Concern Is Not a Control: Why UK Small Business Cyber Hygiene Went Backwards While Awareness Went Up

News & Analysis


Hello, Mauven here.

The Cyber Security Breaches Survey 2025/2026 contains a contradiction that deserves more scrutiny than the headline numbers have received. Awareness of cyber risk increased. The practical measures that translate awareness into protection decreased. These two facts, sitting side by side in the same government dataset, tell a story that should make anyone involved in small business cyber security deeply uncomfortable.

The Contradiction in the Data

The survey’s qualitative interviews make the awareness picture explicit. Organisations reported that their perception of cyber risk had been heightened by high-profile attacks covered extensively in the media. The retail attacks on major UK brands were mentioned specifically. The atmosphere, as described by the businesses themselves, was one of increased concern.

Against that backdrop, here are the small business numbers for practical cyber hygiene measures, comparing 2024/2025 with 2025/2026.

  • Risk assessments covering cyber security: down from 48% to 41%.
  • Formal cyber security policies covering risks: down from 59% to 52%.
  • Business continuity plans that address cyber security: down from 53% to 44%.

That last figure is a nine-point decline in twelve months. Not on some advanced capability. On having a written plan for what happens when systems go down. After a year when disruption was on the evening news with regularity.

If awareness were the barrier, these numbers would have improved. They did not. Which means the standard prescription of “more awareness” is at best incomplete and at worst actively misleading.

Awareness Achieved Its Objective

It is worth pausing to acknowledge that the awareness message actually landed. The survey data supports this. Seventy-two percent of businesses said cyber security was a high or very high priority for senior management. Board-level responsibility for cyber security increased from 27% to 31%. Among large businesses, 100% said cyber was a high priority.

Government awareness campaigns saw improved recognition. Cyber Aware was recognised by 30% of businesses. Cyber Essentials awareness stood at 17%. The Cyber Governance Code of Practice reached 16%.

These are not numbers that suggest a population ignorant of the risk. The stated priority is there. The governance indicators are moving upward. Senior people are talking about this.

And yet the administrative controls that turn talk into protection are declining. The gap between stated priority and operational reality is widening, not narrowing.

Three Explanations That Are Not Mutually Exclusive

The podcast discussion this week explored three overlapping explanations for why awareness and action are moving in opposite directions.

Overload. Owner-managed firms are under sustained pressure. Payroll, VAT, staffing, cash flow, supply chain management, and the ongoing economic squeeze all compete for the same limited pool of attention. Cyber security is one of many important things, and it is rarely the most urgent thing on any given day. The tyranny of the immediate wins repeatedly. The survey itself captures this through a quote from a small health and social care business that could not justify eighteen thousand pounds for new systems while under financial strain. Cyber arrives wearing a price tag before it arrives wearing a solution.

Inertia. Some of these controls are not expensive. Writing down who to call in the first hour of an incident costs nothing. Conducting a basic risk assessment using free NCSC templates requires time but not budget. Turning on MFA in Microsoft 365 or Google Workspace is a configuration change, not a procurement exercise. The financial barrier is real for some measures but does not explain the decline in controls that are essentially free. Having a plan costs nothing; not having one costs everything.

Mistaking concern for action. This is the explanation I find most troubling. A managing director watches the breach coverage, feels genuinely concerned, discusses it at a management meeting, and mentally files “cyber security” as something they have addressed. The concern feels like progress. Three meetings and a paragraph in the induction pack feel like implementation. But no risk assessment was conducted. No continuity plan was written. No MFA was enabled. The emotional response was confused with operational change.

The survey data is consistent with all three explanations operating simultaneously. Different businesses face different barriers. But the net effect is the same: a population that is more aware and less prepared.

The Conversion Problem

The useful framing is not awareness versus ignorance. It is awareness versus conversion. Awareness is knowing that cyber risk matters. Conversion is turning that knowledge into a specific, completed task with a date, an owner, and a verification step.

Every business owner who reads about a major breach and thinks “we should look at that” has experienced awareness. Every business owner who then opens a calendar, blocks ninety minutes, and completes a risk assessment template has achieved conversion. The survey tells us the first group is growing. The second group is shrinking.

This has implications for how the industry communicates about cyber security. If the goal is awareness, the current approach is working. Media coverage of major incidents creates concern. Government campaigns generate recognition. The atmosphere of “this matters” is established.

But if the goal is conversion, the approach needs to change. More alarming statistics will not close the gap. Another dramatic headline will not produce a continuity plan. The conversion problem requires a different kind of intervention: making the first step so small, so clear, and so immediately actionable that it competes successfully against the day’s other demands.

Why Small Businesses Specifically

The survey shows a clear size gradient. Large businesses maintained or improved their hygiene measures. Medium businesses held relatively steady. The declines were concentrated among small businesses.

This pattern makes sense when you consider the structural differences. Large businesses have dedicated cyber security staff, formal governance processes, and established reporting cadences. A CISO who reports to the board monthly does not allow risk assessments to lapse because they are too busy with payroll. Small businesses have the managing director, who is also the operations manager, the unofficial IT decision-maker, and the person approving invoices.

