The Q1 2026 Barclays Business Prosperity Index, published in late May, gives the cleanest recent read on UK business cyber spending intentions. Sixty-eight per cent of business leaders plan to increase their cybersecurity investment over the next twelve months. The headline that ran in most outlets stopped there. The numbers underneath are the more useful ones, both because they are broken down by firm size and because they reveal a much wider preparedness gap than the spending intention number suggests.
The Index surveyed 1,000 senior business decision-makers in late April and early May, plus a separate panel of 500 B2B leaders. The same week, Digital Minister Liz Lloyd gave a speech at the New Statesman Security and Resilience Conference that put the supply-side picture next to it: £90 million of government money targeted at SMEs, a free training programme, and the legislative push of the Cyber Security and Resilience Bill, which we covered separately. Read together, the demand side and the supply side describe a UK in which the spending direction is finally right and the readiness gap is still wide.
The numbers
Spending intentions, broken down by firm size:
- Large businesses. Over one third have already increased cyber spending since the start of 2026. Average annual spend: £1.3 million.
- Small businesses. 26% have increased spending. Average annual spend: £134,000.
- Micro businesses. 4% have increased spending. Average annual spend: £15,000.
The headline 68% intention figure masks a very wide variation. Large firms are increasing spend now; smaller firms are saying they will. Micro businesses, the bulk of the UK business count by volume, are largely flat.
Readiness, across the whole sample:
- 46% of UK business leaders believe new technologies are increasing their cyber exposure.
- Fewer than three in ten feel confident responding to a major incident.
- 33% are concerned about loss of sensitive data; 28% about damage to customer trust; 27% about operational disruption; 26% about revenue loss.
On the AI side, the survey produced a useful set of contradictions.
- 26% of firms worry about the accuracy and reliability of AI outputs.
- 24% flag data security risks from AI use.
- 61% nevertheless say they are already using agentic AI proactively.
- 52% report AI has improved productivity.
The pattern is the one our earlier filing on "your staff are using AI, you're paying twice" covered from the worker side: adoption is broad, productivity gains are real but smaller than claimed, and the risk picture is not yet managed.
What the government is offering
Liz Lloyd's speech at the New Statesman conference put numbers on the supply side. The Cyber Security Breaches Survey she quoted had 43% of UK businesses experiencing a breach in the last twelve months, 69% for large firms, with 29% facing weekly attacks. She framed cyber resilience as "not optional" and warned that "AI is making it easier and faster to exploit organisations" that lack the basic protections. The phrase she repeated was that SMEs are "the backbone of our economy", which is government language for "we are going to spend money on this".
The named programmes are worth knowing about.
- £90 million committed to SMEs. The mechanism is a combination of free training for SME staff, the Cyber Resilience Pledge (a board-level commitment scheme), and the Early Warning system run by the NCSC, which automatically notifies organisations of indicators of compromise associated with their domains and IP ranges. The Pledge and the Early Warning system are both free; the training is too.
- £187 million TechFirst programme. Skills development at university and PhD level, mostly targeted at the supply side of the cyber sector. Less directly relevant to SME spending decisions, more relevant to the firms that hire from this pool over the next five years.
- Cyber Essentials. The basic certification scheme remains the floor for procurement from government and a growing share of larger commercial customers. We covered the detail in "what Cyber Essentials actually involves".
- Code of Practice for Software Vendors. Government's bet on raising the floor for vendors selling into the UK market. This pairs with the EU Cyber Resilience Act, which we covered in "the EU Cyber Resilience Act is coming for your software".
- Code of Practice for AI Cyber Security. The newer framework, intended for firms building or buying AI systems. The pattern is the same as the software one: voluntary now, used as a procurement filter quickly, mandatory in some form within a few years.
The gap the data describes
Three things stand out when the demand and supply sides are read together.
Spending intention is high. Spending capacity is low for the smallest firms. The micro-business 4% increase rate is the most important number in the Barclays survey. The smallest UK firms are not spending more, and the government's £15,000 average for that segment is roughly what a single decent Cyber Essentials engagement plus a year of basic backup tooling would cost. The supply-side programmes (Early Warning, Pledge, free training) are aimed at exactly this gap. They do not cost money. They do require the owner-manager to spend an afternoon enrolling.
Confidence is low across the board. Fewer than three in ten firms feel ready to respond to a major incident. That number is bad across every segment. The fix is mostly process, not tools: a two-page incident response plan, a list of who-rings-who, a backup that has been tested in the last six months, and a relationship with an incident-response firm you can call. The drill matters more than the document. We covered this in "the first five minutes of incident response".
AI adoption is outrunning AI risk management. 61% use agentic AI; only 26% worry about AI output reliability. The mismatch is the source of the shadow AI problem. A short policy on what the firm uses AI for, and what data does not go into it, is a one-evening job for the owner-manager and removes the most common ways the firm gets surprised.
What an SME should actually do this quarter
Three concrete things, in order of cost.
Enrol in the Early Warning system. Free. NCSC will email you when one of your domains or IP ranges appears in a threat-intelligence feed. The signal-to-noise is decent and you find out before your customers do. The route in is via the NCSC website; the registration takes about ten minutes.
Run the free SME training, or send your team to it. The government's "Cyber Aware" and "Stay Safe Online" modules are free, short, and substantially better than they were five years ago. Twenty minutes per staff member, once a year, is not a heavy lift. The 43% breach rate from the speech is dominated by the kind of breach a half-hour of awareness training would prevent.
Do Cyber Essentials this year, if you have not. Self-assessed certification costs around £350. With an external assessor for Cyber Essentials Plus, around £1,500 to £3,000. The £134,000 average for small business cyber spend already covers it many times over; the £15,000 micro-business average makes it the largest single line item, which is the right shape. The certification is increasingly a procurement filter. Doing it now is easier than doing it under contract pressure.
A fourth, larger move is worth flagging for any firm that grows past the micro threshold this year. The £505,000 average masks how much of cyber spend is hidden inside other line items: the IT provider's bill, the SaaS subscriptions, the insurance premium. The exercise of pulling those out and tracking cyber as a single number, even crudely, is what turns "we should spend more" into "we are spending more on the right things". The firms that grow into the small-business segment without doing this end up spending more without getting more, which is the worst combination.
The bigger framing
The Barclays survey and the Lloyd speech describe the same thing from different angles. The threat picture is getting worse. The boards have noticed. The intent to spend is there. The capacity to spend wisely is unevenly distributed. The supply-side programmes that government has stood up are aimed at the gap, and most of them are free to use. The bit of work that is not free is the owner-manager deciding to take half a day this quarter to enrol the firm in them.
The 68% headline is the easy quote. The 30% confidence number underneath is the one to act on.
How Steelwise can help
Running the Cyber Essentials process, drafting the incident-response plan, and turning the free government programmes into a half-day exercise that actually gets the firm enrolled is the kind of practical work we do with clients. Get in touch.
Further reading
- Barclays Business Prosperity Index 2026
- NCSC: Early Warning service
- NCSC: Cyber Essentials
- Cyber Security Breaches Survey