In February 2026, the Government launched the Lock the Door campaign, urging businesses to adopt the Cyber Essentials scheme to protect against common cyber threats. The campaign, developed by the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT), is timely, practical, and important. It addresses one half of a complete data protection strategy: defence. The other half is resilience.
At Firevault, we design and operate physically disconnected storage infrastructure. We work with organisations that have already invested in strong cyber defences and recognise that their most sensitive data requires a fundamentally different protection model: one that removes the network connection entirely. This article explains why both defence and resilience matter, and how they complement each other.
Defence: What the Lock the Digital Door Campaign Covers
The Lock the Digital Door campaign promotes Cyber Essentials, a government-backed certification scheme built around five key controls:
- Firewalls: Protecting the network perimeter from unauthorised access
- Secure configuration: Removing unnecessary services and default settings that create vulnerabilities
- Software updates: Ensuring known vulnerabilities are patched promptly
- User access control: Restricting who can access systems and data, and at what privilege level
- Malware protection: Defending endpoints against malicious software
These five controls represent the baseline. They are the minimum that every organisation should have in place. The Government is right to promote them aggressively.
The Statistics That Demand Attention
The campaign is backed by figures from the Cyber Security Breaches Survey 2025 and the Cyber Security Longitudinal Survey that make the case for action unavoidable:
- £14.7 billion: the annual cost of cyber threats to businesses — *DSIT, 2026*
- 50 per cent: of small firms experienced a cyber breach or attack in the last 12 months — *Cyber Security Breaches Survey 2025*
- 82 per cent: of medium and large businesses suffered a cyber incident in the past year
- 92 per cent: fewer insurance claims were made by organisations with Cyber Essentials in place — *NCSC*
- £195,000: the average cost of a significant cyber incident
Cyber Security Minister Baroness Lloyd stated: "No business is out of reach from cyber criminals. SMEs play a vital role in our economy, and business owners work incredibly hard to build something valuable, but too many still assume cyber criminals only go after big brands." — *GOV.UK Press Release, February 2026*
The data is clear. The threat is not theoretical. It is operational, financial, and existential for many smaller firms.
Defence Assumes Connection. Resilience Does Not.
Every one of the five Cyber Essentials controls operates on a shared assumption: that the systems being protected remain connected to a network. Firewalls protect a network perimeter. Software updates require an online update path. Access controls manage credentials on connected systems. Malware protection monitors connected endpoints.
This is not a flaw in the scheme. It is a scope decision. Cyber Essentials is designed to defend connected infrastructure from the most common attacks. It does this well, and the 92 per cent reduction in insurance claims is evidence of its effectiveness.
But defence and resilience are different disciplines. Defence keeps attackers out. Resilience keeps your business running when attackers get in. Ransomware does not need to bypass a firewall if it enters through a phishing email to an authorised user. Credential theft does not need to overcome access controls if the credentials unlock a system that is always online. Supply chain attacks do not need to penetrate a well-configured system if they can compromise a trusted vendor with network access.
The NCSC Annual Review 2024 reported a threefold increase in the most severe cyber incidents compared to the previous year. The common thread is that connected systems are, by definition, reachable. And reachable systems can be reached by attackers. Defence reduces the likelihood. Resilience addresses the consequence.
"Cyber Essentials is the right answer to the right question: how do we defend connected systems? But for the data that an organisation cannot afford to lose, there is a more fundamental question: does this data need to be connected at all? That is not a defence question. It is a resilience question." — Mark Fermor, Founder, Firevault
Resilience Through Physical Disconnection
Consider the scenario. A small professional services firm achieves Cyber Essentials certification. Firewalls are configured correctly. Software is patched. Access controls are in place. Anti-malware is running on every endpoint. Their defence is strong.
Then a ransomware attack enters through a compromised supplier update. The malware moves laterally across the network. Every connected system is encrypted. The firm's client records, financial data, and intellectual property are locked. The ransom demand arrives.
The five Cyber Essentials controls did their job. They defended against the most common attacks. But this attack got through. Defence reduced the likelihood. Now the question is resilience: can the firm recover?
Now consider the same firm with one additional measure. Their most critical data, the client records, the contracts, the irreplaceable documents, is stored on a [Firevault system](/vault). Physically disconnected from the network. No IP address. No network path. No connection to the compromised infrastructure.
The ransomware encrypted everything it could reach. It could not reach the vault. The firm loses operational continuity, which is painful. But it does not lose the data that defines its business and its obligations to clients. Defence kept most threats out. Resilience kept the crown jewels safe.
Crown Jewels Strategy
The Government's campaign is right to focus on baseline defence for all businesses. Cyber Essentials should be universal. But within every organisation, there exists a category of data where defence alone is not sufficient.
Board materials. Client privilege files. Financial records. Succession plans. Intellectual property. Personal documents of directors and high-net-worth individuals. Regulatory evidence. Contracts that, if exposed, could result in litigation, reputational damage, or competitive disadvantage.
This is the crown jewels category. It is the data where the consequences of compromise are not measured in downtime or recovery costs, but in existential outcomes. Business closure. Personal liability. Loss of professional standing.
For this category, the correct strategy is not stronger defence alone. It is adding [resilience through physical disconnection](/offline-secure-storage/what-is-oss). Turning the power off ensures that no matter what happens to the connected infrastructure, the most critical data remains beyond the reach of any network-based threat.
Defence and Resilience: Complementary Disciplines
Firevault does not compete with Cyber Essentials. The two address different dimensions of the same challenge. Cyber Essentials is defence: it protects operations. [Offline Secure Storage](/offline-secure-storage/what-is-oss) is resilience: it protects crown jewels.
The Lock the Digital Door campaign is an important step. Every business should lock its digital doors. But for the data that matters most, locking the door is not enough. Turning the power off ensures that even when attackers get through the door, your most critical data is already beyond their reach.
Sources and Further Reading
- [How Offline Secure Storage Works — Firevault](/offline-secure-storage/what-is-oss)
Key Takeaways
- The Lock the Digital Door campaign is necessary and well-designed, promoting baseline cyber defence that every business should adopt
- Cyber Essentials is defence: five proven controls that protect connected systems from common attacks
- Defence and resilience are different disciplines: defence keeps attackers out; resilience keeps you running when they get in
- Physical disconnection is resilience: removing critical data from the network entirely ensures it survives any breach
- Learn more about [how offline secure storage works](/offline-secure-storage/what-is-oss) or [explore the Vault](/vault)