In a large business, cyber security has institutional momentum. Tasks are embedded in role descriptions, compliance calendars, and audit schedules. In a small business, cyber security depends on the personal bandwidth of one or two people who have fifteen other responsibilities that generate more immediate pressure.

The survey’s finding that staff training remained static at 19% across all businesses, while large businesses saw an increase from 76% to 84%, reinforces this. The organisations with dedicated resources improved. The organisations without them did not.

What Actually Closes the Gap

If the diagnosis is a conversion failure rather than an awareness failure, then the interventions need to target conversion specifically.

Time-boxed first steps. Do not present cyber security as a programme. Present it as a single task that takes sixty minutes. Conduct a risk assessment using the NCSC small business template. Write a one-page breach contact list. Enable MFA on three admin accounts. The psychological barrier is smaller when the commitment is finite.

Embedded triggers. Attach cyber tasks to existing business routines. Review your insurance renewal? Check whether cyber is covered. Onboarding a new employee? Add MFA setup to the onboarding checklist. Conducting quarterly accounts? Add a five-minute check of sign-in logs. Cyber security that runs alongside existing processes competes less directly for attention.

Accountability by default. The survey shows that board-level responsibility increased from 27% to 31%. But responsibility without a reporting mechanism is nominal. The most effective change is simple: name the person responsible, give them a specific quarterly checklist, and have them report completion to the senior decision-maker. Not a sophisticated governance framework. Just a name, a list, and a date.

External accountability. The survey reports that 44% of businesses sought external cyber guidance, with 27% using external IT consultants as their primary source. For businesses that already have a trusted IT provider, the simplest conversion mechanism is asking that provider to add a quarterly security review to the existing support agreement. The cost is modest. The accountability is built in.

NCSC Guidance Is Decent; Reach Is the Problem

Only 1% of businesses named the NCSC as an advice source when asked unprompted. The national cyber agency may as well be whispering into a storm, as the podcast put it. Prompted recognition is higher: 17% knew of Cyber Essentials, 17% knew of the 10 Steps guidance. But the gap between recognition and use remains wide.

This is not a quality problem. The NCSC’s small business guide is clear, practical, and free. The Cyber Essentials framework provides a structured approach to basic hygiene. The 10 Steps guidance offers a sensible roadmap for organisations ready to move beyond the basics.

The problem is distribution. Small business owners ask the person they already ring when the printer catches fire. Familiar, immediate, trusted. Government guidance can be solid and still lose if nobody remembers the name or knows where to start. Which means the most effective channel for NCSC guidance may not be the NCSC website. It may be the trusted local IT provider who translates government frameworks into specific actions for that specific business.

How to Turn This Into a Competitive Advantage

The awareness-action gap is your opportunity. If 59% of small businesses lack a formal cyber policy and 56% lack a continuity plan covering cyber, having both makes you visibly more prepared than the majority. During procurement, due diligence, or partnership discussions, evidence of completed controls carries weight precisely because the survey shows most organisations have not done them.

Being able to say “we completed our NCSC-aligned risk assessment in Q1 and here are the results” is a statement that fewer than half your competitors can make. That scarcity creates value.

How to Sell This to Your Board

The awareness argument is won. 72% of businesses already say cyber is a high priority. The board does not need more convincing that it matters. They need a plan that converts concern into completed actions.

The decline is measurable and documented. Government data shows small businesses going backwards. Presenting this data positions the proposed actions as course correction, not new spending.

The first steps are low-cost. Risk assessment: free NCSC template. Continuity plan: one page, internally produced. MFA: included in existing software licences. The budget ask is primarily for time, not money.

Accountability structures cost nothing. Naming a responsible person, creating a quarterly checklist, and scheduling a fifteen-minute board update require no technology and no external spend.

What This Means for Your Business

  1. Stop treating awareness as the objective. Your staff probably know cyber matters. The question is whether specific protective tasks have been completed. Check whether your risk assessment, continuity plan, and policy documents are current. If they lapsed, schedule time to update them this month.

  2. Assign cyber tasks to a named person with deadlines. Concern distributed across the whole management team is concern owned by nobody. One person, one checklist, quarterly reporting.

  3. Attach cyber reviews to existing business routines. Insurance renewal, staff onboarding, quarterly accounts. These are natural trigger points that do not require creating new calendar entries.

  4. Ask your IT provider to include a quarterly security review. If you already use an external provider for IT support, this is the lowest-friction route to regular accountability.

  5. Use the NCSC small business guide as your starting template. Free, government-backed, and designed for organisations of your size. The guidance is decent. The gap is execution, not information.

Sources

  • DSIT / Home Office: Cyber Security Breaches Survey 2025/2026
  • NCSC: Small Business Guide to Cyber Security
  • NCSC: 10 Steps to Cyber Security
  • NCSC: Cyber Essentials Overview
  • GOV.UK: Cyber Governance Code of Practice
  • NCSC: Board Toolkit: Five Questions for Your Board’s Agenda
  • ICO: Security (GDPR Guidance)

Filed under

  • smb-security
  • uk-business
  • business-risk
  • compliance-failure
  • executive-security
  • incident-response