There is no shortage of good, free cyber security guidance aimed at small businesses in the UK.
The NCSC Small Business Guide covers practical steps across passwords, backups, malware protection, and staff awareness without charging a penny.
The Eastern Cyber Resilience Centre, a police-led, not-for-profit organisation covering Norfolk, Suffolk, and Cambridgeshire, offers free core membership that includes regular threat updates, security guidance, and signposting to NCSC tools.
Cyber Essentials, the government-backed certification scheme, provides a free self-assessment pathway to help businesses understand where their IT compliance gaps sit.
Between these three resources alone, a business owner in Norwich could spend an afternoon reading and come away with a credible checklist covering almost every threat they are realistically likely to face. Most never do.
What the Data Shows
The DSIT Cyber Security Breaches Survey 2024 puts some numbers to the gap. Only 12% of UK businesses are aware of the Cyber Essentials scheme, and of those, just 3% report adhering to it. Awareness of the NCSC’s 10 Steps to Cyber Security guidance sits at 13% across all businesses. The proportion seeking out external security information at all has dropped from 49% in 2023 to 41% in 2024. Awareness of the Cyber Aware campaign has fallen again among smaller businesses, extending a multi-year decline. When businesses do look for help, they turn most often to their IT provider, not to the official guidance that is sitting there for free.
Those figures describe a usage problem, not an information problem. The advice exists. It is well-written, well-signposted, and costs nothing. Something else is getting in the way.
The Problem is Not the Advice
The NCSC has spent years making its guidance accessible. Plain language, practical steps, no assumed technical knowledge. The ECRC’s resources are produced in partnership with regional policing and calibrated specifically for East Anglia’s typical business profile: small, often under-resourced, operating in sectors where client data and compliance matter.
Half of UK businesses experienced a cyber security breach or attack in the past year, according to the same DSIT survey. Many of those incidents do not exploit sophisticated vulnerabilities. They exploit the predictable ones – weak passwords, unpatched software, and staff who have never been shown what a convincing phishing email looks like – that the NCSC has been publishing guidance on for years. The cyber security answers that East Anglia businesses most commonly need have been freely available for a long time. That is what makes the gap so difficult to explain.
Reading and Doing are Different Things
Most small businesses encounter security guidance the way most people encounter good health advice. They read it, acknowledge it, and sometimes forward it to a colleague. Then something more immediately pressing arrives – a client deadline, a cash flow concern, a staff issue – and the browser tab closes. The difference is that ignoring health advice affects you. Ignoring a security gap can affect your clients, your contracts, your regulatory obligations, and your ability to trade.
There is also a subtler problem with self-serve guidance: it requires the reader to self-diagnose. The NCSC’s Small Business Guide is excellent, but it does not know whether you have configured multi-factor authentication across every cloud account your team uses. It cannot tell you whether the backup that runs every night has been tested under recovery conditions or whether the staff member who handles client data has ever seen a phishing simulation. It describes what good looks like. It cannot confirm whether you have got there.
That gap between reading the guidance and verifying that it has been applied is where most businesses are quietly exposed.
Why the Gap Stays Open
Urgency is part of it. Security work rarely feels pressing until something goes wrong, and by the time it does, the cost is high. The businesses that call us following an incident almost always knew the steps they should have taken. But knowing and doing are separated by something more than awareness – they are separated by time, resources, and the absence of anyone whose job it is to make sure the work gets finished.
When no one specific owns implementation, the task belongs to everyone and gets done by no one. A business owner managing fifteen members of staff, a client base, and a set of operational pressures that seem to grow every quarter does not have the available hours to become a working authority on IT compliance as well. That is not a criticism. It is just an accurate description of how most small businesses operate.
The Difference a Partner Makes
We see this regularly across Norfolk, Suffolk, and beyond: businesses that have Cyber Essentials on their radar, that have downloaded the ECRC’s materials, and that have heard of the NCSC’s 10 Steps. The gap is not knowledge. It is execution, follow-through, and someone who checks. A managed IT support partner who reviews your actual environment against that guidance, asks the uncomfortable questions, and helps you close what is open does not replace the free advice. It makes the free advice worth having. As a Cyber Essentials Plus certified company, we’ve been through the process ourselves. We know both what the requirements look like on paper and what getting there actually involves for a small business.
The NCSC and the Eastern Cyber Resilience Centre are doing their job. The question is whether anyone is doing the job of making sure your business has acted on what they recommend.
Next Steps
If you want a clear picture of where your business stands, there are two ways in. Download The Compliance Casebook, a practical guide to the requirements most East Anglian businesses overlook, or book a free 30-minute call with VMIT to talk through your current position. Whether you are exploring Cyber Essentials in Norfolk for the first time or picking up a process that stalled, we can help you work out where you stand.
Frequently Asked Questions
What should I look for in IT support in Norwich?
Look for a provider that takes a proactive approach, monitoring and maintaining your systems rather than just responding when things break. Local knowledge matters too, so choose someone who understands the needs of Norwich and Norfolk businesses.
How do I know if my business needs managed IT support in Norfolk?
If you’re experiencing regular downtime, relying on untrained staff for technical issues, or struggling to keep up with compliance, these are strong indicators that your business would benefit from dedicated IT support in Norfolk.
Can IT support help with compliance like Cyber Essentials and GDPR?
Yes. A good IT support provider will help you implement the technical controls needed for compliance, monitor them on an ongoing basis, and ensure your business stays aligned with current requirements.
What’s the difference between break-fix and managed IT support?
‘Break-fix’ means you call someone when something goes wrong and pay per incident. Managed IT support provides ongoing monitoring, maintenance, and strategic guidance, preventing many issues and giving you predictable costs.