
Why ISO 42001 has now become a priority
February 20, 2026

The scale of cyber attacks on UK businesses
Every day in the UK, thousands of businesses are successfully hit by cyber attacks, and most of those attacks are preventable.
According to the UK government's Cyber Security Breaches Survey 2025, UK businesses experienced around 8.58 million cyber crimes in a single year. Spread across the calendar, that works out to roughly 23,500 cyber crimes against UK businesses every day. The reality behind those numbers is starker still: 43% of UK businesses reported experiencing at least one breach or attack in the past 12 months. And those are only the incidents we know about; plenty more go undetected or unreported.
Constant cyber threats: Why businesses are always a target
Telemetry from internet service providers suggests the average UK company now faces an automated attack attempt roughly every 40 seconds. Firewalls block most of them, but the message is clear: businesses are under constant, industrial-scale probing by cybercriminals looking for the easiest way in.
In plain terms, almost every UK organisation is tested for weaknesses all the time, and thousands of them fail that test every day.
Why Cyber Essentials should be the minimum standard
This is exactly why Cyber Essentials should be the minimum standard for UK business above a certain size.
For those unfamiliar, Cyber Essentials is a UK government-backed cyber security certification scheme designed to protect organisations against the most common internet-based threats. It is built around five technical controls: firewalls, secure configuration, security update management (patching), user access control, and malware protection.
The real reason cyber attacks succeed
It raises an uncomfortable question: if cyber attacks are this common, why aren’t we mandating even the most basic levels of cybersecurity?
For all the discussion about nation-state threats, ransomware gangs and sophisticated cybercrime, the uncomfortable truth is that many successful attacks still rely on simple weaknesses, most commonly the absence of basic security processes: software left unpatched, default or weak passwords, accounts with more privilege than they need, and endpoints with no malware protection. In other words, exactly the kinds of issues that Cyber Essentials is designed to address.
Should Cyber Essentials be mandatory in the UK?
That’s why I believe Cyber Essentials should be mandatory for UK businesses, or at the very least the default baseline expected of any organisation handling data, systems, or customers online.
My view is simple: if you are operating digitally, you should meet a minimum cyber security standard. A practical starting point would be to tie that baseline to company size. Organisations with a turnover above £250,000 should be required to achieve Cyber Essentials, while those with a turnover above £1 million should meet the higher Cyber Essentials Plus standard, which covers the same controls but adds hands-on technical verification by an independent assessor rather than relying on self-assessment alone. Granted, there are still plenty of legacy applications in operation that would prevent a company from passing Cyber Essentials today, but a five-year ramp-up period would give organisations enough time to get ready.
Making cybersecurity a standard cost of doing business
If you run a business, you should secure it, and it shouldn’t be an unreasonable burden. It would simply make cybersecurity a routine cost of doing business, much like registering with the ICO, paying taxes, or meeting health and safety requirements. Over time, the expectation would become normalised.
What would a more secure UK look like?
Ask yourself what the UK's cyber posture would look like if those thresholds were actually introduced. The answer, of course, is: considerably better.
How Economit can help with Cyber Essentials certification
Economit can help your business implement Cyber Essentials, providing the guidance and support to achieve certification, reduce cyber risk, and demonstrate your commitment to cybersecurity. To discuss Cyber Essentials or any of Economit's services, call us on 01332 447447 or email hello@economit.co.uk.