Cyber essentials – preventing over 80% of common cyber-attacks on UK businesses


Cyber security threats are rising at an unprecedented pace in both frequency and sophistication. From phishing emails and ransomware to AI-powered attacks, businesses of all sizes are now at risk. Yet the reality is more reassuring than it might seem. According to the National Cyber Security Centre (NCSC), more than 80% of common cyber-attacks on UK organisations could be prevented with basic security measures.

This means that the majority of breaches are not caused by advanced hackers exploiting obscure flaws, but by weaknesses such as poor password practices, unpatched software, or misconfigured systems. The encouraging part is that with the right controls in place, most cyber threats can be stopped before they cause disruption, financial loss, or reputational damage.

Why 80% of cyber-attacks are preventable

Cyber-attacks are no longer rare. Recent data shows:

The consequences are significant, from downtime and financial losses to regulatory issues and reputational harm. With criminals increasingly using automation and artificial intelligence to find vulnerabilities and launch targeted phishing scams, the risks are only increasing.

Why most attacks are preventable

The majority of cyber incidents exploit basic gaps that can be fixed. Cyber Essentials addresses these weaknesses through five core controls:

  • Firewalls – Securing your internet connection with firewalls to control access.
  • Secure Configurations – Using secure default settings and Multi-Factor Authentication (MFA).
  • User Access Control – Granting staff only the access needed to perform their jobs to minimise damage from compromised accounts.
  • Malware Protection – Employing anti-malware software and whitelisting to defend against malicious software.
  • Patch Management – Keeping all software, operating systems, and applications updated to close known vulnerabilities.

Implementing these measures protects your organisation against the low-complexity, high-likelihood attacks that make up the bulk of cyber breaches.

Cyber essentials vs. cyber essentials plus

There are two levels of certification:

  • Cyber Essentials (CE) – A self-assessment showing that your business has implemented the required controls
  • Cyber Essentials Plus (CE+) – Includes independent testing and audits of your systems, providing stronger assurance for clients and stakeholders

For most businesses, Cyber Essentials provides a valuable baseline. Cyber Essentials Plus is recommended for organisations handling sensitive information, working with government contracts, or wanting the added credibility of independent verification.

Costs and support

Cyber Essentials certification is designed to be affordable for businesses of all sizes. Costs vary depending on company size and whether you do a self-assessment or get a consultancy to support you through the process.

Practical steps for businesses

Achieving Cyber Essentials is not just about certification; it is about creating a culture of cyber security. Organisations should ensure that employees understand basic security best practices, including:

  • Using strong, unique passwords for all accounts
  • Recognising phishing emails and suspicious links
  • Updating devices and software promptly
  • Securing remote working devices, especially laptops and mobile phones

Employee awareness combined with technical controls significantly reduces the likelihood of a successful attack and supports the 80% prevention rate highlighted by the NCSC.

Building long-term resilience

Implementing Cyber Essentials also helps organisations adopt a proactive approach to cyber risk management. Beyond immediate protection, it encourages regular review of IT systems, staff training, and incident response planning, creating a culture of continuous improvement in cyber security. This not only reduces the likelihood of breaches but also minimises downtime, protects company reputation, and can lower insurance premiums. By embedding these practices, businesses are better equipped to respond quickly to new threats and maintain resilience in an ever-changing digital landscape.

Maintaining cyber essentials certification

Certification is valid for one year, after which re-certification is required. Keeping systems up to date and maintaining security controls simplifies future assessments and ensures ongoing protection. Organisations that follow Cyber Essentials best practices will find re-certification quicker and easier.

Final thoughts

The fact that over 80% of cyber-attacks on UK businesses could be prevented shows that the majority of breaches are not inevitable; they are avoidable. Cyber Essentials provides a clear, cost-effective, and government-backed path to implementing the fundamental controls that block most attacks.

By achieving Cyber Essentials or Cyber Essentials Plus certification, organisations can reduce risk, protect their data and build stakeholder trust.

Cyber-attacks are real, but Cyber Essentials ensures your organisation is ready.