Five Things You Can Do This Week to Beat the UK Cyber Security Survey Average: No Budget Required
The Cyber Security Breaches Survey 2025/2026 is 612,000 reasons to feel worried. Here are five reasons not to be, provided you are willing to block out roughly three hours this week and make some slightly boring decisions.
Every number below comes from the survey published by DSIT and the Home Office on 30 April 2026. Each one identifies a specific gap. Each gap has a specific fix. None of the fixes require an enterprise budget, a strategy deck, or a consultant charging you a day rate.
Step 1: Turn On Multi-Factor Authentication Everywhere
The number: MFA adoption among UK businesses reached 47%. That means 53% still have none. Among micro businesses specifically, adoption rose from 35% to 43%, which is progress, but still leaves 57% of the smallest firms completely exposed.
Why it matters: Phishing was the most disruptive breach type in 69% of cases. Fifty-one percent of breached businesses experienced phishing and no other attack type. When phishing succeeds, the attacker typically obtains a username and password. Without MFA, that is all they need to walk straight into the account. With MFA, the stolen password alone is not enough.
How to do it:
For Microsoft 365, open the admin centre at admin.microsoft.com. Navigate to Settings, then Org settings, then Multifactor authentication. Enable security defaults if you have not already. This forces MFA for all users and requires the Microsoft Authenticator app or a phone number as a second factor.
For Google Workspace, open the admin console at admin.google.com. Go to Security, then Authentication, then 2-Step Verification. Set the enforcement date and choose your allowed second-factor methods.
Start with admin accounts and any account with access to email, payroll, banking, or customer data. Then extend to every user. Test with one account first to confirm the enrolment process works smoothly before rolling it out.
Time required: 30 to 60 minutes for initial setup, plus 5 minutes per user for enrolment.
Cost: Zero on most Microsoft 365 and Google Workspace licence tiers. MFA is included.
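Before enrolling users, it helps to know exactly who still lacks a second factor and to start with the admin accounts the article puts first. The script below is an added example, not from the article or from Microsoft; it assumes its input is the JSON returned by the Microsoft Graph report `GET https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails` (fields `userPrincipalName`, `isAdmin`, `isMfaRegistered`, `methodsRegistered`), and the tenant data it processes is constructed, not real.

```python
"""Added example (not from the article): find the MFA gap before enrolment.

Input shape assumed: the "value" array of the Microsoft Graph report
GET /v1.0/reports/authenticationMethods/userRegistrationDetails.
SAMPLE_REPORT below is constructed test data, not a real tenant.
"""
from typing import Dict

UK_SURVEY_MFA_ADOPTION = 47  # percent, the survey figure quoted in the article

# Constructed sample mimicking the report's "value" array.
SAMPLE_REPORT = {
    "value": [
        {"userPrincipalName": "admin@example.test", "isAdmin": True,
         "isMfaRegistered": False, "methodsRegistered": ["password"]},
        {"userPrincipalName": "payroll@example.test", "isAdmin": False,
         "isMfaRegistered": False, "methodsRegistered": ["password"]},
        {"userPrincipalName": "sales@example.test", "isAdmin": False,
         "isMfaRegistered": True,
         "methodsRegistered": ["password", "microsoftAuthenticatorPush"]},
        {"userPrincipalName": "owner@example.test", "isAdmin": True,
         "isMfaRegistered": True,
         "methodsRegistered": ["password", "mobilePhone"]},
    ]
}


def mfa_gap_report(report: Dict) -> Dict:
    """Return who still lacks MFA (admins first) and tenant adoption percentage."""
    users = report["value"]
    missing = [u for u in users if not u["isMfaRegistered"]]
    # Admin accounts are the article's first rollout target, so list them first.
    missing.sort(key=lambda u: (not u["isAdmin"], u["userPrincipalName"]))
    registered = len(users) - len(missing)
    pct = round(100 * registered / len(users)) if users else 0
    return {
        "adoption_percent": pct,
        "beats_uk_average": pct > UK_SURVEY_MFA_ADOPTION,
        "missing": [u["userPrincipalName"] for u in missing],
        "admins_missing": [u["userPrincipalName"] for u in missing if u["isAdmin"]],
    }


if __name__ == "__main__":
    r = mfa_gap_report(SAMPLE_REPORT)
    print(f"MFA registered: {r['adoption_percent']}% (UK average {UK_SURVEY_MFA_ADOPTION}%)")
    for upn in r["missing"]:
        print("enrol next:", upn, "(ADMIN)" if upn in r["admins_missing"] else "")
```

Run it again after enrolment: the `missing` list should be empty, and `admins_missing` should empty first.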
Step 2: Confirm Your Cyber Insurance in Writing
The number: Twenty-two percent of the most senior people responsible for cyber security in their organisation did not know whether the organisation had cyber insurance. That is not a minor paperwork gap. If the person responsible does not know the cover exists, they certainly do not know what conditions could invalidate a claim.
Why it matters: Cyber insurance is a contract with conditions. Many policies require specific controls to be in place: MFA, regular backups, staff training, patching cadence. If you do not know the conditions, you cannot know whether you are meeting them. A claim denied because of non-compliance with policy terms is a disaster on top of a disaster.
How to do it:
Send an email today to your insurance broker or insurer with these questions.
Do we have cyber cover as a standalone policy or as part of our existing business insurance? What specific events does it cover: ransomware, data breaches, business interruption, regulatory fines, third-party liability? What are the conditions we must meet for a valid claim: specific security controls, notification timeframes, incident response requirements? Is there a maximum payout, and does it have sub-limits for different event types?
Save the response in a shared location where at least two people in the business can access it. If your broker says you do not have cover, ask for a quote. If you do have cover, read the conditions and check whether your current controls meet them.
Time required: 15 minutes to send the email. 30 minutes to review the response.
Cost: Zero for the enquiry. Insurance premiums vary, but knowing what you have costs nothing.
Step 3: Write a One-Page Breach Contact List
The number: Only 25% of UK businesses have a formal incident response plan. Among micro businesses, the figure is 21%. Among small businesses, the figure is broadly flat: last year's improvement was not sustained.
Why it matters: When systems go down or an account is compromised, the first hour determines the outcome. If nobody knows who to call, who can reset accounts, or where the backups are, the response is chaotic and slow. A one-page contact list is not a full incident response plan. But one page beats zero pages.
How to do it:
Open a document and include the following information.
Internal contacts: Who is the primary decision-maker? If that person is unavailable, who acts? Who has admin access to Microsoft 365 or Google Workspace? Who has access to the business bank account? Who manages the website?
External contacts: IT support provider: name, phone, email, out-of-hours number. Insurance broker or insurer: name, phone, policy number. Bank fraud line: phone number. ICO breach reporting: ico.org.uk/make-a-complaint, phone 0303 123 1113 (if personal data is involved). Action Fraud: 0300 123 2040 (for reporting cyber crime).
Critical systems: Where are backups stored? When were they last tested? What is the recovery time if email goes down? What systems can the business operate without, and for how long?
Print a copy and keep it somewhere that does not require the systems that might be down. A laminated sheet in the server room, the office safe, or the managing director's home is more useful than a file on the compromised SharePoint.
Time required: 45 to 60 minutes.
Cost: Zero.
Step 4: Set Three Basic AI Rules
The number: Thirty-one percent of UK businesses are using, adopting, or considering AI. Of that group, only 24% have any process or practice to manage the cyber security risks from AI technology. That means roughly three quarters of businesses engaging with AI are doing so with no house rules whatsoever.
Why it matters: Staff are already using AI tools. They are summarising customer emails, drafting tenders, cleaning up spreadsheets, and generating reports. If nobody has set boundaries, somebody is pasting customer personal data, contract terms, or financial information into a public AI tool with no idea where that data goes or how it is stored.
How to do it:
Write three rules and communicate them to every member of staff. You can refine them later, but these three cover the highest-risk scenarios immediately.
Rule 1: Do not paste customer personal data into any AI tool without explicit approval from management. This includes names, addresses, email addresses, phone numbers, health information, financial details, and anything covered by GDPR.
Rule 2: Do not paste contracts, financial documents, board papers, or confidential internal information into public AI tools. If the business has not approved the tool and reviewed its data handling, treat it as public.
Rule 3: If AI produces something that will be sent to a client, submitted to a regulator, or published externally, a human must review and approve it before it goes out. AI output is a draft, not a deliverable.
Send these three rules in an email, discuss them at the next team meeting, and add them to the staff handbook or acceptable use policy. That is not a full AI governance programme, but it is worlds better than nothing.
Time required: 30 minutes to write and communicate.
Cost: Zero.
Step 5: Review Your Three Most Important Suppliers
The number: Only 15% of UK businesses formally review the cyber risks posed by their immediate suppliers. Just 6% review the wider supply chain. Among small businesses, the figure for immediate suppliers drops to around 12%.
Why it matters: If your payroll provider, CRM system, or outsourced helpdesk gets breached, your customers do not care that the failure happened in someone else's cloud. They know your logo, your invoice, and your apology email. Supply chain risk is your risk, even when the technical failure is not yours.
How to do it:
Identify the three suppliers with the greatest access to your business. These are typically the ones that handle your staff identities (Microsoft 365, Google Workspace), your customer data (CRM, booking systems, email marketing), or your financial systems (payroll, accounting software).
Send each supplier the following questions.
Do you require multi-factor authentication for all staff accessing our data or systems? Do you hold Cyber Essentials certification or equivalent? How would you notify us if you experienced a data breach or security incident, and within what timeframe? Do you have a formal incident response plan? Can you provide a summary of your data protection measures?
You do not need a formal supplier risk framework to start. Three emails with five questions each is a practical beginning. The responses will tell you whether your suppliers take security seriously or whether they have never been asked.
Time required: 30 minutes to identify suppliers and send the emails. Follow-up time varies.
Cost: Zero.
Where to Draw the Line Between DIY and Paying for Help
These five steps are designed for businesses that can manage them internally. But there are clear triggers for bringing in professional help.
Technical uncertainty. If nobody in the business can confidently navigate the Microsoft 365 admin centre or Google Workspace security settings, get competent help to configure MFA and review the security posture. Misconfigured controls are worse than no controls because they create a false sense of security.
Legal uncertainty. If you handle special category data under GDPR, including health data, biometric data, or criminal records, or if you process payment card data, the regulatory requirements are specific and the consequences of getting them wrong are significant. Professional advice is worth the cost.
Persistent inaction. If the business has been saying "we'll do it next month" for six months, the barrier is not knowledge; it is momentum. Paying someone to force the issue, whether an IT provider adding a security review to the support agreement or a consultant conducting a half-day assessment, can break the cycle.
Spend money where mistakes are expensive: identity controls, backups, incident response, and anything involving customer data. Save money on cosmetic nonsense. A lot of firms buy shiny awareness packages before they have even got MFA turned on. That is like buying a fancy umbrella when the front door is missing.
How to Turn This Into a Competitive Advantage
Completing these five steps puts you ahead of the majority. The survey data provides the benchmarks: if 53% lack MFA, 75% lack an incident response plan, and 85% do not review their supply chain, having all three makes you visibly more prepared than most of the market.
For businesses responding to tenders, procurement questionnaires, or due diligence requests, these are concrete, verifiable controls. "We enabled MFA across all accounts in May 2026, we have a documented breach contact list, and we have reviewed our three principal suppliers" is a statement that fewer than one in five UK small businesses can make.
How to Sell This to Your Board
Total cost: zero. All five steps can be completed with no additional spending. The ask is for three hours of management time spread across the week.
Measurable improvement against government benchmarks. Each step moves the business from the wrong side of a specific survey statistic to the right side.
Reduced risk of the most common attack. MFA directly addresses the attack path that caused 69% of the most disruptive incidents in the survey.
Defensible compliance posture. Following NCSC guidance and government survey recommendations is a position that holds up under regulatory scrutiny, insurance claims, and customer due diligence.
What This Means for Your Business
These five actions are not the end. They are the starting line. But the survey data shows that most small businesses have not crossed it yet. The difference between zero and one is larger than the difference between one and ten. Start this week, and next month you can build from a position of basic coverage rather than one of documented decline.
Pick one. Do it today. Then do the next one tomorrow. By Friday, you are ahead of the average. That is not a sales pitch. It is arithmetic.