On Tuesday 22 April 2026, the United Kingdom’s most senior security official issued what is now being described across Westminster and the City as the sharpest public warning of the year: British businesses and critical services must brace for a sustained rise in state-backed cyberattacks. The intervention, reported by Reuters and amplified within hours by the National Cyber Security Centre (NCSC), lands against a backdrop of heightened geopolitical tension, a war in Eastern Europe that refuses to cool, and a growing willingness by hostile states to reach directly into the UK economy to cause disruption, steal intellectual property, and undermine trust.
For UK small and medium businesses, the instinctive reaction to a warning about state-backed attacks is to assume it does not apply — that Russia, China, Iran and North Korea have bigger fish to fry. That instinct is three years out of date. In the 2026 operating environment, the most common entry point for a state-aligned operation is not a named defence contractor or a FTSE 100 bank; it is a 42-seat professional-services firm in Reading, a 120-employee logistics company in Hull, or a clinic group in Birmingham. Supply chains are now the battlefield, and every UK SME is somebody’s supplier.
The UK security chief’s intervention is not hyperbole and it is not reserved for the defence sector. It is a direct instruction to every UK organisation — including SMEs, charities, local authorities and supply-chain providers — to raise baseline cyber-defence posture this quarter. The NCSC has simultaneously published new guidance on preparing for severe cyber threat conditions, and is asking leadership teams across the economy to read it, discuss it at board level, and act on the gaps it exposes. This article translates that guidance into concrete steps for UK SMEs.
What the 22 April warning actually said — and what it did not
The warning was delivered against a compound backdrop: Reuters-reported briefings from the UK’s security community, public remarks from the NCSC leadership, and a Severe Cyber Threat preparedness framework published by NCSC earlier this month. Read together, three threads stand out.
First, attribution is becoming less ambiguous. Over the last eighteen months, UK authorities have been willing to publicly name the states they believe are behind specific campaigns. Russia, China, Iran and North Korea all appear by name in recent NCSC and government communications. This is a material shift from the “sophisticated actor” language of 2020–2023 and it creates political as well as technical space for a stronger national response.
Second, the distinction between espionage and sabotage is blurring. The same access vectors that support intellectual-property theft — stolen VPN credentials, unpatched edge devices, over-privileged cloud identities — also support destructive action when a geopolitical trigger lands. An intrusion that sits quietly collecting information for nine months can, at ninety minutes’ notice, become a wiper that takes a UK business offline.
Third, SMEs are explicitly in scope. NCSC’s 2026 communications are unusually direct about small and medium businesses. The messaging no longer assumes that size insulates a company; it assumes that being connected to a larger customer, supplier, regulator or public-sector body is sufficient to place an SME on a target list.
The 12-month context — how we got here
The 22 April warning does not exist in a vacuum. It is the latest escalation in a trend that has been building visibly since Q2 2025. The headline events of that period, summarised in the timeline accompanying this article, are what UK IT leaders should have on file when they explain the current threat level to their boards.
Why SMEs are now squarely in the target set
Ten years ago, state-aligned cyber operations focused on defence primes, critical national infrastructure operators, and the top layer of the UK financial system. The calculus has shifted dramatically. Three forces have made the modern UK SME a first-class target, not an afterthought.
Supply-chain geometry. A single compromised IT managed service provider (MSP) reaches dozens or hundreds of customer tenants. A single compromised professional-services firm supplies intellectual property to larger buyers. A single compromised logistics SME provides live operational data on strategic commodities. State actors follow the shortest path to the data or disruption they want, and the shortest path increasingly runs through suppliers two, three or four hops removed from the named target.
AI economics of scale. Generative AI has collapsed the marginal cost of a credible phishing campaign, a convincing deepfaked voice note from a CFO, or a perfectly-worded CV that delivers malware to a hiring manager. Where once the economics of a state operation demanded a high-value target, in 2026 the same operational template can be run against a thousand UK SMEs in parallel at almost no additional cost. That industrialisation has taken SMEs from “uninteresting” to “comfortably in scope”.
Access brokers and criminal-state convergence. The lines between criminal ransomware affiliates and state-aligned operations have blurred, particularly where the host state tolerates or tacitly encourages outbound activity. Initial access brokers sell VPN credentials and Active Directory footholds on criminal forums; state-aligned buyers purchase the same access to pursue strategic goals. From the victim’s point of view, the intrusion looks identical until the end-stage payload lands.
What types of attack UK SMEs should expect to see more of
The 22 April warning is an umbrella. Beneath it sit a small number of concrete attack patterns that UK IT and risk leaders should expect to encounter with rising frequency through the rest of 2026. The bar chart accompanying this article reflects NCSC, Verizon DBIR 2026 and Mandiant M-Trends 2026 data on the relative prevalence of the top state-aligned attack techniques observed against UK targets.
Two observations matter more than the rankings. First, nearly every technique on the list has a direct mitigation that most UK SMEs could put in place within thirty days. Second, the destructive tail — wipers, pre-positioned payloads — is small in volume but catastrophic in impact. The purpose of the NCSC severe-threat guidance is precisely to ensure that UK organisations can absorb and recover from a 5%-probability, 100%-impact event.
The real cost of a state-aligned incident for a UK SME
Criminal ransomware is typically a volume business: attackers want a payday and move on. State-aligned incidents tend to run longer, bury deeper, and cause secondary losses that do not appear on a ransom negotiation spreadsheet. The table below sketches typical total incident cost for UK SMEs, based on Cloudswitched’s engagement data and the ICO’s published casework through Q1 2026.
| Business size | Typical scope of impact | Median total cost | Business continuity impact |
|---|---|---|---|
| 1–10 staff | Email takeover + financial fraud | £22,000 – £55,000 | 2–5 working days |
| 10–50 staff | Identity compromise + data exfiltration | £68,000 – £160,000 | 5–10 working days |
| 50–150 staff | Full AD compromise + ransomware | £210,000 – £480,000 | 10–20 working days |
| 150–500 staff | Destructive payload / supply-chain breach | £560,000 – £1.6m | 15–45 working days |
These figures include incident response, legal and ICO notification, forensic imaging, credential rotation, reissued hardware, regulatory fines, customer-contract clawbacks and lost productivity during recovery. They exclude longer-tail reputational impact, which Cloudswitched typically sees add another 25–50% to total loss for regulated-sector clients over the twelve months following a significant incident.
Where UK SMEs are strongest — and where the gaps actually sit
Across more than 300 UK SME engagements between October 2025 and April 2026, Cloudswitched’s security audits have produced a consistent and uncomfortable pattern: businesses are reasonably well-defended on the controls that are easy to buy, and systematically under-defended on the controls that require organisational discipline. The scorecard accompanying this article reflects the prevailing picture.
The single most common finding is not the absence of any one control, but the absence of an owner. “MFA is on for most people”, “the backups were working last time somebody checked”, “patching is handled by the MSP, we think”. State-aligned attackers thrive precisely in the space between these sentences. They are not looking for a perfect breach; they are looking for an owner gap.
Reactive posture vs severe-threat posture — the side-by-side
The difference between a UK SME that absorbs a state-aligned campaign and one that is destroyed by it is almost never a single product choice. It is an organisational posture. The comparison table accompanying this article (columns: Reactive posture; Severe-threat posture) summarises the operational gap the 22 April warning is implicitly asking UK boards to close in the next ninety days.
The 10-step 90-day action plan for UK SMEs
What follows is the structured plan Cloudswitched is recommending to every UK SME client this week, drawn from the NCSC severe-cyber-threat guidance, the current wave of Cyber Essentials v3.3 readiness work, and our own incident-response experience over the last eighteen months. The goal is a defensible posture by the end of July 2026.
90-day severe-threat readiness programme
Step-by-step detail
1. Board-level cyber briefing and ownership. The 22 April warning explicitly asks leadership teams to own cyber as an operational risk, not delegate it to IT. Schedule a one-hour briefing in the next seven days that covers the current threat landscape, the business’s crown jewels, and a single named executive accountable for severe-threat preparedness. Record the decision in the minutes.
2. Asset inventory and crown-jewel identification. The NCSC guidance leans heavily on knowing what you are defending. Produce a written list of every system, dataset and external dependency whose loss or compromise would materially harm the business. Prioritise the top ten. Every subsequent step in this programme targets the protection of that top ten.
3. MFA enforcement audit and remediation. Close the gap between “MFA is turned on” and “MFA is enforced on every remote-access path for every user”. Legacy protocols (IMAP, POP, SMTP AUTH, basic-auth Exchange ActiveSync) cannot carry a second-factor challenge at all, so the fix there is to block legacy authentication outright, not to “switch MFA on” for it; check the sign-in logs first for whatever is still authenticating that way, because a multifunction printer, a line-of-business integration or a service account usually is. Look just as hard at break-glass accounts, service accounts, and any admin portal that still accepts a password alone. Privileged users should be on phishing-resistant factors (FIDO2 security keys or passkeys) wherever feasible; SMS and voice-call codes are better than nothing but are not phishing-resistant.
4. Edge-device patch cycle to KEV rhythm. Move from monthly best-effort patching to a cadence driven by CISA’s Known Exploited Vulnerabilities (KEV) catalogue. Cyber Essentials already requires critical and high-severity fixes within 14 days; for internet-facing appliances, treat the appearance of one of their CVEs on the KEV list as the start of a 72-hour patch SLA, because by that point exploitation is confirmed rather than theoretical. Document which appliances, which owners, which change-control process applies, and what you will do when the vendor fix is not yet available (restrict the management interface, disable the affected feature, or take the device offline). The events of the past week (the Fortinet and Cisco zero-days covered in yesterday’s Cloudswitched article) are precisely the failure mode this step is designed to close.
5. Privileged access management rollout. Separate day-to-day user identities from administrative ones, require MFA on every elevation, and put every admin action through a central audit path. Most UK SMEs do not need an enterprise PAM platform; they do need a discipline that prevents Bob from logging into the domain controller with the same credential he reads his email with.
6. Immutable / offline backup implementation. The backup strategy that protects you from criminal ransomware is not the backup strategy that protects you from a state-aligned wiper. Ensure at least one copy of every critical dataset is held in an immutable or truly offline form — outside the identity plane, vendor and tenant of the primary environment. Test restoration quarterly and record the test result.
7. Central logging and SIEM onboarding. In a severe-threat scenario, the single most valuable asset in the first forty-eight hours is logs. Every edge device, every identity provider, every production server, every mailbox. Ship to a central store — cloud-hosted SIEM is usually appropriate for SMEs — with at least thirteen months of retention. Costs are moderate; absence is catastrophic.
8. Supplier and MSP assurance questionnaire. The NCSC severe-threat guidance names supply chain as the fastest-growing vector, and the 22 April warning leans into this. Send a short, pointed assurance questionnaire to your top-ten suppliers and managed providers: what is their Cyber Essentials status, how is your data segregated from other clients, what is their incident-notification SLA, what happens to your data if they are breached. Keep the responses on file.
9. Incident-response tabletop exercise. Once per year is a compliance answer. The NCSC severe-threat framework implicitly asks for more: a half-day, scenario-led, cross-functional walkthrough of what happens when the worst case lands at 03:00 on a Sunday. Bring IT, operations, finance, legal and communications into the same room. Record every gap the exercise exposes and close them on a named-owner basis.
10. Board review and ongoing KPI cadence. Close the programme with a formal board review at week twelve, and lock in a quarterly cadence of cyber KPIs thereafter. The KPIs that matter are boring and measurable: percentage of users with enforced MFA, median time-to-patch for KEV CVEs, percentage of crown-jewel systems with tested offline backup, number of tabletop exercises completed in the last twelve months. Those four numbers, reviewed four times a year, are the difference between severe-threat readiness and a press release.
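Steps 3 and 7 only become measurable when somebody actually queries the sign-in logs. The script below is an added example written for this article, not NCSC or Cloudswitched tooling: it runs over a constructed export in the shape of the Entra ID sign-in log (the Microsoft Graph `signIn` field names are real; the accounts and events are made up) and produces the two findings step 3 has to act on and step 10 has to report: which users have completed a sign-in with a password alone, and which legacy-protocol paths are still accepting logins. The set of legacy client-app names is an assumption to be tuned against your own tenant’s filter.

```python
"""
MFA-enforcement audit over an Entra ID sign-in export (added example).

Field names follow the Microsoft Graph signIn resource; every record below is
constructed for this example and is not real tenant data.
"""

# clientAppUsed values that denote legacy (basic) authentication. A legacy
# client cannot be challenged for a second factor, so a *successful* sign-in
# through one is an MFA gap by definition. Assumption: tune this set against
# the "legacy authentication clients" filter in your own tenant.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Online PowerShell", "MAPI Over HTTP", "Other clients",
}

# Constructed sample export. errorCode 0 is a successful sign-in; 50126 is a
# bad password; 53003 is a Conditional Access block.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@example.co.uk", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "alice@example.co.uk", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "bob@example.co.uk", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "carol@example.co.uk", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0},
    {"userPrincipalName": "dave@example.co.uk", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 50126},
    {"userPrincipalName": "erin@example.co.uk", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 53003},
    {"userPrincipalName": "svc-backup@example.co.uk", "clientAppUsed": "Other clients",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0},
]


def audit_sign_ins(records):
    """Summarise an export into the findings a step-3 audit has to act on."""
    legacy_attempts = 0          # any attempt shows the path is still reachable
    legacy_successes = []        # (user, protocol): a working password-only path
    users_with_success = set()
    single_factor_users = set()  # completed at least one sign-in without MFA

    for r in records:
        upn = r["userPrincipalName"]
        succeeded = r["errorCode"] == 0
        if r["clientAppUsed"] in LEGACY_CLIENT_APPS:
            legacy_attempts += 1
            if succeeded:
                legacy_successes.append((upn, r["clientAppUsed"]))
        if not succeeded:
            continue                 # a blocked or failed sign-in is not a gap
        users_with_success.add(upn)
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            single_factor_users.add(upn)

    enforced = users_with_success - single_factor_users
    pct = (round(100 * len(enforced) / len(users_with_success), 1)
           if users_with_success else 0.0)
    return {
        "legacy_auth_attempts": legacy_attempts,
        "legacy_auth_successes": legacy_successes,
        "unenforced_users": sorted(single_factor_users),
        "mfa_enforced_users": sorted(enforced),
        "mfa_enforced_pct": pct,  # the board KPI from step 10
    }


if __name__ == "__main__":
    report = audit_sign_ins(SAMPLE_SIGN_INS)
    print(f"MFA enforced for {report['mfa_enforced_pct']}% of active users")
    for upn in report["unenforced_users"]:
        print(f"  password-only sign-in seen: {upn}")
    for upn, proto in report["legacy_auth_successes"]:
        print(f"  legacy protocol still accepting logins: {upn} via {proto}")
```

Two design points matter in practice. Failed sign-ins are deliberately excluded from the enforcement percentage (a Conditional Access block is the control working), but legacy-protocol attempts are counted even when they fail, because a stream of bad-password attempts over SMTP AUTH tells you the path is exposed and being sprayed. Running this over the real export, `mfa_enforced_pct` is the number that goes in the quarterly board pack, and `unenforced_users` is the remediation list.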
How Cloudswitched is responding to the 22 April warning for UK SMEs
Cloudswitched’s managed Cyber Security service was designed around the assumption that the UK threat baseline would rise, not fall, through 2026. The service wraps the ten-step programme above into a single continuously-maintained capability, aligned with Cyber Essentials v3.3 (effective 27 April 2026) and with the NCSC severe-cyber-threat framework. Clients receive asset and edge-device discovery and reconciliation, KEV-driven patching, identity-hardening and MFA enforcement, privileged-access management rollout, immutable backup implementation, centralised SIEM with thirteen-month retention, supplier assurance, biannual tabletop exercises, and a 24/7 incident-response retainer with named engineers.
For UK SMEs who are not ready to take on a full managed programme, the same ten steps are available as a structured 90-day consultancy engagement. The deliverables are identical — asset list, MFA audit, patch cadence, backup architecture, SIEM onboarding, supplier assurance, tabletop exercise, board review — and are designed to be handed over to an in-house IT team at the end of the engagement. Whichever path fits the business, the destination is the same: a UK SME that can look the 22 April warning in the face and answer honestly that it has taken reasonable, proportionate, and testable steps to prepare.
If you remember one line from the 22 April warning, make it this: the UK state has formally signalled, at the highest level, that your organisation is now part of the national cyber defence posture. That is not marketing; it is an operational instruction. Treat it accordingly, and the controls required to honour it will also be the controls that pass Cyber Essentials v3.3, satisfy your cyber insurer, and genuinely reduce the probability of a business-ending incident.
Want the 22 April warning translated into a 90-day plan for your business?
Book a free 30-minute call with a Cloudswitched security engineer. We will walk through your current posture against the NCSC severe-cyber-threat framework, identify the three highest-impact gaps, and hand you a prioritised action plan aligned with Cyber Essentials v3.3. No sales pitch, no jargon, no commitment — just an honest view of where you stand and what to do next.
Quick reference — UK SME severe-threat checklist
If you need a single page to carry into a leadership meeting tomorrow, the table below is the minimum-viable version of the 90-day programme, phrased as questions a non-technical director can realistically answer.
| Question | Acceptable answer | Owner |
|---|---|---|
| Is MFA enforced on every remote-access path for every user? | Yes, audited in the last 90 days | IT lead / MSP |
| Do we patch internet-facing critical CVEs within 14 days, and KEV-listed perimeter CVEs within 72 hours? | Yes, with written evidence of the last two | IT lead / MSP |
| Do we hold an immutable or offline backup of our crown-jewel data? | Yes, with a restore test in the last 90 days | IT lead |
| Do we have a named incident-response partner and a retainer? | Yes, with contact numbers on file outside email | Named director |
| Have we run a leadership tabletop exercise in the last 12 months? | Yes, with documented actions and owners | Named director |
| Do we know which of our suppliers have access to our data? | Yes, with assurance evidence on file | Named director |
| Are our logs retained for 13 months and stored centrally? | Yes, in a SIEM or equivalent | IT lead / MSP |
| Is cyber on the board agenda at least quarterly? | Yes, with documented minutes | Board |
Every “no” on that checklist is a gap that a state-aligned actor, or a criminal access broker selling to one, can exploit against a UK SME today. None of the items are exotic; all of them are within reach of any business with the organisational will to close them in ninety days.
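Step 4 and the second checklist row set two different clocks, and they reconcile cleanly: 14 days is the Cyber Essentials floor for any critical or high fix, 72 hours is the tighter window this article asks for when a CVE affecting an internet-facing appliance appears in CISA’s KEV catalogue. The following added example (written for this article; it is not Cloudswitched’s or CISA’s tooling) joins a constructed asset inventory against an excerpt in the shape of the KEV JSON feed and reports what is overdue against whichever clock applies, plus the median time-to-patch KPI from step 10. The `cveID`, `vendorProject`, `product` and `dateAdded` field names are the real feed’s; the `dateAdded` values, hostnames and patch dates are constructed for a reproducible run and do not reflect when those CVEs actually entered the catalogue.

```python
"""
KEV-driven patch SLA tracker (added example).

Joins an asset inventory against an excerpt in the shape of CISA's KEV JSON
feed and reports overdue known-exploited CVEs. The feed's real field names
are used; the dateAdded values, hostnames and patch dates are constructed so
the run is reproducible and do not reflect the real catalogue.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

EDGE_SLA = timedelta(hours=72)      # step 4: KEV-listed CVE on a perimeter product
INTERNAL_SLA = timedelta(days=14)   # Cyber Essentials floor for everything else

# Constructed excerpt in the KEV feed's shape (real CVE IDs, made-up dates).
KEV_EXCERPT = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet",
         "product": "FortiOS and FortiProxy", "dateAdded": "2026-04-18"},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2026-04-21"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "dateAdded": "2026-04-01"},
    ],
}

# Constructed inventory: what step 2 produces, plus vuln-scan findings and a
# record of what has already been patched (CVE -> date the fix was applied).
INVENTORY = [
    {"hostname": "fw-01", "owner": "IT lead", "internet_facing": True,
     "open_cves": ["CVE-2023-27997"], "patched": {}},
    {"hostname": "vpn-02", "owner": "MSP", "internet_facing": True,
     "open_cves": [], "patched": {"CVE-2024-3400": "2026-04-22"}},
    {"hostname": "mail-01", "owner": "MSP", "internet_facing": True,
     "open_cves": ["CVE-2024-3400"], "patched": {}},
    {"hostname": "intranet-app", "owner": "Dev lead", "internet_facing": False,
     "open_cves": ["CVE-2021-44228"], "patched": {}},
]

AS_OF = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc)  # fixed for the example


def _utc_midnight(day):
    """KEV dates are YYYY-MM-DD strings; treat them as 00:00 UTC."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def kev_sla_report(inventory, kev_feed, as_of):
    """Return breached and pending KEV deadlines plus the median time-to-patch."""
    kev_added = {v["cveID"]: _utc_midnight(v["dateAdded"])
                 for v in kev_feed["vulnerabilities"]}
    breached, due, time_to_patch_days = [], [], []

    for asset in inventory:
        # The clock starts at KEV dateAdded, not when we noticed; the window
        # depends on exposure, which is why the inventory has to record it.
        sla = EDGE_SLA if asset["internet_facing"] else INTERNAL_SLA
        for cve in asset["open_cves"]:
            if cve not in kev_added:
                continue                 # not known-exploited: normal cycle
            deadline = kev_added[cve] + sla
            item = {
                "hostname": asset["hostname"], "cve": cve, "owner": asset["owner"],
                "deadline": deadline.isoformat(),
                "days_past_deadline": round((as_of - deadline).total_seconds() / 86400, 1),
            }
            (breached if as_of > deadline else due).append(item)
        for cve, patched_on in asset["patched"].items():
            if cve in kev_added:
                delta = _utc_midnight(patched_on) - kev_added[cve]
                time_to_patch_days.append(delta.total_seconds() / 86400)

    return {
        "breached": breached,
        "due": due,
        "median_ttp_days": median(time_to_patch_days) if time_to_patch_days else None,
    }


if __name__ == "__main__":
    report = kev_sla_report(INVENTORY, KEV_EXCERPT, AS_OF)
    for item in report["breached"]:
        print(f"BREACHED {item['hostname']} {item['cve']} owner={item['owner']} "
              f"{item['days_past_deadline']}d past deadline")
    for item in report["due"]:
        print(f"DUE      {item['hostname']} {item['cve']} by {item['deadline']}")
    print(f"median time-to-patch for KEV CVEs: {report['median_ttp_days']} days")
```

In a real deployment the `KEV_EXCERPT` literal is replaced by the JSON fetched from CISA’s published feed and `INVENTORY` by the scanner export, but the logic is the point: the deadline is anchored to the date the CVE entered KEV, not the date someone read the advisory, and every overdue line carries a named owner so it can go straight onto the step 10 board pack. A negative `days_past_deadline` on a `due` item is the time remaining.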
Final word
The 22 April warning was not a sensational headline. It was a carefully-timed, deliberately-public instruction from the United Kingdom’s security community to every UK organisation with a digital footprint: the threat environment has changed, the old baseline is no longer enough, and leadership teams are being asked to lift their game this quarter. For UK SMEs the message is unusually direct — you are not too small to be a target; your suppliers, your customers and your data make you part of a larger picture the UK state is now explicitly defending.
The reassuring news is that none of the controls required to meet this moment are exotic. An honest asset list, enforced MFA, KEV-rhythm patching, an immutable backup, a tested incident-response plan, a named MSP partner, quarterly cyber KPIs at board level. That is the list. Close it in ninety days and your business is in a materially stronger position than the vast majority of UK SMEs — and is squarely within the severe-threat posture the NCSC 2026 guidance is asking for. Ignore it, and the next warning may not arrive with a Reuters headline; it may arrive with a ransom note, a regulator’s letter, or a customer terminating a contract.
If you would like help translating the 22 April warning into a ninety-day plan that fits your business, Cloudswitched is running short, honest readiness reviews this week and next. The deliverable is a prioritised action plan, mapped to Cyber Essentials v3.3 and the NCSC severe-cyber-threat framework, with named owners and realistic timescales. Whether you implement it with us or on your own, the document is yours to keep. Given what 22 April 2026 just asked of every UK business, it may be the most useful hour your leadership team spends this quarter.