TL;DR:
- The NCSC’s Cyber Action Toolkit is a free, self-guided resource that walks UK small businesses through the basics of protecting themselves online — no technical background required
- The companion Cyber Resilience Pledge lets businesses publicly commit to a set of foundational security practices, with government recognition for those that complete it
- Neither replaces Cyber Essentials certification, but both are a legitimate starting point if you’re doing nothing structured at the moment
If you run a small business in the UK and you’ve ever tried to get serious about cybersecurity, you’ll know the frustrating experience of looking for guidance. Most of what’s out there is either written for large enterprise IT teams or so generic it tells you to “have strong passwords” and nothing else.
The NCSC (National Cyber Security Centre) has been trying to fix this for a few years. Their Small Business Guide has existed since 2018. The Cyber Action Toolkit, launched more recently, is their attempt to make that guidance interactive and actionable rather than a static PDF most people read once and forget.
Here’s what it actually contains, and whether it’s worth engaging with.
What the Cyber Action Toolkit is
The toolkit is a free online resource on the NCSC website, structured as a guided self-assessment. You work through a series of questions about your current setup — email, devices, accounts, backups, and so on — and the toolkit generates a prioritised action list based on your answers.
The categories it covers map to the five areas of the government’s Cyber Essentials scheme: firewalls and boundary controls, secure configuration, access control, malware protection, and patch management. You don’t need to know what any of those mean to use the toolkit — it translates them into plain questions like “Do you use a password manager?” and “Are your devices set to update automatically?”
The output is a checklist of specific things to do, roughly ordered by how much they’d improve your security posture. You can save and return to it, and check items off as you complete them.
What it isn’t: it doesn’t test your actual systems, it doesn’t tell you whether you’re compliant with anything, and completing it doesn’t give you any kind of certification. It’s a self-reported guide, not an audit.
The Cyber Resilience Pledge
Running alongside the toolkit is the Cyber Resilience Pledge — a government initiative that asks businesses to commit to a set of foundational security practices in writing.
The pledge covers five commitments:
- Keeping software and devices updated
- Using strong, unique passwords and a password manager
- Enabling multi-factor authentication (MFA) on key accounts
- Backing up business data regularly
- Knowing how to report a cyber incident
If you sign the pledge and can demonstrate you’re doing these things (via the toolkit or otherwise), your business is listed on a public register of UK businesses that have made the commitment. There’s government backing and some public-facing recognition, though no formal verification process.
Whether the recognition matters to you depends on your customers. If you’re a B2B supplier, being able to say your business has signed the NCSC Cyber Resilience Pledge is a low-effort way to demonstrate you take security seriously. For B2C businesses, it’s less likely to be directly meaningful to customers.
Is this worth your time?
Honestly, yes — if you’re not currently doing anything structured. The Cyber Action Toolkit takes about 30 to 40 minutes to work through properly, and the action list it generates is typically accurate for where most small businesses have gaps.
The five areas it focuses on are the same ones behind most small-business breaches: outdated software, weak or reused passwords, no MFA, no backups, and phishing. If you’re solid on all five, the toolkit won’t tell you much you don’t already know. If you’ve never sat down and properly reviewed any of them, it’s a useful forcing function.
The main limitation is that it’s entirely self-reported. There’s no verification that you’ve actually done what you claim, and nothing stops a business from ticking boxes they haven’t genuinely addressed. Treat it as a guide for your own benefit, not as a compliance exercise.
How it sits alongside Cyber Essentials
The toolkit is not the same as Cyber Essentials certification, and doesn’t replace it.
Cyber Essentials is a formal certification backed by the NCSC that involves an independent assessment of your systems. It’s increasingly required for government contracts and is becoming a standard ask in supplier due diligence questionnaires from larger buyers.
The toolkit is better thought of as preparation for Cyber Essentials, or as a baseline for businesses not ready to pursue formal certification yet. If your business handles government contracts, stores significant customer data, or operates in a sector with high cyber risk (healthcare, legal, financial services), Cyber Essentials certification is worth pursuing directly. The toolkit won’t substitute for it in those contexts.
For businesses that are genuinely starting from scratch, working through the toolkit first is a reasonable step before deciding whether to pursue certification.
Practical steps
This week: Go to ncsc.gov.uk and find the Cyber Action Toolkit. Work through it properly — be honest in your answers rather than optimistic. Note which action items are flagged as high priority.
This month: Work through the high-priority items on your action list. Most of them (enabling MFA, setting up automatic updates, checking your backup process) take less than an hour. The password manager setup takes slightly longer if you’re rolling it out to a small team, but it’s a one-time investment.
Consider: Signing the Cyber Resilience Pledge once you’ve genuinely addressed the five commitments. The register isn’t a major marketing tool, but it costs nothing and is a useful reference point to show customers or suppliers.
If you’re growing: Look at Cyber Essentials certification once you’ve completed the toolkit actions. The basic Cyber Essentials assessment costs around £300 and is the most credible single thing a small UK business can do to demonstrate it takes cybersecurity seriously.
The NCSC toolkit won’t make your business invulnerable. Nothing will. What it does is move you from unstructured and reactive to having at least covered the basics — and that’s where most breaches are stopped.