Ministers and the National Cyber Security Centre have issued an open letter to small businesses and business representative organisations setting out immediate steps to strengthen cyber resilience. The correspondence was published on 26 November 2025 and dated 24 November 2025, citing increasingly frequent and sophisticated attacks affecting organisations of all sizes.
The letter asks owners and entrepreneurs to begin with the National Cyber Security Centre’s new Cyber Action Toolkit. The free, personalised service translates recommended protections into straightforward, achievable steps for each organisation and records progress over time so businesses can see what has been completed and what remains.
Government then encourages adoption of Cyber Essentials, described as the recognised UK minimum standard for basic cyber defences and a frequent requirement in public sector procurement. The letter highlights that organisations implementing the scheme’s controls make 92% fewer insurance claims relative to non‑participants, and notes access to a 24/7 emergency helpline and, for eligible organisations, free cyber insurance.
Where incidents do occur, the letter reiterates official reporting routes: fraud and cyber crime should be reported to Action Fraud in England, Wales and Northern Ireland, or to Police Scotland via 101. Certified organisations can also draw on the Cyber Essentials emergency helpline for immediate support.
For procurement leads, the policy context is long‑standing. Central government introduced mandatory Cyber Essentials certification for certain contracts, particularly those involving personal data handling and relevant ICT, via Procurement Policy Note 09/14. For small suppliers, this makes early progress towards certification a practical step in bid readiness as well as basic risk management.
Cyber Essentials focuses on five technical control areas: firewall configuration, secure configuration, user access control, malware protection and security update management. Government evaluations describe these controls as a cost‑effective baseline designed to reduce exposure to common, internet‑borne attacks.
The risk case set out by ministers is explicit. The letter cites statistics indicating that half of UK small businesses reported a cyber attack in the past 12 months, and 35% of micro businesses reported phishing attempts, underscoring the need for accessible, entry‑level protections.
This intervention aligns with wider messaging to larger companies earlier this autumn. On 13 October 2025, ministers and security agencies wrote to FTSE 100 and FTSE 250 firms urging board‑level oversight using the Cyber Governance Code of Practice, sign‑up to the NCSC Early Warning service, and the use of Cyber Essentials across supply chains. The small business letter provides an equivalent on‑ramp for smaller organisations.
Trade associations and representative bodies are asked to circulate the guidance across their memberships without delay so that firms can start with the NCSC toolkit now and plan a route to Cyber Essentials over the coming months. The government frames this as a practical, low‑cost sequence: begin with the free toolkit, then move to certification as capacity allows.
In operational terms, eligible UK‑based organisations that certify can opt into a no‑cost cyber insurance policy offering £25,000 of cover and 24‑hour legal and technical incident response; this sits alongside the 24/7 helpline referenced in the ministerial letter. Businesses should confirm eligibility criteria, which include being domiciled in the UK and having turnover below £20 million.