The UK’s cyber security industry is having a strong year. Total sector revenue reached £14.7 billion in 2026, according to the Department for Science, Innovation and Technology’s annual sectoral analysis, up 11 percent on the £13.2 billion recorded the year before.
The number of active firms rose to 2,603, a 20 percent jump. Gross value added climbed 17 per cent to £9.1 billion.
This matters well beyond boardrooms and IT departments. Every customer who books online, pays by card, or deposits at a non gamstop casino, tradesperson or local service provider is relying, often unknowingly, on that firm’s cyber defences holding up. When an SME’s systems are weak, it isn’t just the business that absorbs the damage: it’s the consumers whose card details, addresses and personal data sit inside it.
Strip away the topline figure and a sharper question emerges: who is this growth actually for?
Where the £14.7bn really goes
The sector looks like an SME story on paper. Fifty-eight per cent of firms are micro businesses, and a further 19 percent are classed as small. But size of firm and share of revenue are two very different things.
Large companies take 70 percent of total sector revenue. Just 32 large “anchor” firms now generate over £50 million each in cyber-related income, up from 28 last year, often as one division within a far bigger consultancy or telecoms business rather than as a dedicated specialist.
Below them sits a fast-growing middle tier: 241 firms now report annual cyber revenues above £10 million, more than double the 105 recorded two years ago. The genuine small players, by contrast, mostly survive on specialism rather than scale: dedicated, pure-play cyber firms generate roughly 83 percent of all SME-category revenue, while diversification does little for smaller companies trying to compete with the giants.
A procurement boom that small firms can’t reach
Public sector demand for cyber services is surging. Contract value rose 62 percent year-on-year in 2025, to £1.5 billion, a six-fold increase since 2019.
Yet investors interviewed for the DSIT report were blunt about who is winning that work. Several flagged government procurement rules themselves as the barrier stopping small cyber firms from scaling, even as the pot of public money on offer keeps growing. One venture capital investor told researchers the government “need[s] to open that space up for those SMEs to succeed,” describing current procurement engagement as actively excluding the smaller suppliers it claims to want to support.
There is a genuine bright spot. Of the £184 million raised by dedicated cyber firms in 2025, 46 percent went to small companies with 10 to 49 staff, sharply up from just 17 per cent in 2024. Early-stage investor appetite is shifting downward in company size, even as total deal value fell 11 percent.
The other half of the question: SMEs as buyers
Most Business Matters readers aren’t cyber security vendors. They’re the businesses trying to buy protection from this booming industry, and here the picture turns considerably less encouraging.
The government’s own Cyber Security Breaches Survey 2025/2026, published in April, found that 43 percent of UK businesses, an estimated 612,000 organisations, suffered a breach or attack in the past twelve months. Despite that, formal Cyber Essentials certification, the UK’s baseline security standard, is held by just 5 per cent of businesses overall. Among small firms specifically, the figure is 12 percent, against 35 percent for large businesses.
Advanced protections lag even further behind. Fewer than half of UK businesses use two-factor authentication consistently. Only 36 percent provide a VPN for remote staff. Just 15 percent review the cyber risk posed by their immediate suppliers, and a mere 6 percent look any further down the supply chain than that.
Why SMEs are stuck, in their own words
Separate research from ISO certification platform Be Certified, surveying 700 SME owners earlier this year, found that cyber security fears are now the single biggest barrier stopping smaller firms from digitalising further. Forty-two per cent named it their top obstacle, ahead of skills shortages and budget constraints combined.
The financial exposure behind that fear is real. Research commissioned by Samsung found 69 percent of SMEs have no allocated funds or insurance to cover a cyber incident at all, despite 55 percent saying they’re now more aware of the risk following recent high-profile breaches. Those breaches are not abstract: Marks & Spencer, Co-op, Harrods and Jaguar have all been hit within the past year, demonstrating that scale buys no real immunity, and giving smaller firms little reassurance that bigger budgets solve the problem.
Regulation is about to raise the bar regardless
Cyber Essentials version 3.3 came into force in late April, making multi-factor authentication on every cloud service a hard pass-or-fail requirement. A substantial share of UK businesses, by the government’s own survey data, would fail that standard today.
Further up the pipeline, the Cyber Security and Resilience Bill, introduced to the Commons in November 2025 and expected to gain Royal Assent in the 2026-27 parliamentary session, will push stricter incident reporting obligations down supply chains. SMEs that are never directly regulated will still feel the effect, through customer contracts and supplier questionnaires demanding proof of certification they may not hold.
So, are SMEs benefiting?
The government has committed £90 million specifically to help secure smaller businesses, alongside a voluntary Cyber Resilience Pledge asking larger signatories to require Cyber Essentials across their own supply chains. Both initiatives target the right problem.
But set against a sector where 70 percent of revenue sits with large firms, where investors describe procurement as actively shutting out small suppliers, and where fewer than one in eight small businesses hold even baseline certification, the honest answer is: not yet, not at scale. Britain’s £14.7 billion cyber industry is growing fastest where it is needed least, and lagging where the country’s 99.8 percent SME population needs it most.