Cybersecurity: The basics businesses still cannot afford to ignore
Written by Naeem Arif, CEO of NA Consulting
The UK faces a high and persistent cyber threat. The National Cyber Security Centre (NCSC) says the threat to the UK remains high, and the government’s 2025 Cyber Security Breaches Survey found that 43 per cent of UK businesses and 30 per cent of charities identified at least one cyber security breach or attack in the previous 12 months.
A lot of discussion around cyber risk now points to geopolitics, hostile states, organised crime, and global instability. Those things absolutely matter. But on the ground, many businesses are not being compromised because attackers are unbelievably sophisticated. They are being compromised because the basics are still not being done well enough.
Weak controls, poor awareness, patchy backups, loose access, and inconsistent governance continue to leave organisations exposed. The UK government’s own survey shows that cyber risk management is still uneven across the market, especially among smaller firms.
What does all this actually mean?
Let’s start with the basics.
What is cyber security, and how is it different from digital security?
For many businesses, protecting passwords and websites is all part of their digital security plan. Cybersecurity is the protection of systems, devices, networks, applications, and data from unauthorised access, disruption, theft, or damage.
The NCSC describes it as reducing the risk of cyber attack and protecting the digital services and systems we all rely on.
Digital is broader. Digital is about using technology to transform how an organisation operates, serves customers, improves efficiency, and grows. It includes cloud platforms, websites, apps, automation, analytics, and AI.
Put simply: digital helps you move faster; cybersecurity helps you move safely.
Too many organisations still treat cyber as a side topic, separate from digital change. That is a mistake. If your business is becoming more digital, it is also becoming more exposed. Cybersecurity is not the enemy of innovation; it is what makes innovation sustainable.
What is cyber resilience?
Cyber resilience is bigger than prevention. NIST defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, attacks, or compromises involving cyber resources.
That matters because no business can assume it will prevent every incident.
A resilient business asks tougher questions:
- Can we keep operating if something goes wrong?
- Can we recover quickly?
- Can we protect critical services?
- Can we restore data and continue serving customers?
Cybersecurity is about reducing the chance of attack. Cyber resilience is about making sure the business survives and recovers when an attack succeeds.
What types of cyber attacks may happen to large organisations or government institutions?
Large organisations and public institutions face broad and increasingly serious threats.
These include phishing and spear phishing, where highly convincing emails target staff in order to steal credentials or gain access to systems. They include ransomware, which remains one of the most immediate and disruptive cyber threats.
They include supply chain attacks, where attackers compromise a trusted supplier or software provider to reach the real target. They also include denial-of-service attacks, exploitation of vulnerabilities, insider threats, credential theft, and data exfiltration.
For government institutions and major enterprises, the consequences can be severe: service outages, data loss, public disruption, reputational damage, regulatory consequences, and national security concerns.
What types of cyber attacks may happen to small businesses or individuals?
Small businesses and individuals often think they are too small to be targeted. In reality, they are frequently targeted because they are easier to compromise.
Common attacks include phishing emails, fake invoices, malicious links, account compromise, password attacks, malware, ransomware, and business email compromise.
For individuals, identity theft, banking fraud, social engineering, and account takeover are especially common. For small businesses, a single compromised email account or successful payment scam can cause serious financial and operational damage.
The UK government’s 2025 survey shows that phishing remains by far the most common type of breach or attack.
In other words, you do not need to be a global bank or a government department to be at risk. You just need to be exposed, underprepared, or trusted by customers.
What is cyberterrorism?
Cyberterrorism is generally understood as the use of cyber means to support terrorist objectives, often with the aim of causing fear, disruption, coercion, or damage for political, religious, or ideological reasons. It is different from ordinary cybercrime, which is more commonly driven by money, fraud, or extortion.
That distinction matters. A ransomware gang may want payment. A cyberterrorist or state-aligned actor may want disruption, fear, instability, or strategic harm.
For business leaders, the takeaway is simple: not every cyber threat is just about stolen money or a hacked inbox. Some threats are aimed at disruption, public confidence, and critical services at a much larger scale. The UK government’s cyber strategy reflects this by focusing heavily on resilience across government and critical services.
The UK response: Cyber Essentials
The UK is trying to raise the baseline through Cyber Essentials, which the NCSC describes as the minimum standard of cyber security recommended by the government for organisations of all sizes. It is built around five control areas: firewalls, secure configuration, security update management, user access control, and malware protection.
This is important because many attacks do not succeed through exotic methods. They succeed because basic controls are missing or weak.
Cyber Essentials is useful not because it solves everything, but because it forces businesses to get the fundamentals right. Going forward, more and more businesses will want to know whether the businesses they deal with have Cyber Essentials certification in place. Importantly, I believe that every company should look into this, because we are all working within the cyber realm.
What companies should have in place
Every company should have a cyber security strategy that includes practical foundations such as risk assessment, incident response planning, disaster recovery, emergency contacts, regular patching, access control, staff awareness, and secure backups stored separately from live production environments.
Those principles align closely with the government-backed Cyber Essentials approach and broader resilience guidance.
And this is where many businesses still fall short.
My own experience is that businesses are often comfortable talking about cyber strategy. They will discuss annual self-assessments, policies, frameworks, and intentions. But they do not always put firm operational boundaries in place. They do not always enforce stronger controls. They do not always challenge poor habits. They do not always do the basics consistently.
That is the real issue.
Because in cyber, the basics are not glamorous. But they are decisive.
A business does not become secure because it says the right things. It becomes more secure because it puts controls in place, tests them, enforces them, and keeps improving them. It's important that we do the right things, even when people are not watching.
Cybersecurity is no longer optional. It is part of modern leadership, modern operations, and modern trust.
Naeem Arif is an entrepreneur, management consultant and best-selling author, who has delivered over £2bn in business transformation projects for a multitude of global corporations and SMEs. A former Forbes Business Council member, Ambassador of Women in Tech and Honorary Chairman of his local Chamber of Commerce, Naeem has a passion for giving back to the business community alongside running his own successful company.
References
National Cyber Security Centre (NCSC), What is cyber security?
https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security
National Cyber Security Centre (NCSC), Cyber Essentials Overview
https://www.ncsc.gov.uk/cyberessentials/overview
UK Government, Cyber Security Breaches Survey 2025
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025
National Cyber Security Centre (NCSC), NCSC Annual Review 2025
https://www.ncsc.gov.uk/files/ncsc-annual-review-2025.pdf
NIST, Cyber Resiliency Glossary Definition
https://csrc.nist.gov/glossary/term/cyber_resiliency
NIST, SP 800-160 Vol. 2 Rev. 1: Developing Cyber-Resilient Systems
https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final
NIST, About NIST
https://www.nist.gov/about-nist
UK Government, Government Cyber Security Strategy 2022 to 2030
https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030/government-cyber-security-strategy-2022-to-2030-html
UN Office on Drugs and Crime (UNODC), Cyberterrorism
https://www.unodc.org/e4j/en/cybercrime/module-14/key-issues/cyberterrorism.html
ENISA, Cyber Threats and Trends
https://www.enisa.europa.eu/topics/cyber-threats