The uncomfortable truth

The UK has never been short of cyber security guidance. Government-backed schemes such as Cyber Essentials and NCSC “small business” advice have been around for years, and yet the same basic weaknesses keep turning up in breach after breach.

The most revealing bit isn’t that attackers are clever (they are). It’s that a lot of firms still treat cyber as optional admin — something to squeeze in when the “real work” is done.

Official figures show the problem is widespread. The government’s Cyber Security Breaches Survey 2025 found 43% of businesses identified a cyber security breach or attack in the previous 12 months, and phishing remained the most common and disruptive type (experienced by 85% of those that had an incident). 

So why do so many organisations still fail to do the basics the government keeps recommending?


1) The “we’re too small to be worth hacking” myth refuses to die

Criminals don’t “hunt trophies”; they hunt easy wins

In the real world, attackers often don’t care about your brand name — they care about whether you’re easier to compromise than the next company.

The Breaches Survey’s own findings reinforce this: phishing dominates because it works at scale, and it’s cheap for criminals to run. 
In other words: if your staff can be tricked, your size doesn’t matter.


2) Cyber still isn’t treated as a leadership problem

Boards approve budgets — but may not understand the risk they’re accepting

A recurring theme in the Breaches Survey is that board-level involvement doesn’t automatically mean cyber competence. The report notes that organisations often said only one or two board members had technical knowledge — and sometimes the “responsible” person had little understanding, despite making decisions that shape budgets and priorities. 

That gap matters, because cyber spending competes with visible priorities (sales, hiring, expansion). Cyber often loses because the payoff is “nothing happens”.

And when cyber is delegated downwards, it frequently lands with people who have plenty of responsibility but not much time or specialist support. For small businesses, the survey found the most common “cyber lead” roles included general office managers and CEOs, not dedicated security staff. 


3) It’s not just money — it’s time, headspace and disruption

Even when controls are cheap, they still cost effort

The Breaches Survey’s qualitative interviews capture the lived reality: teams do the “easy bits” first, then stall when improvements start to bite.

One interviewee put it bluntly: “Once we get the easy bits and pieces out of the way… [it] is a lot more expensive and will need more investment.” (Cyber Architect, medium business) 

Cyber advice often assumes you have:

  • someone who can configure systems properly,
  • someone who can test and monitor,
  • someone who can keep policies current,
  • someone who can train staff repeatedly.

Many firms don’t. They have one IT supplier, or a stretched internal generalist, or nobody at all.


4) A lot of businesses don’t even know what protections they already have

If you can’t measure it, you can’t manage it

One of the most eyebrow-raising findings in the 2025 survey: 20% of businesses didn’t know whether they had cyber insurance (even though the survey was aimed at the person “most responsible” for cyber). 

That “don’t know” factor shows up in other areas too: policies exist but aren’t reviewed, controls are partly deployed, supplier access grows over time… and nobody has a single clear picture of the organisation’s exposure.


5) Supply chains are the weak flank — and most firms barely look

You can do the basics internally and still get hit via a partner

Modern business is stitched together by vendors: IT support, payroll, CRM, e-commerce plugins, outsourced marketing, managed services. This is where “government advice” meets reality and breaks.

A UK Parliament POSTnote on digital infrastructure resilience cites the Breaches Survey finding that only 14% of UK businesses reviewed risks from immediate suppliers, and 7% reviewed wider supply chains.
The same POSTnote notes that some stakeholders call supply chains a “weak link” attackers can exploit.

Translation: a business can follow plenty of internal guidance and still be exposed if a supplier is lax — and most aren’t checking.


6) Guidance competes with “compliance fatigue” and confusing language

Advice that isn’t usable gets ignored

Some of the problem is cultural (“we’re busy”), but some is packaging: cyber language is often dense, technical, and intimidating — especially for SMEs.

The Association of British Insurers (ABI), in launching an SME cyber guide, argued that take-up is hindered by “technical language” that makes it difficult for SMEs to understand cyber risks and the value of protection. 

When guidance feels like homework written by specialists for specialists, it gets postponed — indefinitely.


7) The incentive problem: consequences feel distant… until they’re immediate

Cyber is a tax on today to avoid a disaster tomorrow

There’s a brutal behavioural economics point here: many organisations only act after they’ve been hit, because that’s when cyber stops being abstract.

The NAO’s work on government cyber resilience (public sector rather than private firms, but the themes are familiar) warns that improvement is hard until organisations address long-running issues like skills shortages, accountability, and legacy technology risk.
Private businesses face the same forces: older systems, missing expertise, and nobody keen to volunteer for an expensive modernisation project.


What “ignoring the advice” actually looks like on the ground

It’s rarely outright refusal — it’s slow drift

Most firms don’t say “no” to cyber security. They say:

  • “Next quarter.”
  • “After the website relaunch.”
  • “Once we hire someone.”
  • “We’ve never had a problem before.”

And then a single phish, reused password, unpatched device, or supplier compromise does the job.

Even with improvements in some areas for small businesses (risk assessments, policies, continuity planning), the 2025 survey still shows that, overall, only 36% of businesses reported having formal cyber security policies, and 29% reported conducting risk assessments (figures vary sharply by business size).


The hard-nosed takeaway for UK firms

If you’re “too busy” for the basics, you’re volunteering to be a victim

Government guidance can’t force adoption in most of the private sector. That leaves a simple reality: cyber resilience rises when it becomes a business requirement — demanded by customers, insurers, regulators, or leadership.

Until then, too many organisations will keep treating cyber like optional admin. And attackers will keep treating them like easy money.


Reference material (source links)

Primary UK sources
  • UK Government, Cyber Security Breaches Survey 2025
  • UK Parliament POST, Cyber resilience of UK digital infrastructure (POSTnote 753)
  • National Audit Office, Government cyber resilience
  • ABI, Cyber guide for SMEs / insurance gap
