ISO 27001 vs Cyber Essentials: Which Standard Is Right for Your Business?
Cyber Essentials covers five technical controls. ISO 27001 covers your entire information security management system. For most UK SMEs, start with Cyber Essentials and pursue ISO 27001 when clients or regulators require it.
Key Facts
ISO 27001 vs Cyber Essentials: Comparison
How these two standards compare across scope, cost, and requirements.
| Feature | Cyber Essentials | ISO 27001 |
|---|---|---|
| Typical cost | £300–£5,000 | £10,000–£50,000+ |
| Scope | 5 technical controls | Entire ISMS |
| Assessment method | Self-assessment / external test | Multi-day external audit |
| Time to certify | 1–4 weeks | 6–12 months |
| Ongoing requirement | Annual renewal | Annual surveillance audits + re-certification every 3 years |
| Internationally recognised | UK only | Global |
| Covers policies and processes | No | Yes |
| Covers risk assessment | No | Yes |
| UK government requirement | Yes (many contracts) | Some contracts |
Costs vary significantly by business size and complexity.
When to Choose Each Standard
Choose Cyber Essentials if...
You need a quick, affordable baseline. You want to meet government contract requirements. You want a structured starting point for cybersecurity improvement.
Choose ISO 27001 if...
Your clients or regulators require it. You operate in a regulated sector. You need a comprehensive security management framework that covers people, processes, and technology.
Cost-Benefit Analysis
Cyber Essentials delivers immediate value at minimal cost — certification in weeks for under £5,000. ISO 27001 requires significant investment (£10,000–£50,000+ for initial certification) but opens doors to enterprise clients and regulated markets. The two standards complement each other — many businesses hold both.
The AMVIA Recommendation
Start with Cyber Essentials — it is achievable in four to eight weeks and satisfies most UK government and insurance requirements. Pursue ISO 27001 only when contracts or clients explicitly require it, as the implementation and maintenance cost is significant. AMVIA manages Cyber Essentials on a fixed-price basis and can advise on the ISO 27001 pathway when you are ready.
Frequently Asked Questions
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, according to the DSIT Cyber Security Breaches Survey 2025. For medium-sized businesses, this figure rises to 67%. Phishing remains the most common attack type, affecting 85% of businesses that reported a breach.
Ransomware is malicious software that encrypts your data and demands payment for its return. Approximately 19,000 UK businesses were hit by ransomware in 2025. The median UK ransom demand has doubled to $5.37 million, and average recovery costs reach $2.58 million excluding the ransom itself.
The top threats are phishing (85% of breaches), ransomware (doubled year-on-year), business email compromise (increased 33% in 2025), and supply chain attacks (35.5% of all breaches now originate from third parties). AI-powered attacks are accelerating all of these threat categories.
The first hour after detection is considered the golden hour that determines outcome severity. Organisations that detect breaches internally save an average of $900,000 in costs. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.