Cyber Essentials vs ISO 27001 vs IASME: Which Does Your Business Need?
A practical comparison for UK businesses — covering features, costs, and which option suits different requirements.
Key Facts
Cyber Essentials vs ISO 27001
| Feature | Cyber Essentials | ISO 27001 |
|---|---|---|
| Best For | Depends on requirements | Depends on requirements |
| UK Availability | Widely available | Widely available |
| Typical Cost | Varies | Varies |
| Complexity | Varies | Varies |
When to Choose Each Option
Guidance based on your business requirements.
Choose Cyber Essentials When
Your business has specific requirements that favour this approach. Budget and resources align with this solution. Your existing infrastructure supports it.
Choose ISO 27001 When
Your business needs a different approach. You have different budget considerations. Your team has relevant experience.
Cost Considerations
Both Cyber Essentials and ISO 27001 have different cost profiles. The right choice depends on your business size, existing infrastructure, and specific requirements. AMVIA can help you evaluate which option delivers the best value for your situation.
The AMVIA Recommendation
Start with Cyber Essentials. It takes two to eight weeks, costs £300–£1,500 managed, and demonstrates security credibility to insurers and procurement teams. Once certified, use it as a foundation for ISO 27001 if your client base or data sensitivity demands it. AMVIA manages both pathways and can advise which fits your current risk profile.
Frequently Asked Questions
BEC is a type of fraud where attackers impersonate executives or suppliers to trick employees into transferring funds or sharing sensitive data. BEC attacks increased 33% in 2025. The average loss per BEC incident is $137,000. Even organisations with fewer than 1,000 employees face a 70% weekly probability of a BEC attempt.
The average cost of the most disruptive breach is £3,550 for UK businesses. For businesses that experienced negative outcomes such as data loss or financial theft, the average cost rises to £8,260. Medium and large businesses face average costs of £10,830 per disruptive incident.
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.
UK businesses typically allocate 13.2% of their total IT budget to cybersecurity. More than half of UK small businesses increased their cybersecurity spending in 2024. 85% of UK firms plan to boost their cyber budget for 2026. The cost of prevention is significantly less than the average breach cost of £3,550.