Locking the Door: Why Basic Cyber Hygiene Still Matters in 2026
If you walked out of your office at the end of the day and left the front door unlocked, you’d probably expect someone to point it out.
That same principle applies to cyber security.
Yet despite years of warnings, guidance and real-world incidents, many businesses are still leaving the digital equivalent of that door wide open. That’s why the UK government has recently launched a campaign urging organisations to “lock the door” on cyber criminals and take basic steps to improve their cyber resilience.
It’s a simple message, but the numbers behind it show why it matters.
The Scale of the Problem
Although major corporations are the ones more likely to make headlines, cyber threats aren’t a niche issue affecting only them. They’re now a routine part of the business risk landscape.
Recent figures show that cyber crime costs UK businesses around £14.7 billion each year, while half of small firms report experiencing a cyber breach or attack within the past 12 months.
When those incidents escalate into significant attacks, the financial consequences can be substantial. The government estimates that serious cyber incidents cost organisations an average of £195,000 per event.
Those numbers explain why policymakers are now treating cyber risk in the same way as more traditional threats such as fire, theft or physical security.
The uncomfortable reality is that cyber criminals are not just targeting household names. In many cases, smaller organisations are actually the preferred target.
Why Smaller Businesses Are Often the Target
There is still a lingering assumption that cyber criminals are only interested in large companies with deep pockets.
In practice, attackers tend to look for volume of opportunity rather than prestige or big names - although you only have to look at the JLR, M&S and Co-op breaches in 2025 to see that’s not always the case.
The reason smaller businesses find themselves in the crosshairs is simply that they often have fewer resources dedicated to cyber security, fewer formal processes, and less visibility over what is happening across their systems. That combination can make them easier targets.
Automated attack tools reinforce this trend. Phishing campaigns, password-guessing bots and ransomware kits can be deployed at scale, scanning thousands of organisations for weaknesses and exploiting whichever ones respond.
In other words, attackers don’t need to choose you personally. They simply need to find that unlocked door.
The Surprising Role of Basic Security Controls
What makes the government’s campaign particularly interesting is that it does not focus on advanced cyber defence.
Instead, it emphasises the basics.
The initiative encourages organisations to adopt the Cyber Essentials framework, a government-backed scheme developed with the National Cyber Security Centre that outlines five key protections against common cyber attacks.
These include:
Firewalls
Secure configuration of devices and systems
Regular software updates
Controlled user access to accounts and data
Malware protection
None of these controls is particularly exotic, or even groundbreaking. They’re quite literally the digital equivalent of locking the doors, closing the windows and installing an alarm system. They’re routine, mundane and simple security measures that anyone can put in place.
Yet many breaches still occur because one or more of these fundamentals is missing.
Why the Basics Still Get Overlooked
For many organisations, cyber security can feel overwhelming.
The news is full of ransomware attacks, data breaches and sophisticated hacking techniques. It is easy to assume that protecting against those threats requires equally complex solutions.
But a large proportion of attacks succeed because of simple gaps:
Unpatched software.
Shared or weak passwords.
Excessive user access rights.
Outdated systems that have not been reviewed in years.
In those situations, attackers do not need advanced techniques. They simply walk through the open door.
This is why frameworks like Cyber Essentials exist. They focus on the controls that prevent the majority of common attacks before they ever become serious incidents.
Cyber Security as a Business Responsibility
One of the more important points raised by the campaign is that cyber risk should be treated like any other operational risk.
In other words, it is not purely an IT problem.
It affects financial stability, customer trust, regulatory compliance and operational continuity. When a cyber incident occurs, the consequences often extend well beyond the technology department.
That is particularly true for smaller organisations, where a single serious breach can disrupt operations or damage relationships with customers and partners.
Treating cyber security as a business responsibility rather than a purely technical issue is an important shift.
Security as Part of Everyday Operations
The government’s campaign is ultimately about normalising cyber hygiene.
Just as organisations routinely check fire alarms, review insurance policies and maintain physical premises, digital environments need the same level of attention.
That means:
Keeping systems updated.
Controlling who has access to sensitive information.
Reviewing security settings periodically.
Ensuring staff understand common risks, such as phishing.
These practices are not glamorous, but they are effective.
In many cases, strong fundamentals make organisations significantly less attractive targets.
A Simple Message with Real Consequences
The phrase “lock the door” might sound simplistic, but it captures an important truth.
Most cyber criminals are opportunistic. They look for weaknesses and exploit them quickly. When basic protections are in place, attackers often move on to easier targets.
The challenge for many organisations is not awareness, but action.
Cyber security rarely feels urgent until something goes wrong. By then, the cost of fixing the problem is far greater than the cost of preventing it.
Final Thought
The government’s new campaign is not introducing a revolutionary approach to cyber security. It is reminding businesses of something that has always been true.
Security starts with the basics, and we’re launching our ‘Lock the Door’ series over the coming weeks to offer further real-world, practical insight into how you can play your part.
It’s 2026 - organisations don’t need to become cyber security experts overnight. But they do need to ensure the digital equivalent of their front door is properly closed.
Because when it comes to cyber crime, the easiest targets are often the ones that simply forgot to lock it.