In February 2026, the UK Government launched “Lock the Door,” a national campaign telling every business to implement five basic cyber protections. The Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) are behind it. The reason is straightforward: cyber crime costs the UK economy £14.7 billion a year, 43% of businesses reported an attack last year, and 97% still do not hold Cyber Essentials certification.

The NCSC’s CEO, Dr Richard Horne, put it bluntly: “Most attackers don’t care about size, reputation or logos, they are looking for opportunity and weaknesses.”

The five protections the campaign recommends are the same five that underpin Cyber Essentials, the government-backed certification scheme. They are not complicated. But most businesses either assume they already have them covered, or do not know what “good” actually looks like.

This guide breaks down each one in plain English, explains what businesses commonly get wrong, and shows what proper implementation looks like.

Not sure where your business stands on these five protections? We run a no-cost credential exposure check on your domain that takes less than five minutes to set up. It shows you exactly which staff email accounts and passwords have been found in data breaches. Run your credential exposure check or call us on 0151 452 3060.


The 5 Protections: What They Actually Mean

1. Firewalls

What it means: A firewall controls what traffic can enter and leave your network. Think of it as a security gate that only lets authorised traffic through.

What most businesses get wrong: They have a firewall, but nobody has reviewed the rules since it was installed. Default configurations often leave ports open that should be closed. Remote working has added complexity that many firewalls were never configured to handle.

What “good” looks like: Firewall rules reviewed at least annually. Only necessary ports open. Remote access secured through VPN or cloud-based access controls, not exposed RDP (Remote Desktop Protocol). Default admin credentials changed on day one.
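A small audit script makes the review concrete. It is an added example for this guide, not code from the page or from HiltDigital, and the rule format, the approved-port list and the sample rules are all constructed for the illustration. It flags rules that expose RDP to any source, "any/any" allow rules, ports not on the documented approved list, and rules nobody has reviewed in the last year.

```python
"""Audit a firewall rule set for the points above: only necessary ports
open, no RDP exposed to the internet, and every rule reviewed within a
year. The rule dictionary format is an assumption for this example."""
from datetime import date, timedelta
import ipaddress

# Inbound ports the business has documented as necessary (assumed for the example).
APPROVED_INBOUND_PORTS = {443}
RDP_PORT = 3389
REVIEW_INTERVAL = timedelta(days=365)

# Constructed sample rule set; not exported from any real firewall.
SAMPLE_RULES = [
    {"name": "allow-https", "action": "allow", "direction": "inbound",
     "src": "0.0.0.0/0", "port": 443, "last_reviewed": "2025-09-01"},
    {"name": "allow-rdp-any", "action": "allow", "direction": "inbound",
     "src": "0.0.0.0/0", "port": 3389, "last_reviewed": "2021-03-15"},
    {"name": "allow-rdp-office", "action": "allow", "direction": "inbound",
     "src": "203.0.113.0/24", "port": 3389, "last_reviewed": "2025-11-20"},
    {"name": "allow-any-any", "action": "allow", "direction": "inbound",
     "src": "0.0.0.0/0", "port": "any", "last_reviewed": "2020-01-10"},
    {"name": "deny-default", "action": "deny", "direction": "inbound",
     "src": "0.0.0.0/0", "port": "any", "last_reviewed": "2025-09-01"},
]


def is_any_source(src):
    """True when the source matches every address (a /0 network)."""
    return ipaddress.ip_network(src, strict=False).prefixlen == 0


def audit_rules(rules, today, approved_ports=APPROVED_INBOUND_PORTS):
    """Return (rule name, finding kind, detail) tuples for rules needing attention."""
    findings = []
    for rule in rules:
        name = rule["name"]
        reviewed = date.fromisoformat(rule["last_reviewed"])
        if today - reviewed > REVIEW_INTERVAL:
            findings.append((name, "stale", f"last reviewed {reviewed.isoformat()}"))
        # Only inbound allow rules open the perimeter; deny rules are not a risk here.
        if rule["action"] != "allow" or rule["direction"] != "inbound":
            continue
        port = rule["port"]
        any_src = is_any_source(rule["src"])
        if port == "any":
            kind = "any-any" if any_src else "all-ports"
            findings.append((name, kind, f"all ports open from {rule['src']}"))
        elif port == RDP_PORT and any_src:
            findings.append((name, "exposed-rdp", "RDP reachable from any source; use VPN instead"))
        elif port not in approved_ports:
            findings.append((name, "unapproved-port", f"port {port} not on the approved list"))
    return findings


def audit_sample(today_iso):
    """Run the audit over the constructed rules as of the given ISO date."""
    return audit_rules(SAMPLE_RULES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, kind, detail in audit_sample("2026-02-20"):
        print(f"{name:18} {kind:16} {detail}")
```

Note that `allow-rdp-office` is flagged even though it is restricted to one office range: RDP is not on the approved list, which matches the advice above to put remote access behind a VPN rather than open the port at all.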

HiltDigital: H-Protect Standard (£55/user/month) includes managed firewall monitoring as part of our security stack. H-Protect Complete (£89/user/month) adds quarterly vulnerability scanning that specifically checks for exposed ports and misconfigured perimeter defences.


2. Secure Configuration

What it means: Every device, application, and cloud service should be configured with security in mind, not left on default settings. This includes removing unnecessary software, disabling unused features, and applying baseline security policies.

What most businesses get wrong: Laptops ship with default settings and stay that way. Microsoft 365 tenants run without Conditional Access policies. Staff install whatever software they want. Nobody has documented what the “standard build” should look like.

What “good” looks like: A documented baseline configuration for all devices. Microsoft 365 security policies applied (Conditional Access, data loss prevention). Local admin rights removed from standard user accounts. Regular reviews to check nothing has drifted from the baseline.

HiltDigital: Our onboarding process includes a security baseline assessment across all endpoints and cloud services. H-Protect Standard includes Microsoft 365 security monitoring through SaaS Alerts, catching configuration drift before it becomes a vulnerability.


3. Software Updates and Patch Management

What it means: Every piece of software, from operating systems to browser plugins, needs to be kept up to date. Attackers exploit known vulnerabilities, and patches fix them.

What most businesses get wrong: Windows Update runs on laptops, but third-party applications (Adobe, Zoom, Chrome, Java) go months without updates. Nobody tracks which machines are behind. Critical patches sit uninstalled for weeks because there is no process for testing and deploying them.

What “good” looks like: Automated patching for operating systems and third-party software. A defined window for applying critical security patches (ideally within 14 days of release). Visibility into which devices are compliant and which are not.
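The visibility point is the part most businesses lack, so here is an added example (not from the page or HiltDigital) of the check a monthly compliance report would run: each critical or high patch gets a deadline 14 days after release, and a device is non-compliant while any such patch is still missing past its deadline. The inventory format, patch names and dates are constructed for the illustration.

```python
"""Check a patch inventory against a 14-day window for critical and high
patches, and report per-device compliance. The inventory format and the
constructed records are assumptions for this example."""
from datetime import date, timedelta

CRITICAL_WINDOW = timedelta(days=14)
URGENT_SEVERITIES = {"critical", "high"}

# Constructed sample inventory; not from any real endpoint-management tool.
SAMPLE_INVENTORY = [
    {"device": "LAPTOP-01", "patch": "OS-2026-02", "severity": "critical",
     "released": "2026-02-03", "installed": "2026-02-10"},
    {"device": "LAPTOP-01", "patch": "BROWSER-2026-01", "severity": "critical",
     "released": "2026-01-20", "installed": None},
    {"device": "LAPTOP-02", "patch": "OS-2026-02", "severity": "critical",
     "released": "2026-02-03", "installed": "2026-02-19"},
    {"device": "LAPTOP-02", "patch": "PDF-2026-01", "severity": "low",
     "released": "2026-01-05", "installed": None},
    {"device": "SERVER-01", "patch": "OS-2026-02", "severity": "critical",
     "released": "2026-02-03", "installed": "2026-02-05"},
]


def patch_status(record, today):
    """Classify one patch record: installed, late, overdue or pending."""
    released = date.fromisoformat(record["released"])
    deadline = released + CRITICAL_WINDOW if record["severity"] in URGENT_SEVERITIES else None
    if record["installed"]:
        installed = date.fromisoformat(record["installed"])
        # Installed, but outside the window: a process problem, not an open exposure.
        return "late" if deadline and installed > deadline else "installed"
    if deadline and today > deadline:
        return "overdue"  # still missing and past the window
    return "pending"


def compliance_report(inventory, today):
    """Per-device view: compliant unless an urgent patch is overdue."""
    report = {}
    for record in inventory:
        entry = report.setdefault(record["device"], {"compliant": True, "issues": []})
        status = patch_status(record, today)
        if status == "overdue":
            entry["compliant"] = False
            deadline = date.fromisoformat(record["released"]) + CRITICAL_WINDOW
            entry["issues"].append((record["patch"], status, (today - deadline).days))
        elif status == "late":
            entry["issues"].append((record["patch"], status, 0))
    return report


def compliance_rate(report):
    """Fraction of devices with no overdue urgent patches."""
    compliant = sum(1 for entry in report.values() if entry["compliant"])
    return compliant / len(report) if report else 1.0


def report_sample(today_iso):
    """Build the report over the constructed inventory as of the given ISO date."""
    return compliance_report(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = report_sample("2026-02-20")
    for device, entry in report.items():
        print(device, "compliant" if entry["compliant"] else "NON-COMPLIANT", entry["issues"])
    print(f"estate compliance: {compliance_rate(report):.0%}")
```

Late installs are kept in the report even though the device is now patched, because a pattern of late installs is the evidence that the deployment process, not a single machine, needs fixing.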

HiltDigital: H-Protect Standard includes automated endpoint patching for operating systems and common third-party applications. You get monthly security scorecards showing patch compliance across your entire estate.


Quick check: How does your business score on these 5 protections?

We can assess your business against all five Cyber Essentials protections in a 15-minute call. No cost, no obligation, no sales pitch. Just a clear picture of where you stand.

Call 0151 452 3060 or book a 15-minute assessment call.


4. Access Controls

What it means: The right people should have access to the right things, and nobody else. This covers multi-factor authentication (MFA), user permissions, and having a process for removing access when someone leaves.

What most businesses get wrong: This is the biggest gap we see. Only 40% of UK businesses use MFA on their email (DSIT, 2025). Staff share login credentials. Former employees still have active accounts weeks or months after leaving. Everyone has admin access because “it was easier to set up that way.”

What “good” looks like: MFA enabled on every account, starting with email and cloud services. User permissions based on role (principle of least privilege). A documented leavers process that revokes access on the same day someone departs. Regular access reviews, at least quarterly.
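The quarterly access review described above can be largely automated. The script below is an added example (not from the page or HiltDigital) and the account format, the admin-role list, the 90-day dormancy threshold and the sample accounts are all constructed. It flags active accounts with no MFA, admin rights on roles that do not need them, leavers whose accounts are still active, and accounts that have not logged in for 90 days.

```python
"""Quarterly access review over a constructed account list: flags accounts
without MFA, admin rights outside admin roles, leavers still active, and
dormant accounts. The account format is an assumption for this example."""
from datetime import date, timedelta

# Roles that legitimately carry admin rights (assumed for the example).
ADMIN_ROLES = {"it-admin"}
DORMANT_AFTER = timedelta(days=90)

# Constructed sample accounts; not from any real directory.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "finance", "mfa": True, "admin": False,
     "status": "active", "last_login": "2026-02-19", "left": None},
    {"user": "bob", "role": "sales", "mfa": False, "admin": True,
     "status": "active", "last_login": "2026-02-18", "left": None},
    {"user": "carol", "role": "it-admin", "mfa": True, "admin": True,
     "status": "active", "last_login": "2026-02-20", "left": None},
    {"user": "dave", "role": "sales", "mfa": True, "admin": False,
     "status": "active", "last_login": "2025-12-01", "left": "2026-01-09"},
    {"user": "erin", "role": "marketing", "mfa": True, "admin": False,
     "status": "active", "last_login": "2025-10-15", "left": None},
    {"user": "frank", "role": "sales", "mfa": False, "admin": False,
     "status": "disabled", "last_login": "2025-06-20", "left": "2025-06-30"},
]


def review_access(accounts, today):
    """Return (user, finding kind, detail) tuples for active accounts needing action."""
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # disabled accounts have already been dealt with
        user = acct["user"]
        if acct["left"]:
            # The leavers process should have revoked this on the day they left.
            days = (today - date.fromisoformat(acct["left"])).days
            findings.append((user, "leaver-active", f"left {days} days ago"))
        if not acct["mfa"]:
            findings.append((user, "no-mfa", "MFA not enabled"))
        if acct["admin"] and acct["role"] not in ADMIN_ROLES:
            # Least privilege: admin rights only where the role requires them.
            findings.append((user, "excess-admin", f"admin rights on role '{acct['role']}'"))
        idle = today - date.fromisoformat(acct["last_login"])
        if idle > DORMANT_AFTER:
            findings.append((user, "dormant", f"no login for {idle.days} days"))
    return findings


def review_sample(today_iso):
    """Run the review over the constructed accounts as of the given ISO date."""
    return review_access(SAMPLE_ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, kind, detail in review_sample("2026-02-20"):
        print(f"{user:8} {kind:14} {detail}")
```

The leaver check depends on the HR leaving date being fed into the review; without that input, a leaver's account looks like any other active account until it goes dormant, which is exactly how accounts stay open for months.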

HiltDigital: H-Protect Standard includes 24/7 credential breach monitoring. If a staff member’s email and password appear in a data breach, you are alerted within 24 hours. The enterprise password manager (included as standard) eliminates password sharing and reuse. H-Protect Complete adds regular penetration testing that specifically tests whether access controls hold up under real attack conditions.


5. Malware Protection

What it means: Software that detects, prevents, and responds to malicious software, including ransomware, spyware, and trojans. Traditional antivirus is no longer sufficient; modern threats require endpoint detection and response (EDR).

What most businesses get wrong: They still rely on basic antivirus that was adequate ten years ago. 85% of attacks start with phishing (DSIT, 2025), which means the malware often arrives through email, not a dodgy download. Without email-specific security alongside endpoint protection, you are only covering half the attack surface.

What “good” looks like: EDR on every endpoint (laptops, desktops, servers), not just antivirus. Email security that catches phishing and malicious attachments before they reach staff inboxes. Automated response that isolates compromised devices before malware can spread laterally.

HiltDigital: H-Protect Standard includes both EDR (endpoint detection and response) and AI-powered email security as standard. That combination covers the two most common attack paths: compromised endpoints and phishing emails. This is not an add-on; it is included in the £55/user/month price.


Cyber Essentials Is the Floor, Not the Ceiling

The five protections above are the baseline. They will stop the majority of opportunistic attacks, which is exactly what the “Lock the Door” campaign is designed to address.

But they do not cover everything.

Cyber Essentials does not include:

  • Backup and disaster recovery. If ransomware encrypts your data, you need tested, immutable backups to recover without paying. The average impactful breach costs £8,260 (DSIT, 2025). The average time to detect a breach is 241 days (IBM, 2025). That is nearly eight months of an attacker in your systems before anyone notices.
  • Security awareness training. Only 19% of UK businesses provide cyber security training to staff (DSIT, 2025). Your people are your first line of defence, and also your biggest vulnerability.
  • Incident response planning. What happens in the first hour after a breach matters more than anything else. Without a plan, businesses lose time, data, and money.
  • Penetration testing. Vulnerability scanning finds known weaknesses. Penetration testing proves whether those weaknesses can actually be exploited. It is the difference between knowing the lock is old and proving someone can pick it.

Businesses holding Cyber Essentials certification see 92% fewer insurance claims (DSIT Lock the Door, 2026). That is a powerful number. But certification is the starting point, not the finish line.


What to Do Next

You have three options, depending on where your business is today.

Option 1: Find out what is already exposed. We run a no-cost credential exposure check on your business domain. It takes less than five minutes to set up. You will see exactly which staff credentials have appeared in known data breaches. No obligation, no follow-up pressure. Just information you can act on.

Option 2: Get the full picture. A CREST accredited penetration test (from £2,495) goes beyond the five basics and tests your defences the way an attacker would. We deliver a prioritised report showing exactly what needs fixing and how.

Option 3: Lock the door properly. H-Protect Standard (£55/user/month) covers all five Cyber Essentials protections, plus backup, email security, credential monitoring, and a password manager. H-Protect Complete (£89/user/month) adds ongoing vulnerability management and regular penetration testing for businesses that need to stay ahead of the curve.

The government just told every business to lock the door. Let us show you whether yours is open.

Run a no-cost credential exposure check, book a 15-minute assessment call, or call 0151 452 3060.

Start your credential exposure check | Call 0151 452 3060