Updated 10 June 2026
The UK SMB Security Benchmark
Aggregated insights from 541 anonymous Mode 1 scans across 16 UK sectors. All figures are cohort-derived; no individual sites are identified.
Headline findings
- 100% of UK general sites scanned have "Does not meet bulk-sender email requirements"
- 100% of UK saas-tech sites scanned have "UK GDPR: 4 UK GDPR gaps detected — Article 32 requires "appropriate technical measures""
- 91% of UK general sites scanned have "Content Security Policy missing"
- 85% of UK general sites scanned have "Missing HSTS header"
- 56% of UK charity-non-profit sites scanned have "Hidden iframe injection (1x1 or display:none)"
- 49% of UK general sites scanned have "Homepage unreachable"
- 41% of UK manufacturing sites scanned have "EU NIS2: Sector suggests NIS2 may apply — 3 baseline cybersecurity gaps"
- 40% of UK public-sector sites scanned have "Homepage returned HTTP 403"
Sector cohorts
Median score, cohort size, and top three issues per UK sector.
General / uncategorised (n=138)
Median score 61/100 (p25 54 · p75 67)
- critical: Homepage unreachable (49%)
- critical: No modern TLS protocol supported (25%)
- critical: No TLS certificate (24%)

E-commerce (n=72)
Median score 70/100 (p25 64 · p75 74)
- critical: Homepage unreachable (6%)
- critical: No TLS certificate (3%)
- critical: next@unknown — CVE-2025-29927 (CVSS 9.1) (3%)

Healthcare (n=58)
Median score 74/100 (p25 70 · p75 77)
- critical: next@unknown — CVE-2025-29927 (CVSS 9.1) (9%)
- critical: Homepage unreachable (5%)
- critical: CVE-2024-45440: 87.5% exploitation probability (3%)

Financial services (n=57)
Median score 75/100 (p25 70 · p75 79)
- critical: next@unknown — CVE-2025-29927 (CVSS 9.1) (2%)
- critical: No modern TLS protocol supported (2%)
- critical: CVE-2024-45440: 87.5% exploitation probability (2%)

Legal (n=51)
Median score 73/100 (p25 68 · p75 77)
- critical: next@unknown — CVE-2025-29927 (CVSS 9.1) (8%)
- critical: Public bucket listing: azure-blob — feaasstatic/packages (6%)
- critical: No TLS certificate (4%)

Media & Publishing (n=48)
Median score 72/100 (p25 68 · p75 75)
- critical: Possible Generic API Key in rendered page (19%)
- critical: Homepage unreachable (4%)
- critical: next@unknown — CVE-2025-29927 (CVSS 9.1) (4%)

SaaS / Technology (n=41)
Median score 77/100 (p25 73 · p75 78)
- critical: OpenAI API key exposed in page source (7%)
- critical: next@unknown — CVE-2025-29927 (CVSS 9.1) (5%)
- critical: Possible Generic API Key in rendered page (2%)

Manufacturing (n=29)
Median score 74/100 (p25 66 · p75 77)
- critical: No modern TLS protocol supported (7%)
- critical: .git/config exposed (full source code recoverable) (3%)
- critical: Homepage unreachable (3%)

charity-non-profit (n=16)
Median score 74/100 (p25 68 · p75 76)
- critical: No TLS certificate (6%)
- critical: Homepage unreachable (6%)
- critical: CVE-2024-45440: 87.5% exploitation probability (6%)

public-sector (n=10)
Median score 68/100 (p25 64 · p75 70)
- critical: OpenAI API key exposed in page source (30%)
- high: Missing HSTS header (50%)
- high: Content Security Policy missing (50%)

retail (n=7)
Median score 59/100 (p25 59 · p75 63)
- critical: Homepage unreachable (57%)
- high: Email authentication grade: F (24/100) (100%)
- high: Content Security Policy missing (100%)

education (n=6)
Median score 75/100 (p25 70 · p75 75)
- critical: lodash@unknown — CVE-2019-10744 (CVSS 9.1) (17%)
- high: Does not meet bulk-sender email requirements (100%)
- high: No DKIM records found (67%)

technology (n=3)
Median score 64/100 (p25 54 · p75 64)
- critical: No modern TLS protocol supported (67%)
- critical: Homepage unreachable (33%)
- high: Does not meet bulk-sender email requirements (100%)

media (n=2)
Median score 59/100 (p25 59 · p75 59)
- critical: Homepage unreachable (100%)
- high: Missing HSTS header (100%)
- high: Content Security Policy missing (100%)

hospitality (n=2)
Median score 67/100 (p25 67 · p75 67)
- high: Missing HSTS header (100%)
- high: Does not meet bulk-sender email requirements (100%)
- high: Content Security Policy missing (50%)

real-estate (n=1)
Median score 75/100 (p25 75 · p75 75)
- high: UK GDPR: 4 UK GDPR gaps detected — Article 32 requires "appropriate technical measures" (100%)
- high: Content Security Policy missing (100%)
- high: Does not meet bulk-sender email requirements (100%)
Methodology
- Scope: SiteIntel Mode 1 (Public Passive) — 46 checks across DNS, TLS, headers, supply-chain, breach exposure, threat intel.
- Corpus: Public UK sites from FCA register, IMRG Top 500, ABPI member list, The Lawyer 200, Make UK members, Press Gazette top 50. Anonymised at ingest (domain hashed, no identifying metadata persisted).
- Score: Composite 0-100; weighted across security, performance, SEO, accessibility, tech-debt.
- Composite signals: Pairs of finding codes with ≥5% co-occurrence and ≥1.5× score-drop lift versus sector baseline.
- Cohort floor: Sectors with <5 scans are excluded from percentile reporting (too thin to be stable).
- Refresh: Cached 1 hour. PDF report regenerated on demand.