A new paper in Behaviour & Information Technology sets out what the UK’s smallest businesses actually need from cybersecurity support. The short answer: not more advice.

We have a stake in this one. Layer 7’s Joe Cockcroft is one of the four authors, alongside Martin Wilson, Sharon McDonald and Alastair Irons of Abertay University’s Division of Cybersecurity. The study is open access, so you can read it in full.

The study in brief

The researchers took a user-centred design approach, the discipline behind well-made software and services, and pointed it at cybersecurity support. They interviewed 30 micro and small businesses across three groups: firms that depend on IT to operate, firms that sell products or services built on IT, and the consultants who support them. From those interviews they distilled 36 specific user needs, written in the plain Government Digital Service format (as a [user], I need [something] so that [reason]), and grouped them under four headings: Guidance, Posture, Resources, and Return on Investment.

The finding that matters

Guidance dominated; every business in the study had needs in that category. But the gap wasn’t a shortage of information: micro-businesses are surrounded by cybersecurity advice. The gap was usable information: advice they can find, trust, understand without jargon, and act on without hiring a specialist to translate it.

The single most widely shared need across the whole sample was being able to trust the source of the advice. Close behind came knowing what to prioritise out of everything a business could do, and being able to find the right help in the first place.

Two of the findings are worth dwelling on, because they cut against how parts of the industry tend to sell:

  • Businesses wanted guidance that doesn’t trade on fear. Scare tactics tend to make smaller firms switch off rather than act.
  • They wanted help without the hard sell: support they could trust was in their interest, not pitched to hit someone’s target.

The authors describe guidance as a kind of gateway: until a business has clear direction on what to do first, awareness of risk on its own rarely turns into action. They also show the needs aren’t uniform: a software company’s worries (reputation, client trust) differ from those of an IT-dependent shop, which is why generic, one-size-fits-all guidance tends to fit no one.

Why this matches how we work

None of this surprised us, and that is rather the point: it’s a research-grounded version of principles we apply every day.

  • Cyber Essentials does what the study asks for. It gives a smaller organisation a clear, achievable, prioritised baseline instead of an open-ended list. Helping firms reach and hold that baseline is core to what we do.
  • Plain over jargon, evidence over fear, no hard sell. The study’s call for trustworthy, jargon-free, non-frightening guidance is, more or less, our house style.
  • Support that lasts. One of the needs the researchers identify is for ongoing help rather than a one-off report: someone a business can turn to. We take the same view: find the gaps, prove they’re closed, and keep them closed, with the same people throughout.

The takeaway

The paper reframes micro-business cybersecurity not as a technology problem, nor as a matter of owners “not caring”, but as a translation problem: making good security legible and actionable for people who lack the time, budget or in-house expertise to work it out alone. That’s a fair standard to hold any security provider to, and a useful one to see set out in the evidence.


Read the open-access paper: Wilson, M., McDonald, S., Irons, A. & Cockcroft, J. (2026), “What micro-businesses need: a user-centered approach to cybersecurity support”, Behaviour & Information Technology, doi.org/10.1080/0144929X.2026.2686166.

If you’re a smaller organisation trying to work out what to prioritise, that’s a conversation we’re glad to have.