Cybercrime isn’t just a big business problem. From email scams to ransomware, SMEs are now prime targets – often without the time, tools or budget to fight back.
But this summer, the UK government is stepping in with £1.3 million in funding. Eligible SMEs can now get expert cybersecurity reviews worth £2,500 to help protect their systems, data, and customers – for just a £500 contribution.
Here’s everything you need to know about the scheme, why it matters, and how to apply.
Cybercrime is no longer just a “big business problem”
It’s easy to assume cyberattacks only happen to banks, tech giants, or large retailers. But the reality is that SMEs are now prime targets.
According to the UK government’s latest Cyber Security Breaches Survey, 43% of UK businesses reported a cyber breach or attack in the last 12 months. Among medium-sized firms, that figure jumps to 67%. And most worryingly, SMEs often lack the resources to recover.
A single breach can lead to:
- Costly downtime
- Lost customer trust
- Legal and regulatory consequences
- Damage to your brand reputation
The average cost of the most disruptive breach for a UK business is now £7,960 and can take months to recover from. That’s a big hit – especially for small businesses already juggling rising costs, inflation, and tight margins.
What is the security review scheme?
The programme, announced in July 2025, is part of a wider government initiative to help UK businesses build digital resilience across critical sectors.
The scheme sets aside £1.3 million to fund new “Secure Innovation Security Reviews” for 500 SMEs. For each review, £2,500 is covered by the government, while participating SMEs contribute £500 toward the cost. Security Minister Dan Jarvis said:
“Small businesses are the lifeblood of our economy and they need security to thrive.
With 98% of businesses reporting a lack of knowledge to identify security threats, it is crucial they are equipped with the tools necessary to protect themselves against increasingly volatile threats.
This initiative, spearheaded by the National Protective Security Authority and the National Cyber Security Centre, supports businesses to build the skills and the confidence they need to grow.”
These reviews involve accredited cybersecurity experts helping SMEs assess vulnerabilities and strengthen defences to build thriving businesses which create jobs and support the economy.
The support includes:
- Expert-led site visits and system audits
- Staff training on phishing and scam awareness
- Risk assessments and vulnerability scans
- Practical advice to improve IT security
- Follow-up recommendations tailored to your setup
- A £300 voucher towards Cyber Essentials certification
While the audit itself is fully funded, businesses may need to invest separately to implement the recommended changes.
With 98% of businesses reporting a lack of knowledge to identify security threats, it is crucial they are equipped with the tools necessary to protect themselves against increasingly volatile threats.Dan Jarvis, Security Minister
Who can access the scheme?
The programme targets UK SMEs operating in one of the following high-risk and innovation-led sectors:
- Advanced Manufacturing
- Advanced materials (including semiconductors)
- Advanced robotics
- Artificial intelligence
- Civil nuclear
- Clean Energy Industries
- Communications
- Computing hardware
- Critical suppliers to government
- Cryptographic authentication
- Data Infrastructure
- Defence
- Energy
- Life Sciences
- Military and dual-use
- Quantum Technologies
- Satellite and space technologies
- Suppliers to the emergency services
- Synthetic biology
- Transport
To qualify, you’ll need to:
- Be a UK-based small or medium business (under 250 employees)
- Be trading for at least 12 months
- Demonstrate a need for cybersecurity improvements
- Not have received similar support previously
- Belong to the 500 firms selected across critical sectors
- Contribute £500 towards the cost of the review
Applications are being managed by partners of the Cyber Essentials programme, with oversight from Innovate UK, NCSC, MI5, and GCHQ to ensure the chosen 500 applicants meet national security criteria.
Why this support matters more than ever
Digital transformation is no longer optional. Whether you're running an e-commerce site, taking card payments, or managing customer data in the cloud, you’re exposed to risk – even if you’re not in a “techy” industry.
And those risks are growing.
In 2025, there has been a spike in ransomware attacks against small firms, especially those in supply chain and retail sectors. Phishing emails are becoming more convincing. Criminals are using AI to write scam messages that look legitimate and are harder to spot.
Here’s what that means for SMEs:
- More attack attempts
- Less time to respond
- Bigger financial fallout
And if that wasn’t enough, customer expectations are changing too. People want to know their data is safe. So investing in cybersecurity is more than simply preventing disaster it’s also about building trust and credibility.
As Richard Horne, CEO of the National Cyber Security Centre, puts it: improving security across the business community is “no longer optional”. “It’s essential for business growth and survival.”
How to apply
Start by visiting the Innovate UK website. You’ll need to:
- Check your eligibility
- Choose a certified provider to work with
- Submit an application form (this may vary slightly by provider)
- Provide basic company details and your goals for the funding
Once approved, you’ll be contacted to schedule your audit. Some providers may request documentation or pre-assessment info.
How to use the support effectively
Even a small investment can go a long way when it comes to digital security. Here are a few ways you can get the most value from it:
Prep before the experts arrive
- Review existing systems, processes, and pain points
- Highlight past incidents (even minor ones) to inform the review
- Set clear goals: e.g., protecting customer data, improving remote access security
Ask for actionable priorities
- Ask for a breakdown of urgent vs long-term improvements
- Focus on fixes that are cost-effective but high-impact (e.g., patching outdated software, enabling MFA)
Involve your team
- Invite relevant staff to join the audit session or debrief
- Ensure findings get translated into updated internal policies or training
- Use the audit as a launchpad for ongoing cyber hygiene awareness
Implement and document changes
- Keep clear records of any changes made post-audit
- Some grant partners may ask for proof of implementation (receipts, logs, etc.)
- Documenting fixes also helps with future funding and certifications
Use it to plan next steps
- Treat the audit as a cybersecurity roadmap, not a one-off fix
- Identify areas where further investment (e.g., Cyber Essentials Plus certification) may be beneficial
- Use findings to build a case for budget or stakeholder buy-in
Final thoughts
Security might not be the most exciting item on your to-do list. But it’s one of the most important. And with support now available, there’s no reason to put it off.
If you’re planning to grow your business this year – whether that’s hiring, launching a new product, or expanding online – make sure cybersecurity is part of the plan.
Because growth should feel exciting, not risky.
Want to make sure your systems are ready for scale? We can help with funding for digital upgrades, tools, and team training.
These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit.
If you do not allow these cookies you may not be able to use or see these sharing tools.