Updated 27 May 2026
The UK SMB Security Benchmark
Aggregated insights from 529 anonymous Mode 1 scans across 16 UK sectors. All figures are cohort-derived; no individual sites are identified.
Headline findings
- 100% of UK general sites scanned have "Does not meet bulk-sender email requirements"
- 96% of UK legal sites scanned have "UK GDPR: 4 UK GDPR gaps detected — Article 32 requires 'appropriate technical measures'"
- 96% of UK manufacturing sites scanned have "Email authentication grade: F (0/100)"
- 91% of UK general sites scanned have "Content Security Policy missing"
- 85% of UK general sites scanned have "Missing HSTS header"
- 60% of UK charity-non-profit sites scanned have "Hidden iframe injection (1x1 or display:none)"
- 48% of UK general sites scanned have "Homepage unreachable"
- 48% of UK media-publishing sites scanned have "EU NIS2: Sector suggests NIS2 may apply — 3 baseline cybersecurity gaps"
Sector cohorts
Median score, cohort size (n), interquartile range (p25 · p75), and top three issues per UK sector, with the percentage of cohort sites affected by each issue.
General / uncategorised (n=137): median score 61/100, p25 54 · p75 67
- [critical] Homepage unreachable: 48%
- [critical] No modern TLS protocol supported: 24%
- [critical] No TLS certificate: 23%
E-commerce (n=72): median score 70/100, p25 64 · p75 74
- [critical] Homepage unreachable: 6%
- [critical] No TLS certificate: 3%
- [critical] next@unknown — CVE-2025-29927 (CVSS 9.1): 3%
Healthcare (n=58): median score 74/100, p25 70 · p75 77
- [critical] next@unknown — CVE-2025-29927 (CVSS 9.1): 9%
- [critical] Homepage unreachable: 5%
- [critical] CVE-2024-45440 (87.5% exploitation probability): 3%
Financial services (n=57): median score 75/100, p25 70 · p75 79
- [critical] next@unknown — CVE-2025-29927 (CVSS 9.1): 2%
- [critical] No modern TLS protocol supported: 2%
- [critical] CVE-2024-45440 (87.5% exploitation probability): 2%
Legal (n=51): median score 73/100, p25 68 · p75 77
- [critical] next@unknown — CVE-2025-29927 (CVSS 9.1): 8%
- [critical] Public bucket listing: azure-blob — feaasstatic/assets: 6%
- [critical] No modern TLS protocol supported: 4%
SaaS / Technology (n=40): median score 77/100, p25 72 · p75 78
- [critical] next@unknown — CVE-2025-29927 (CVSS 9.1): 5%
- [critical] CVE-2024-45440 (87.5% exploitation probability): 3%
- [critical] Possible Generic API Key in rendered page: 3%
Media & Publishing (n=40): median score 71/100, p25 67 · p75 75
- [critical] Homepage unreachable: 5%
- [critical] Possible Generic API Key in rendered page: 5%
- [critical] next@unknown — CVE-2025-29927 (CVSS 9.1): 3%
Manufacturing (n=28): median score 71/100, p25 65 · p75 77
- [critical] No modern TLS protocol supported: 7%
- [critical] Homepage unreachable: 4%
- [critical] No TLS certificate: 4%
charity-non-profit (n=15): median score 74/100, p25 70 · p75 76
- [critical] No modern TLS protocol supported: 7%
- [critical] No TLS certificate: 7%
- [critical] Homepage unreachable: 7%
public-sector (n=10): median score 68/100, p25 64 · p75 70
- [critical] OpenAI API key exposed in page source: 30%
- [high] Does not meet bulk-sender email requirements: 100%
- [high] Missing HSTS header: 50%
retail (n=7): median score 59/100, p25 59 · p75 63
- [critical] Homepage unreachable: 57%
- [high] Content Security Policy missing: 100%
- [high] Missing HSTS header: 100%
education (n=6): median score 75/100, p25 70 · p75 75
- [critical] lodash@unknown — CVE-2019-10744 (CVSS 9.1): 17%
- [high] Does not meet bulk-sender email requirements: 100%
- [high] No DKIM records found: 67%
technology (n=3): median score 64/100, p25 54 · p75 64
- [critical] No modern TLS protocol supported: 67%
- [critical] Homepage unreachable: 33%
- [high] Does not meet bulk-sender email requirements: 100%
media (n=2): median score 59/100, p25 59 · p75 59
- [critical] Homepage unreachable: 100%
- [high] Content Security Policy missing: 100%
- [high] Missing HSTS header: 100%
hospitality (n=2): median score 67/100, p25 67 · p75 67
- [high] Does not meet bulk-sender email requirements: 100%
- [high] Missing HSTS header: 100%
- [high] Content Security Policy missing: 50%
real-estate (n=1): median score 75/100, p25 75 · p75 75
- [high] UK GDPR: 4 UK GDPR gaps detected — Article 32 requires 'appropriate technical measures': 100%
- [high] Content Security Policy missing: 100%
- [high] Does not meet bulk-sender email requirements: 100%
Deep-dive: technology
Top 10 most-prevalent issues in this cohort. Each issue lists the percentage of cohort sites affected, the affected/total count, and the finding code.
Score distribution
- 0-39 (poor): 0 sites (0%)
- 40-59 (weak): 1 site (33%)
- 60-79 (fair): 2 sites (67%)
- 80-100 (strong): 0 sites (0%)
Top issues (10 shown; cohort n=3)
- [critical] No modern TLS protocol supported: 67% (2/3), code tls-protocol-no-modern
- [critical] Homepage unreachable: 33% (1/3), code homepage-unreachable
- [high] Does not meet bulk-sender email requirements: 100% (3/3), code email-auth-bulk-sender-noncompliant
- [high] Missing HSTS header: 67% (2/3), code http-missing-hsts
- [high] Content Security Policy missing: 67% (2/3), code csp-missing
- [high] Homepage returned HTTP 429: 33% (1/3), code homepage-error-status
- [high] CSP allows 'unsafe-inline' in script-src: 33% (1/3), code csp-unsafe-inline-script
- [high] Check Point Gaia firewall admin exposed on public internet: 33% (1/3), code enterprise-edge-device-exposed
- [medium] IP 76.76.21.21 listed on 1 blocklist(s): 100% (3/3), code blocklist-ip-listed
- [medium] No HTTP/2 or HTTP/3 advertised — likely HTTP/1.1 only: 100% (3/3), code transport-h1-only-no-altsvc
Methodology
- Scope: SiteIntel Mode 1 (Public Passive) — 46 checks across DNS, TLS, headers, supply-chain, breach exposure, threat intel.
- Corpus: Public UK sites from FCA register, IMRG Top 500, ABPI member list, The Lawyer 200, Make UK members, Press Gazette top 50. Anonymised at ingest (domain hashed, no identifying metadata persisted).
- Score: Composite 0-100; weighted across security, performance, SEO, accessibility, tech-debt.
- Composite signals: Pairs of finding codes with ≥5% co-occurrence and ≥1.5× score-drop lift versus sector baseline.
- Cohort floor: Sectors with <5 scans are excluded from percentile reporting (too thin to be stable).
- Refresh: Cached 1 hour. PDF report regenerated on demand.