Cyber Essentials is once again in focus after the UK’s National Cyber Security Centre (NCSC) issued a direct warning to small and medium-sized enterprises (SMEs) to stop assuming they are too small to be targeted.

Richard Horne, CEO of the NCSC, has made it clear that the belief that cyber criminals only pursue large corporations is not just outdated, it is dangerous. In his view, the biggest cyber risk facing SMEs today is not lack of awareness, but lack of action.

For global readers, this message goes beyond the UK. The pattern Horne describes is universal. Around the world, SMEs form the backbone of national economies. Yet they often operate with limited cyber defences, making them attractive targets for opportunistic attackers.

Cyber Essentials and the Myth of “Too Small to Hack”

The misconception that cyber attackers only chase global brands persists across industries. But attackers rarely target logos — they target weaknesses. Poorly configured systems, unpatched software, weak passwords, and exposed services are what matter.

This is where Cyber Essentials becomes relevant. The UK government-backed certification scheme, developed by the NCSC, sets out five basic technical controls designed to prevent the most common internet-based cyber threats. It is positioned as the minimum standard of cybersecurity for organisations of all sizes.

Horne’s warning is blunt: the gap between knowing cybersecurity is important and actually implementing protective measures is widening. Many SME leaders acknowledge the growing threat landscape. They see ransomware headlines and supply chain breaches. But too many assume their own business won’t be affected.

That assumption, he argues, is wrong.

Cyber Risk Is Business Risk

The argument from the NCSC is straightforward: cyber risk is now business risk. Companies would not leave their physical offices unlocked overnight or operate without insurance. Yet many still leave digital doors wide open.

Most cyberattacks targeting SMEs are not highly sophisticated state-sponsored campaigns. They are basic, automated, and opportunistic. They scan for vulnerabilities and exploit weak configurations. As Horne describes it, they are the digital equivalent of a thief checking whether your front door is unlocked.

Cyber Essentials is designed to “lock that door.” By implementing baseline controls such as secure configuration, access control, malware protection, patch management, and firewalls, businesses significantly reduce their exposure to common threats.

From a global perspective, this approach reflects a broader shift in cyber security thinking. Governments are increasingly pushing minimum security standards rather than relying solely on voluntary best practices. The UK’s Cyber Essentials framework is one example of how public institutions are trying to raise the floor for cyber resilience across the private sector.

Why SMEs Remain Vulnerable

SMEs often lack dedicated security teams or large IT budgets. Cybersecurity can feel complex, technical, and resource-intensive. But Horne stresses that organisations do not need to become cyber experts overnight.

What they need is accountability.

The NCSC supports SMEs not only through Cyber Essentials, but also via a network of independently assessed, NCSC-assured Cyber Advisors who provide hands-on guidance. The goal is to make baseline protection achievable, not intimidating.

There is also a growing commercial incentive. Increasingly, larger organisations require suppliers to hold Cyber Essentials certification as a condition for bidding on contracts. In that sense, basic cyber hygiene is becoming not just a security necessity, but a business requirement.

A Global Wake-Up Call for SMEs

Although this warning comes from the UK, the underlying lesson applies globally. SMEs in Europe, Asia, North America, and beyond face the same structural vulnerabilities. They are embedded in digital supply chains, store valuable customer data, and rely heavily on cloud services and remote connectivity.

Cyber criminals understand this. Automated attack tools make it easy to scan thousands of small businesses simultaneously. Scale works in favour of the attacker.

By contrast, defensive investment among SMEs often lags behind. The perception that “we’re too small to matter” creates a false sense of safety.

Horne’s message is not alarmist — it is practical. No business is out of reach. The sooner SMEs treat cyber security as a core operational priority rather than a technical afterthought, the better positioned they will be to withstand disruption.

Closing the Awareness–Action Gap

The warning from the NCSC ultimately comes down to closing a single gap: awareness versus implementation.

Most SME leaders already know cyber security matters. What they need is structured, achievable guidance. Cyber Essentials provides that baseline.

The broader implication for the global business community is clear. Cyber resilience does not start with complex AI-driven defence platforms. It starts with locking the digital door.

For SMEs everywhere, the time to act is not after a breach — it is before.