's) Early Warning service, and mandates Cyber Essentials across supply chains. According to the government, 60 businesses and strategic suppliers have already committed to boosting resilience as part of the pledge.
While the measures might appear to be aimed at larger firms, experts say they will have a direct impact on SMEs that supply these businesses. “If your organisation provides goods and services to a large firms that sign the pledge, you may soon find Cyber Essentials certificate is a commercial prerequisite, rather than a nice-to-have,” says Tracey Hannan-Jones, consulting director in information security, UBDS Digital.
It’s clear SMEs need to improve their resilience, and experts say the pledge and funding will push them towards this by further encouraging Cyber Essentials adoption. Many SMEs know cybersecurity is important, but they aren't always sure where to start, says Doug Jewitt, security consultant at Infinity Group.
Because SMEs are often balancing security with limited internal resources, there can be gaps in visibility, monitoring and governance, points out Jewitt.
SMEs face unique security challenges, agrees Hannan-Jones. “They are disproportionally targeted by cybercriminals precisely because they are perceived as softer targets. Limited IT budgets, lean teams without dedicated security professionals, inconsistent patching disciplines, and a tendency to prioritise operational continuity over security investment all create exploitable conditions.”
Jewitt thinks the pledge and funding are “an important signal that good cybersecurity is becoming a business expectation, particularly as larger organisations increasingly look for evidence that suppliers take security seriously.”
Greater investment in initiatives such as Cyber Essentials helps make security “more accessible and achievable” for SMEs, Jewitt says.
Evolving Techniques
The pledge and funding also come at a time when attack techniques are evolving, making it difficult for SMEs to keep up. “The biggest challenge we see is that cyber threats are becoming more sophisticated at the same time as businesses are adopting new technologies like AI at pace,” says Jewitt. “AI is helping attackers create more convincing phishing emails, impersonation attempts and social engineering attacks, making it harder for employees to spot threats.”
At the same time, ransomware incidents affecting SMEs continue to rise. “Supply chain compromise has become one of the most damaging threat patterns in recent years – so the supply chain mandate within the pledge is a direct response to the very vulnerabilities that SMEs represent in enterprise security,” Hannan-Jones adds.
SMEs also suffer from a compliance knowledge gap, which can make security incidents more difficult to manage when they do take place. “Many SME leaders understand they need to do something about cybersecurity, but lack clarity on where to start, what is proportionate for their size, and how existing frameworks actually map to their operation,” says Hannan-Jones.
Measures For SMEs
Experts say all three commitments within the Cyber Resilience Pledge are good practice, regardless of organisation size. Emran Ali, associate director of cyber security at Bridewell, describes the measures as “sensible, practical actions that many mature organisations should already have in place.”
Nick Dyer, RVP solutions engineering UKI and Benelux, Arctic Wolf thinks the focus on supporting SMEs to increase adoption of the Cyber Essentials scheme and reach a baseline standard of threat protection is “positive as an achievement to obtain.”
He believes one of the main barriers to increasing cybersecurity is a lack of education at a senior leadership level. “And this targeted outreach should help more businesses recognise cyber security as a strategic priority.”
Raising awareness and increasing adoption of Cyber Essentials will “undoubtedly help,” agrees Jewitt. “We’ve seen first-hand how effective strong foundational controls can be in reducing risk.”
However, Jewitt warns, SMEs’ commitment to security needs to be ongoing. Cyber security “isn't a one-off exercise,” he points out. “Certification is a great starting point, but organisations also need ongoing monitoring, user awareness and governance to stay resilient as threats continue to evolve.”
Shoring Up Security
As cyber-attacks continue to hit SMEs, some simple steps will help improve resilience in line with regulation and the pledge. Jewitt advises starting with the fundamentals. “Achieving Cyber Essentials gives businesses a proven framework for reducing common risks while demonstrating trust to customers, partners and suppliers.”
SMEs can also assess their current position against Cyber Essentials and identity any gaps, says Hannan-Jones: “Enrol in the NCSC’s Early Warning service – it’s free and provides actionable intelligence,” she advises.
The government is very much focused on Cyber Essentials uptake. However, Hannan-Jones advises treating the certification as “your bare minimum baseline”.
“If you hold sensitive client data or operate in a regulated environment, undertake an ISO27001 GAP analysis. Ensure your leadership team understands cyber risk in business terms, not just technical ones.”
Beyond that, Jewitt thinks organisations should be reviewing how AI is being used across the business, as well as strengthening identity and access controls. “SMEs should also be enabling multi-factor authentication and ensuring they have the monitoring capabilities needed to detect and respond to threats before they become incidents.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist