Governing question: What is the threat?
Industry forecasts put the UK cybersecurity market at ~£14 billion in 2025 and £17–18 billion by 2026 (Mordor Intelligence, Beagle Security / Micro Pro). Globally the market is accelerating well into the hundreds of billions as AI-driven attacks expand the attack surface.
612,000 UK businesses identified at least one cyber breach or attack in the last 12 months (GOV.UK 2025). Despite this, only 3% hold Cyber Essentials certification and only 1% hold Cyber Essentials Plus. Only 27% of businesses have board-level cyber responsibility.
Small-business cyber-insurance adoption jumped from 49% to 62% year-on-year, and 45% of all businesses now have some form of cyber cover. Insurers are increasingly asking for evidence of controls before quoting.
GOV.UK estimates the mean cost per most-disruptive breach at £1,600 for all businesses and £3,240 for charities. Excluding organisations that reported zero cost, the figure rises to £3,550 for businesses and £8,690 for charities. Mean cost among breaches with a material outcome is £8,260.
Phishing remains the most common breach vector: 35% of micro businesses and 42% of small businesses reported phishing attacks. Overall, 43% of businesses and 30% of charities reported any cyber breach or attack. Ransomware cyber-crime prevalence doubled from under 0.5% to 1% of all businesses (~19,000 businesses) between 2024 and 2025.
Incident response plans are rare in SMBs. 50% of finance/insurance firms have a plan, but only 27% of businesses overall have board-level cyber accountability. Small businesses improved hygiene in 2025, yet formal response procedures lag.
Cyber Essentials is administered by NCSC and delivered through IASME-accredited bodies. Certification starts at £320+VAT for micro-organisations and scales to ~£600+VAT for larger firms. The technical fail rate is only ~1.1%, yet national uptake sits at just 3% (21% among large businesses). 95% of certified organisations say they would recertify.
UK GDPR and the Data Protection Act 2018 require appropriate technical and organisational security measures. URM analysis shows two-thirds of ICO monetary penalties in H1 2025 were for UK GDPR security breaches, reflecting a clear enforcement shift away from marketing-consent fines toward actual security failures.
NIS2 is reshaping EU/UK cyber obligations. UK suppliers to larger regulated customers, and businesses handling personal data, face rising expectations for documented controls, supply-chain risk reviews and 72-hour breach reporting.
CyberSmart positions itself as the leading SME compliance and certification platform, bundling Cyber Essentials tooling, active protection and insurance. Sophos, Microsoft Defender and Kaspersky compete on EDR/XDR and managed detection. Traditional MSPs package M365 security, backups and email filtering into per-user contracts.
Published 2025/26 UK price points: Cyber Essentials certification £320–600+VAT by size; managed cybersecurity £20–120/user/month depending on tier; managed EDR £8–15/endpoint/month; full SOC/MDR for a medium business £4,000–12,000/month; incident response £80–120/hour.
Our published prices (£497 one-off scan, £1,497/month Cyber Essentials tier) sit above commodity EDR but below a full SOC retainer, aligning with trades businesses that need hands-on help, not just software. AI triage and WhatsApp-led reporting differentiate the service from MSP helpdesk models.
Plumbers, electricians, builders and property services typically operate from phones and vans, share passwords informally, and rely on cloud accounting, scheduling and payment apps. These behaviours raise phishing and account-takeover risk, but the sector rarely employs dedicated IT staff.
Insurers are requiring Cyber Essentials or MFA for cyber cover. Larger contractors and housing associations increasingly ask suppliers for security questionnaires. The GOV.UK survey shows cyber-insurance uptake rising fastest among small businesses (49% to 62%).
A £497 external scan lowers the entry barrier, the £1,497/month tier delivers continuous monitoring plus incident response readiness, and custom enterprise retainers serve multi-van firms. The AI operator interface removes the need for clients to interpret alerts.