Britain is telling businesses to "lock the door" on cybercrims as new government data suggests most still haven't even found the latch.

Officials today kicked off a public push urging companies to tighten their digital defenses, complete with familiar advice about basic controls and adopting the long-running Cyber Essentials scheme, after new data showed incidents remain routine and baseline protections are still patchy.

According to the government's latest Cyber Security Longitudinal Survey, a multi-year study tracking policies, behaviors, and incident impacts, 82 percent of businesses and 77 percent of charities in the UK reported experiencing some form of incident over the past year, reinforcing the idea that when it comes to getting poked, prodded, or outright compromised, this is now less a question of if and more a question of how often.

The data also shows that risk profiles tend to stick, with 54 percent of organizations reporting the same experience of incidents, or similar impacts, across multiple surveys – suggesting the gap between the security haves and have-nots isn't closing quickly.

At the same time, adoption of the government's flagship baseline standard remains stubbornly low. While adherence to Cyber Essentials ticked up, it's still only at 30 percent among businesses, up from 23 percent in the previous study, and 28 percent among charities, up from 19 percent. This means roughly seven in ten larger organizations still aren't following what ministers routinely describe as the digital equivalent of locking the front door.

That disconnect is exactly what the new campaign aims to address, with officials once again warning that attackers aren't just targeting household names.

Cybersecurity minister Baroness Lloyd said in a statement:

"No business is out of reach from cybercriminals. SMEs play a vital role in our economy, and business owners work incredibly hard to build something valuable, but too many still assume cybercriminals only go after big brands. The reality is that criminals look for easy opportunities, and without basic protections in place, any business of any size can become a target.

"I know smaller firms don't have large IT teams, and that is exactly why Cyber Essentials matters," she added.

• Legacy systems blamed as ministers promise no repeat of Afghan breach
• London boroughs limping back online months after cyberattack
• Ministry of Justice splurged £50M on security – still missed Legal Aid Agency cyberattack
• UK injects just £210M into cyber plan to stop Whitehall getting pwnd
• Ministers confirm breach at UK Foreign Office but details remain murky

The campaign will run across social media, podcasts, radio, and business networks to reach busy SMEs where they are, with the usual pitch to get on board with Cyber Essentials and sort out the basics. Officials say the scheme focuses on practical steps such as patching software and tightening access controls — the kind of housekeeping that many attacks still rely on. 

To nudge firms along, the government is also pointing to a handful of freebies, including an online readiness check, free 30-minute chats with NCSC-assured advisors, and a preview of the certification question set so companies can see what's involved before signing up.

The accompanying survey paints a picture of gradual improvement but persistent unevenness, with governance, planning, and insurance coverage varying widely depending on the organization. Cost pressures and competing priorities continue to show up as barriers to doing more, even as threats keep piling up.

Ultimately, the government is once again telling businesses to check the locks, while its own data suggests plenty still haven't found the keys. ®