Using the NCSC Cyber Action Toolkit to build a practical security plan for your business.
Most small businesses know they should be doing more about cyber security. The problem is rarely a lack of awareness. It is knowing where to start. The sheer volume of advice, frameworks, products, and acronyms in the security space can make the whole subject feel overwhelming, particularly for organisations without dedicated IT teams or security expertise.
The National Cyber Security Centre recognised this challenge and created the Cyber Action Toolkit specifically to address it. It is a free, structured resource that helps small and medium businesses assess their current security posture and build a practical action plan to improve it. No jargon. No sales pitch. No assumption that you have a background in information security.
This guide explains what the toolkit covers, how to use it effectively, and how to turn its recommendations into a plan that actually gets implemented. Whether you are starting from scratch or looking to formalise practices you already have in place, the toolkit provides a structured path forward that is proportionate to the risks small businesses face.

What is the NCSC Cyber Action Toolkit?
The toolkit is part of the NCSC’s broader mission to make the UK the safest place to live and work online. It sits alongside other NCSC resources like Cyber Essentials and the Small Business Guide, but it differs in one important respect: it is interactive, personalised, and designed to produce an actionable output rather than general guidance.
A free, government-backed resource
The Cyber Action Toolkit is developed and maintained by the National Cyber Security Centre, which sits within GCHQ. It costs nothing to use. There is no registration, no paywall, and no sales pitch. It exists because the UK government recognises that small businesses are disproportionately affected by cyber attacks and often lack the resources to know where to start. The toolkit provides that starting point in a format that does not assume any technical expertise.
Designed for small and medium businesses
This is not a framework built for enterprises with dedicated security teams and six-figure budgets. The toolkit is specifically written for organisations with between one and 250 employees, many of which have no in-house IT function at all. The language is straightforward. The recommendations are practical. The actions can be implemented by anyone willing to invest a few hours, regardless of their technical background.
A structured self-assessment
The toolkit walks you through a series of questions about how your organisation currently handles data, devices, passwords, and software. Based on your answers, it generates a personalised action plan that highlights where you are doing well and where the gaps are. The output is not a generic list of best practices. It is a prioritised set of specific actions tailored to your situation.
Covers the fundamentals that matter most
The toolkit focuses on the four areas that account for the vast majority of successful cyber attacks against small businesses: data backup, malware protection, device security, and authentication. These are the controls that, when implemented properly, prevent the attacks that are most likely to affect your organisation. Getting these right does more for your security posture than any amount of advanced tooling.
“The biggest barrier to better cyber security in small businesses is not budget or technology. It is knowing where to start. The Cyber Action Toolkit removes that barrier entirely.”


The four key areas
The toolkit is structured around four domains that collectively address the most common and most damaging cyber threats facing small businesses. These are not arbitrary categories. They reflect the attack patterns that the NCSC sees most frequently in incident reports from UK organisations.
Getting these four areas right will not make you immune to every possible threat. But it will close the doors that attackers walk through most often, and that is where the greatest return on effort lies.
Backing up your data
Data loss is one of the most common and most damaging outcomes of a cyber incident. Ransomware encrypts your files. A hardware failure destroys your server. An employee accidentally deletes a critical folder. Without reliable backups, recovery is either impossible or prohibitively expensive. The toolkit walks you through identifying what data matters most, choosing an appropriate backup method, testing that your backups actually work, and establishing a schedule that ensures nothing critical is more than a day old. It covers both cloud-based and physical backup approaches, and emphasises the importance of keeping at least one copy offline and disconnected from your network. This single control, implemented properly, can mean the difference between a minor disruption and a business-ending event.
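The three backup checks this paragraph describes (the newest backup is under a day old, it can actually be restored, and every critical file is present afterwards) as one runnable routine. This is an added example, not code from the NCSC toolkit or from this page; the backup directory layout, the `.tar.gz` archive naming and the critical-file list are assumptions, and the sample backups it builds are constructed test data.

```python
"""Backup verification: an added example, not code from the NCSC toolkit or this page.
It runs the toolkit's three backup checks in one routine: the newest backup is under a
day old, it really restores, and every critical file is present afterwards."""
import io, os, tarfile, tempfile, time
from pathlib import Path


def verify_backup(backup_dir: Path, critical_files: list) -> dict:
    """Freshness, test-restore and completeness checks; returns a report dict."""
    report = {"fresh": False, "restorable": False, "missing": list(critical_files), "ok": False}
    archives = sorted(backup_dir.glob("*.tar.gz"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return report  # no backup at all is the worst case
    archive = archives[-1]  # most recently written backup
    report["fresh"] = time.time() - archive.stat().st_mtime <= 24 * 3600  # nothing older than a day
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive) as tar:
            # The "data" filter (Python 3.12+, backported to patch releases) rejects path-traversal members.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)  # the test restore
            restored = {p.relative_to(scratch).as_posix() for p in Path(scratch).rglob("*") if p.is_file()}
        report["restorable"] = True
        report["missing"] = [f for f in critical_files if f not in restored]
    except (tarfile.TarError, OSError, EOFError):
        pass  # unreadable or damaged archive: restorable stays False
    report["ok"] = report["fresh"] and report["restorable"] and not report["missing"]
    return report


def build_sample_backup(backup_dir: Path, files: dict, age_seconds: int, corrupt: bool = False):
    archive = backup_dir / "backup.tar.gz"  # constructed sample archive, not a real backup
    with tarfile.open(archive, "w:gz") as tar:
        for rel, content in files.items():
            info = tarfile.TarInfo(rel)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    if corrupt:
        archive.write_bytes(b"not really an archive")  # simulate a damaged backup file
    os.utime(archive, (time.time() - age_seconds,) * 2)  # back-date it to the chosen age


def run_scenario(files: dict, age_seconds: int, corrupt: bool, critical: list) -> dict:
    with tempfile.TemporaryDirectory() as d:
        build_sample_backup(Path(d), files, age_seconds, corrupt)
        return verify_backup(Path(d), critical)


def demo() -> dict:
    # Four constructed scenarios: fresh and complete, stale, damaged, and missing a critical file.
    critical = ["accounts/ledger.csv", "customers/contacts.csv"]
    full, partial = {f: b"sample" for f in critical}, {critical[0]: b"sample"}
    scenarios = {"good": (full, 3600, False), "stale": (full, 3 * 86400, False),
                 "corrupt": (full, 3600, True), "incomplete": (partial, 3600, False)}
    return {label: run_scenario(*args, critical) for label, args in scenarios.items()}
```

Run `demo()` to see all four reports; only the fresh, restorable and complete backup comes back with `ok` set, which is the outcome a scheduled check should alert on when it is not met.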
Protecting from malware
Malware is any software designed to damage, disrupt, or gain unauthorised access to your systems. It includes ransomware, spyware, trojans, and viruses. The toolkit covers practical steps to reduce your exposure: keeping software up to date, being cautious with email attachments and links, installing and maintaining antivirus or endpoint protection software, and restricting what software can be installed on company devices. It also addresses the human element, because the majority of malware infections begin with someone clicking something they should not have. The guidance helps you establish sensible policies without creating a culture of fear or making it impossible for people to do their jobs.
Keeping devices secure
Every device that connects to your business data is a potential entry point for an attacker. This includes laptops, desktops, tablets, smartphones, and even printers and routers. The toolkit addresses secure configuration: ensuring devices are not running in their out-of-the-box state, changing default passwords, enabling built-in firewalls, encrypting storage, and keeping operating systems and firmware updated. For organisations with staff working from home or on the move, it covers the additional considerations of securing devices that connect through untrusted networks. The guidance is practical and device-agnostic, recognising that most small businesses run a mix of Windows, Mac, iOS, and Android.
Using passwords and multi-factor authentication
Compromised credentials remain the single most common attack vector for small businesses. Weak passwords, reused passwords, and the absence of multi-factor authentication account for a significant proportion of all breaches. The toolkit provides clear guidance on password policies that actually work: using longer passphrases rather than complex character requirements, avoiding password reuse across services, implementing a password manager, and enabling MFA on every account that supports it. It also covers the practical challenges of rolling out MFA across an organisation, including dealing with resistance from staff and handling accounts where MFA is not natively supported.
Building your action plan
The toolkit generates recommendations, but turning those recommendations into meaningful change requires a structured approach. The following four steps will help you move from assessment to implementation in a way that is realistic, accountable, and sustainable. The organisations that get the most value from the toolkit are not the ones that complete the assessment. They are the ones that follow through on what it tells them.
Complete the assessment honestly
The toolkit begins with a structured self-assessment that asks questions about your current practices across all four key areas. The temptation is to answer optimistically, to select the response that reflects what you intend to do rather than what you actually do today. Resist this. The value of the assessment is entirely dependent on honesty. If you say backups are tested regularly when they have not been tested in six months, the action plan will not flag it as a priority. Answer based on your current reality, not your aspirations. The gaps are not failures. They are the information you need to improve.
Prioritise by impact and effort
The assessment will likely generate more actions than you can implement at once. That is normal and expected. The next step is to prioritise. Sort your actions into three categories: quick wins that can be done this week with minimal effort, medium-term improvements that require some planning or budget, and longer-term projects that involve significant change. Start with the quick wins. Enabling MFA on your email accounts, changing default passwords on your router, and verifying that your backups ran last night are actions you can take today that meaningfully reduce your risk. Build momentum with these before tackling the larger items.
Assign ownership and deadlines
An action plan without owners and deadlines is a wish list. Every item needs a named person responsible for completing it and a realistic target date. For organisations without dedicated IT staff, this might mean the business owner takes responsibility for some items, a trusted employee handles others, and an external partner is brought in for anything that requires specialist knowledge. The key is accountability. Review the plan in a team meeting, agree who is doing what, and put the deadlines in a shared calendar. Vague intentions do not improve security. Specific commitments do.
Review, repeat, and build on progress
Cyber security is not a project with a finish line. Threats evolve. Technology changes. Staff join and leave. The action plan you create today will need updating in three months, and again in six months, and again after that. Schedule a quarterly review where you revisit the toolkit, reassess your position, and update your plan accordingly. Each cycle should feel easier than the last, because you will be building on progress rather than starting from scratch. Over time, this process becomes part of how your organisation operates rather than something you do once and forget about.
Beyond the basics
The Cyber Action Toolkit is designed as a starting point, not a destination. Once you have implemented its core recommendations and established a regular review cycle, the natural next step is to build on that foundation with additional measures that further reduce your risk and demonstrate your commitment to security to clients, partners, and regulators.
The good news is that the work you do with the toolkit is not wasted when you move to more formal frameworks. The controls overlap significantly with Cyber Essentials, and the discipline of regular assessment and improvement aligns directly with the approach required by ISO 27001 and similar standards. You are not starting over. You are building on a solid foundation.
Cyber Essentials certification
If you have implemented the actions recommended by the toolkit, you are already well on your way to meeting the requirements for Cyber Essentials, the UK government-backed certification scheme. Cyber Essentials formalises the baseline controls and provides a recognised certificate that demonstrates your commitment to security. It is increasingly required for public sector contracts, and many private sector organisations now ask suppliers for it. The certification process builds directly on the work you have already done with the toolkit.
Staff awareness training
The toolkit addresses technical controls, but human behaviour remains the largest factor in most security incidents. Regular security awareness training helps staff recognise phishing attempts, understand why policies exist, and develop habits that reduce risk. This does not need to be expensive or time-consuming. Short, regular sessions are more effective than annual compliance exercises that people tune out.
Incident response planning
Knowing what to do when something goes wrong is just as important as preventing incidents in the first place. A simple incident response plan that defines who to contact, what to do in the first hour, and how to communicate with affected parties can dramatically reduce the impact of a breach. The NCSC provides free templates for this as well.
Regular security reviews
As your organisation grows and your technology changes, your security posture needs to keep pace. Periodic reviews, whether conducted internally or with an external partner, ensure that new systems, new staff, and new ways of working are covered by your controls. What was secure six months ago may not be secure today.
“Security is not a product you buy or a project you complete. It is a discipline you build into how your organisation operates. The Cyber Action Toolkit gives you the structure to start building that discipline today.”
Need help building your cyber action plan?
The toolkit is a great starting point, but some organisations want expert guidance to interpret the results, prioritise the right actions, and implement changes with confidence. We help UK businesses turn the toolkit’s recommendations into a practical, funded security improvement plan that actually gets delivered.
Whether you need help completing the assessment, want support implementing the recommendations, or are ready to take the next step towards Cyber Essentials certification, a conversation with our team will give you a clear picture of where you stand and what to do next.