The Benefit of Cyber Essentials for Small Organisations

Small organisations often assume cyber risk is a problem for larger enterprises. Over the past 12 months, our work with organisations with fewer than 50 users across the UK and New Zealand suggests something very different.

As you would expect, most organisations are focused on staying operational, supporting customers, and keeping the business moving. Cyber security often sits in the background until a tender, supplier requirement, or insurance conversation forces it to the front.

This article looks at what we are seeing in practice, how the Cyber Essentials framework acts as a useful baseline, and why mindset is becoming the biggest gap in cyber risk management.

Why Cyber Essentials Remains A Strong Baseline

For smaller UK organisations, Cyber Essentials continues to provide one of the clearest minimum security baselines available. It focuses on the controls that prevent the majority of opportunistic attacks.

The framework centres on:

  • Secure configuration
  • Boundary firewalls and internet gateways
  • Access control and least privilege
  • Patch and vulnerability management
  • Malware protection

These are not advanced controls. They are the minimum needed to reduce exposure to phishing, ransomware, and credential compromise.

What is interesting is how closely this baseline aligns with what we see in New Zealand, even though the framework itself is UK-based.

What We Have Seen In The Last 12 Months

Working with smaller organisations, several consistent themes appear across both regions.

Operational pressure outweighs cyber focus

Most teams are stretched. Keeping systems running and customers supported comes first. Security becomes reactive rather than planned.

Cyber investment is delayed

Security improvements are often postponed until:

  • A tender requires certification
  • A customer requests assurance
  • Insurance renewal raises questions
  • A near-miss incident happens

Cyber Essentials becomes a checkbox

Some organisations pursue certification purely to win work, rather than to improve security in practice.

This creates a growing gap between certification and real-world protection.

The New Zealand Perspective

Although New Zealand does not have a direct equivalent to Cyber Essentials, the same drivers exist.

Across NZ organisations we often see:

  • Cloud-first environments adopted quickly
  • Smaller IT teams managing broad responsibilities
  • Increasing reliance on supplier and partner trust

Because of this, many NZ organisations are now looking to Cyber Essentials as a useful benchmark, even without a formal requirement.

The motivation is often:

  • Meeting international customer expectations
  • Supporting cyber insurance conversations
  • Demonstrating baseline security maturity

In practice, the challenges mirror the UK:

  • Cyber security competes with operational priorities
  • Controls exist but are not consistently maintained
  • Certification or frameworks are seen as milestones, not ongoing commitments

The Risk Of Treating Cyber Essentials As A Tick Box

Cyber Essentials was never designed to be the finish line. It is the starting line.

A growing concern is organisations achieving certification and assuming the job is done. In reality, the controls require continuous attention and ownership.

Common gaps include:

  • Patch processes drifting over time
  • Admin privileges expanding quietly
  • Endpoint protection not actively monitored
  • Security awareness fading after initial training

Certification reflects a point in time. Threats evolve continuously.

Why Mindset Is Becoming The Real Challenge

The biggest issue we see is not technology. It is perception.

Many smaller organisations still view cyber security as:

  • A technical task rather than a business risk
  • A compliance exercise rather than operational resilience
  • A cost rather than protection of revenue and reputation

This mindset is increasingly risky as attackers scale their activity using AI, automated phishing, and credential harvesting.

Small organisations are attractive targets because attackers expect weaker controls and faster compromise.

What Is Motivating Change

Encouragingly, awareness is improving across both the UK and New Zealand.

Common triggers include:

  • Supply chain requirements from larger customers
  • More demanding cyber insurance questionnaires
  • Greater media coverage of ransomware incidents
  • Boards asking more informed questions

These pressures are beginning to shift the conversation from compliance to resilience.

Why Cyber Essentials Should Be The Beginning

Using Cyber Essentials as a baseline provides:

  • A clear minimum benchmark
  • A shared language for leadership discussions
  • A practical starting point for small-business cyber security

But stopping at the baseline leaves organisations exposed as threats continue to evolve.

The real value comes from asking a simple question:
Are these controls embedded in daily operations?

Turning Minimum Controls Into Operational Reality

Moving beyond a checkbox approach means:

  • Reviewing controls regularly, not annually
  • Treating cyber risk as business risk
  • Ensuring leadership understands operational impact
  • Embedding security into everyday processes

This does not require enterprise budgets. It requires consistent ownership and prioritisation.

The Bigger Picture

Cyber Essentials remains a powerful starting point for smaller organisations in the UK and an increasingly useful benchmark for those in New Zealand. The challenge is maintaining momentum after certification or initial alignment.

The organisations that succeed treat cyber security as part of running the business, not an additional task, and the shift begins with mindset.

👉 ITogether offers Cyber Health Checks to help measure your organisation’s cyber readiness, which we can align to national or global cybersecurity accreditations. To find out more about how we can help, contact us below.

📞 UK +44 (0) 113 341 0123

📞 NZ +64 (0)9 802 2444

📧 hello@itogether.com
