The Hidden Cost of Unmanaged IT: What Most SME Boards Don’t See

Most SME boards have a reasonable grip on their obvious costs. Payroll, premises, and professional fees: these appear on the P&L, they get challenged at quarterly reviews, and someone is usually accountable for them.

Duplicate licenses. Auto-renewed contracts. Suppliers billing for services that were scoped three years ago. The waste in most SME IT stacks is significant – and almost entirely invisible without oversight.

IT rarely receives the same scrutiny. Not because boards don’t care, but because the real cost of unmanaged or poorly managed technology is largely invisible. It doesn’t arrive as a single invoice. It doesn’t appear as a line item. It accumulates quietly – in lost hours, degraded productivity, regulatory exposure, security incidents, and missed commercial opportunity – until the bill becomes impossible to ignore.

By the time most boards notice the problem, they’re already paying for it.


The Visibility Gap

There is a fundamental mismatch in how technology costs are perceived versus how they actually accrue. When boards think about IT spend, they typically think about hardware, software subscriptions, and perhaps an IT support contract. These are the visible costs – the ones that get approved, budgeted, and tracked.

What doesn’t get tracked – because it’s structurally difficult to measure – is the cost of IT that doesn’t work as it should. Slow systems that add minutes to every task. Recurring technical issues that pull staff into workarounds. Unplanned outages that bring operations to a halt. Software that nobody uses, but that the business keeps paying for. Applications that employees have installed themselves to fill gaps in official tooling, creating security and compliance exposure that the board has no visibility over.

These aren’t edge cases. They are the daily reality for a significant proportion of UK SMEs, and they carry a financial cost that dwarfs what most organisations spend on managing IT properly.


Downtime: The Cost Nobody Calculates

Unplanned IT downtime is one of the most significant and most consistently underestimated costs in the SME world.

Research published in 2026 found that the average small business loses £7,500 per year to unplanned IT downtime, with individual incidents capable of costing up to £212,000 in a single event. More than nine in ten UK businesses take 24 hours or longer to recover from a significant outage – a statistic that should alarm any board that assumes their business would bounce back quickly from a serious IT failure.

The direct financial impact is only part of the picture. When systems fail, employees don’t simply stop and wait. They improvise: using personal devices, sending files through consumer email accounts, reverting to manual processes. Each of these workarounds creates its own downstream risk – security vulnerabilities, data handling issues, and the loss of audit trails that compliance requires. And even after systems come back online, the disruption continues: research consistently shows it takes an average of 20 to 30 minutes for employees to regain full focus and productivity after an interruption.

Multiply that across a team of 20 people and a handful of incidents per year, and the invisible productivity cost becomes very visible indeed.

The UK lost an estimated £3.7 billion to internet failures alone in 2023, according to research by Beaming. The same analysis noted that 15% of UK businesses now begin losing money the moment their connectivity fails – up from 11% five years earlier. Technology dependency is increasing. Tolerance for downtime is not keeping pace.

What makes this particularly significant for boards is the root cause profile. Security issues account for 84% of impactful downtime events, according to ITIC’s 2024 Hourly Cost of Downtime Report. Human error and inadequate or outdated infrastructure account for most of the remainder. These are not acts of God – they are predictable, manageable risks that proactive IT management addresses as a matter of course.


Shadow IT: The Compliance Risk Hiding in Plain Sight

There is a category of IT risk that most SME boards are entirely unaware of, and it is growing rapidly.

Shadow IT refers to any software, cloud application, hardware, or technology that employees use for work without the knowledge or authorisation of the IT function. It is not a niche problem. Research published in early 2026 found that the average UK organisation now runs approximately 898 SaaS applications, with IT unaware of roughly half of them. Four in five employees admit to using unauthorised IT applications for work purposes at some point.

The motivation is generally benign. Employees are trying to do their jobs more efficiently. They find a tool that works – a file-sharing service, a messaging app, a project management platform – and they start using it. Nobody asks permission because the process of asking seems slow, and the tool seems harmless.

The business reality is considerably less benign.

Every unsanctioned application that processes company or customer data represents a potential breach of UK GDPR. The regulation requires organisations to maintain records of processing activities, conduct data protection impact assessments where necessary, and ensure that any third-party handling personal data meets specific contractual and security standards. An application the IT team doesn’t know about cannot be assessed. It cannot be included in data processing records. Its vendor cannot be evaluated for security or data residency compliance. If that application suffers a breach, the organisation is still liable – and the ICO has made increasingly clear that it will not accept ignorance as a defence.

The financial exposure is not theoretical. ICO fines under UK GDPR can reach £17.5 million or 4% of annual global turnover, whichever is higher. For an SME with £5 million in annual revenue, a serious data protection failure attributable to an unmanaged application could result in a fine exceeding £200,000 – before legal costs, remediation, and reputational damage are factored in.

Beyond compliance, shadow IT creates a direct financial waste problem. Employees independently adopting tools means the business pays for duplicate licences, redundant subscriptions, and platforms that overlap with tools already in the approved stack. Without central oversight, there is no mechanism to consolidate, renegotiate, or identify what is genuinely unused. The business ends up with an invisible software estate it is paying for but cannot manage.


The Cyber Risk That Boards Underestimate

Cybersecurity is a topic that most SME boards are now aware of in the abstract. Fewer boards have a clear picture of the specific, concrete risk that unmanaged IT creates.

In 2024, UK businesses experienced over 7.78 million cyberattacks – approximately 720,000 attempts per business. Phishing remained the most prevalent form, affecting 84% of businesses that reported breaches. Ransomware incidents increased by 70% compared to the previous year. The average cost of a cyberattack to a UK SME in 2024 was £10,830, with remediation costs – restoring systems, replacing hardware, upgrading security after the fact – pushing the total for small business incidents to an estimated £25,700.

Those numbers are painful enough. The more significant issue is that 81% of all UK cyberattacks and data breaches target SMEs, and the vast majority succeed by exploiting exactly the vulnerabilities that unmanaged IT creates: unpatched software, uncontrolled user access, devices without adequate security configuration, and applications outside the IT perimeter.

When IT is unmanaged, critical patches don’t get applied within safe timeframes. User privileges accumulate because nobody is reviewing them. Devices get added to the network without proper configuration. Former employees’ accounts stay active after they leave. Each of these represents an open door – not a theoretical risk, but a known attack vector that the NCSC’s guidance documents in detail.

The irony, which should frustrate any board, is that the attacks succeeding against UK SMEs are not sophisticated. They are opportunistic. They target the gaps that a properly managed IT environment closes as a matter of routine.


Staff Time: The Productivity Drain That Never Appears on the P&L

There is another category of cost that boards consistently fail to see because it has no natural home in financial reporting: the time your staff spend managing technology problems that shouldn’t exist.

Consider the volume of activity that flows from poorly managed IT in a typical week. The team member who spends an hour trying to fix a printer before giving up and going to a colleague. The manager who can’t access a system because their password has expired again and the reset process takes forty minutes to resolve. The finance team working around a system that keeps crashing by maintaining parallel spreadsheets. The account manager who can’t access the CRM from the client site because VPN access was never properly configured.

None of this appears on the P&L. But it is real cost – in wages, in opportunity, and in the compounding effect on staff morale when the tools people need to do their jobs simply don’t work.

UK SMEs collectively lose close to 19 hours of productivity per business per year to IT downtime alone, according to industry research. That figure captures only the measurable downtime events. The ambient drag of slow systems, inadequate tooling, and unresolved technical friction is harder to quantify but just as real.

There is also a talent dimension that boards are increasingly feeling. Skilled people – in finance, operations, marketing, client services – take jobs at organisations where the technology works. Poor IT infrastructure is a friction point in hiring and retention that rarely surfaces as a named reason for attrition, but that experienced candidates notice within days of joining.


The Support Model Problem: Reactive vs. Managed

Underlying many of these issues is a structural one: the break-fix model of IT support, which remains common among UK SMEs, is categorically the wrong approach for a business that depends on technology to operate.

The break-fix model – calling for support when something goes wrong – has an intuitive appeal for boards focused on cost control. You only pay when you need it. There is no ongoing commitment. It feels lean.

The financial reality is the reverse. Reactive IT support is almost always more expensive than proactive management. Emergency call-out rates are higher than contracted support rates. The downtime that occurs while waiting for reactive support costs more than prevention would have. Problems that a monitoring system would have caught in the early stages become expensive incidents when they go undetected until failure. And critically, reactive support addresses symptoms – it does not address the underlying infrastructure risks that generate repeat incidents.

A properly managed IT environment involves continuous monitoring, proactive patching, regular review of user access rights, tested backup and recovery processes, and alignment with security frameworks such as Cyber Essentials. These are not luxury services – they are the baseline that determines whether an SME’s technology estate is a business asset or a liability waiting to crystallise.


What the Board Should Be Asking

The question is not whether unmanaged IT has a cost. It does, and the evidence is consistent and substantial. The question is whether the board has the visibility to see it.

Most don’t, because the reporting structures don’t exist. Technology risk doesn’t appear in management accounts. Nobody tracks the hours lost to IT friction. Shadow IT isn’t visible because, by definition, nobody is looking for it. Downtime events are reported as isolated incidents rather than as a pattern that reveals a structural problem.

A board that takes this seriously should be asking five questions:

1. When did we last conduct a full IT audit? Not a review of what the business pays for, but a comprehensive assessment of every device, application, and cloud service in use – including those IT doesn’t know about.

2. What is our actual downtime cost? Calculate it honestly: lost revenue per hour of systems failure, multiplied by the number of incidents in the last 12 months, plus the staff time consumed by workarounds and recovery.

3. Can we demonstrate UK GDPR compliance across our entire software estate? If the honest answer is no – because half the applications in use are unknown to IT – that is a board-level governance issue, not an IT department issue.

4. How long would it take to recover from a serious cyber incident? If the answer is uncertain, the backup and recovery strategy has not been tested, and that needs to change before the question becomes urgent.

5. Are we managing IT proactively or reactively? If the answer is reactively, the business is paying more than it should and accepting more risk than it needs to.


The Case for Managed IT

The financial case for properly managed IT is not complicated. It requires a business to accept that the cost of managing technology proactively is almost always lower than the combined cost of the downtime, security incidents, compliance exposure, and productivity loss that unmanaged IT generates.

For UK SMEs, the additional context matters. The regulatory environment is tightening – the Cyber Security and Resilience Bill, Procurement Policy Note 014, and evolving ICO enforcement all increase the consequences of governance failures that unmanaged IT makes more likely. The threat landscape is worsening – ransomware incidents have increased by 70%, and SMEs remain the primary target. And the competitive environment is one in which clients, partners, and procurement teams increasingly expect evidence of basic security hygiene as a condition of doing business.

Boards that treat IT as a background operational function – something to worry about when it breaks – are carrying a risk they haven’t priced. The businesses managing it well have moved it from a cost centre to be minimised into an infrastructure question to be governed: clearly, continuously, and at the right level of the organisation.

The hidden costs of unmanaged IT aren’t hidden because they’re small. They’re hidden because nobody is looking for them.


For a no-obligation IT audit, or to discuss a managed IT strategy for your business, please reach out to us; we are here to assist.


Cyber Essentials Is No Longer Optional for UK SMEs – Here’s What You Need to Know

There was a time when Cyber Essentials felt like something for bigger organisations, a nice-to-have badge that enterprise procurement teams cared about, but not a pressing concern for a 15-person accountancy firm in Kent or a specialist manufacturer in the East Midlands. That time has passed.

A combination of tightening government procurement rules, a surge in cyber attacks targeting smaller businesses, and a growing expectation from larger private-sector buyers has transformed Cyber Essentials from a voluntary best-practice framework into something that looks, for many SMEs, a great deal like a business requirement.

If you haven’t engaged with it yet, this is the article that explains why now is the moment to act.


What Is Cyber Essentials?

Cyber Essentials is a UK Government-backed certification scheme, overseen by the National Cyber Security Centre (NCSC), designed to protect organisations against the most common cyber threats. It isn’t a comprehensive security overhaul – it’s a baseline. The scheme specifies five concrete controls that every organisation should have in place:

  1. Firewalls and internet gateways – securing the boundary between your network and the wider internet
  2. Secure configuration – hardening your devices and disabling services you don’t need
  3. User access control – ensuring the right people have access to the right systems, and no more
  4. Malware protection – defending against malicious software with up-to-date endpoint security
  5. Security update management – patching known vulnerabilities within 14 days of a critical update being released

There are two certification tiers. The standard Cyber Essentials assessment involves completing a detailed self-assessment questionnaire that is independently verified by an accredited certification body. Cyber Essentials Plus goes further, requiring a hands-on technical audit in which an assessor actively tests your systems with vulnerability scans and verification checks. Both require third-party sign-off – the difference is the depth of scrutiny applied to your actual technical environment.


The Regulatory Shift: What Changed and When

The key turning point came through the UK Government’s procurement policy machinery. Central government has required Cyber Essentials certification for contracts involving the handling of personal data or the delivery of certain IT products and services since 2014 – but that obligation was relatively narrow in scope and not consistently enforced across the supply chain.

That picture has changed materially.

Procurement Policy Note 014 (PPN 014), which reflects the new terminology and obligations introduced by the Procurement Act 2023 and the Procurement Regulations 2024, took effect for procurements commenced on or after 24 February 2025. Under this note, in-scope public sector organisations must ensure that effective and proportionate cyber security controls are applied across their supply chains, and Cyber Essentials is explicitly identified as the baseline mechanism for demonstrating compliance at the standard tier.

Government contract requirements were further expanded in April 2025. Defence suppliers faced their own deadline in December 2024. The NHS has been enforcing Cyber Essentials across its vendor base, with figures suggesting that 85% of NHS trusts now require it as a condition of supplier approval.

The effect of these changes is felt most acutely by SMEs. If your business supplies services, software, consultancy, data processing, or anything that touches sensitive information to a public sector body – directly or as a sub-contractor further down the supply chain – you are increasingly likely to find Cyber Essentials certification is a gate you must pass before price or capability even enters the conversation.


The Numbers Behind the Risk

It would be easy to treat Cyber Essentials as a compliance exercise disconnected from real operational risk. The data says otherwise.

The UK Government’s own research found that 50% of UK businesses suffered a cyber attack or security breach in the 12 months covered by the 2024 Cyber Security Breaches Survey – up from 39% two years earlier. The threat is not declining; it is growing. Ransomware incidents surged by 70% in the same period. Phishing attacks affected 84% of businesses that reported breaches.

The financial impact is considerable. Medium-sized UK businesses reported an average cost of £10,830 per cyberattack in 2024, and remediation costs for small businesses are estimated at around £25,700 when full clean-up costs – restoring systems, replacing hardware, improving security after the fact – are factored in. Across the economy, cybercrime costs the UK an estimated £27 billion annually.

For SMEs specifically, the consequences extend well beyond immediate financial loss. Research from Hiscox found that 43% of businesses lost customers following a cyber attack, and 38% reported damaging publicity. A significant proportion of small businesses that experience a serious breach never fully recover. The threat is existential for firms operating on thin margins and with limited IT resource.

The irony is that many of the attacks succeeding against SMEs are not sophisticated. They exploit exactly the vulnerabilities that Cyber Essentials addresses: unpatched software, weak or reused passwords, excessive user privileges, inadequate network boundaries. The certification does not protect against everything – it does not address advanced persistent threats or complex social engineering campaigns – but it closes the doors that the vast majority of opportunistic attackers use.


The Commercial Dimension: Lost Contracts and Missed Tenders

Beyond the regulatory requirement, there is a straightforward commercial reality that many SME owners are discovering too late: the absence of Cyber Essentials certification is costing them business.

Research suggests that the compliance gap costs non-certified regional SMEs over £250 million in lost tenders annually. The mechanism is simple. When a public sector buyer or a large private-sector contractor reviews a supplier’s credentials, they are increasingly checking certification status first. An SME without Cyber Essentials – however competitive on price, quality, or experience – may simply not make it through the initial screening stage.

This is particularly relevant in sectors where data handling is central to the work: professional services, healthcare supply, legal, financial advisory, IT services, education, and anything touching the Ministry of Defence supply chain. In these areas, Cyber Essentials has moved from differentiator to threshold requirement.

The practical rule is worth stating plainly: if a contract involves sensitive data, regulated information, or public sector procurement, assume you will be asked for evidence of certification – not good intentions.


What Has Changed in 2025 and 2026

The technical requirements are also evolving, which means the certification you achieved 18 months ago may need attention.

The April 2025 update introduced a revised question set (version 3.2) with more detailed requirements around multi-factor authentication enforcement, privileged access management, and cloud security policies. The biggest shift in the current cycle is the move towards treating passwordless authentication as the preferred approach – recognising that compromised passwords remain the most common vector for successful attacks on SMEs.

Looking ahead to April 2026, the most significant change is the tightening of MFA requirements. What was previously described as “where supported” and “where technically feasible” will become, in practice, mandatory wherever cloud services support MFA. That means email, file-sharing platforms, finance applications, CRM tools, and other SaaS services – any cloud tool your business uses that has MFA capability will need it enabled, documented, and evidenced. For the many SMEs already relying heavily on Microsoft 365, Google Workspace, or similar cloud platforms, this is achievable – but it requires a process, not just a setting.

The patching requirement also continues to demand attention. Critical and high-rated vulnerabilities must be patched within 14 days of release. This is not simply “turn on automatic updates.” It requires knowing what devices and software are in scope, tracking update status, and having a process to handle devices that fall behind – the laptop that hasn’t connected to the corporate network in a fortnight, the back-office application that staff avoid updating because it sometimes causes problems.
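The process described above, turned into a check an IT function could run over its own device inventory, as an added example that is not tooling from the original article or from any certification body: it applies the 14-day window to critical and high-rated fixes only and separately flags devices that have stopped reporting, since a silent laptop cannot be shown compliant. The inventory, dates and the 14-day stale-device threshold are constructed for the example.

```python
"""Flag devices that miss the Cyber Essentials 14-day patch window or have
stopped reporting. Constructed example; the inventory below is invented."""
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14   # Cyber Essentials: critical/high fixes applied within 14 days of release
STALE_CHECKIN_DAYS = 14  # assumption: a device silent this long cannot be evidenced as compliant


@dataclass
class PendingUpdate:
    software: str
    severity: str          # "critical", "high", "medium" or "low"
    released: date         # vendor release date of the fix


@dataclass
class Device:
    name: str
    last_checkin: date     # when the device last reported its patch state
    pending: list = field(default_factory=list)


@dataclass
class Finding:
    device: str
    kind: str              # "overdue", "due" or "stale"
    detail: str


def patch_deadline(update: PendingUpdate) -> date:
    """Latest date the fix may be applied while staying inside the 14-day window."""
    return update.released + timedelta(days=PATCH_WINDOW_DAYS)


def assess(devices: list, today: date) -> list:
    """Return findings in inventory order: stale device first, then each in-scope update."""
    findings = []
    for dev in devices:
        silent_for = (today - dev.last_checkin).days
        if silent_for > STALE_CHECKIN_DAYS:
            findings.append(Finding(dev.name, "stale",
                f"no check-in for {silent_for} days; patch state below is last known only"))
        for upd in dev.pending:
            if upd.severity not in ("critical", "high"):
                continue  # the 14-day clock applies to critical and high-rated fixes only
            deadline = patch_deadline(upd)
            if today > deadline:
                findings.append(Finding(dev.name, "overdue",
                    f"{upd.software} ({upd.severity}) deadline {deadline} missed by {(today - deadline).days} days"))
            else:
                findings.append(Finding(dev.name, "due",
                    f"{upd.software} ({upd.severity}) must be patched by {deadline}, {(deadline - today).days} days left"))
    return findings


# Constructed inventory for the example, not real devices.
TODAY = date(2026, 3, 10)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", date(2026, 3, 9),
           [PendingUpdate("Web browser", "critical", date(2026, 3, 1))]),
    Device("LAPTOP-02", date(2026, 2, 20),   # the laptop that has not connected in a fortnight
           [PendingUpdate("Operating system", "high", date(2026, 2, 15))]),
    Device("SRV-01", date(2026, 3, 10),
           [PendingUpdate("Back-office app", "medium", date(2026, 1, 5))]),  # outside the 14-day rule
]

if __name__ == "__main__":
    for f in assess(SAMPLE_DEVICES, TODAY):
        print(f"{f.device:10} {f.kind:8} {f.detail}")
```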


A Practical Path Forward

If your business hasn’t started, the steps are more manageable than many owners expect.

Start with an honest inventory. Map the devices, software, and cloud services that fall within the scope of your network boundary. Many SMEs discover gaps here – forgotten subscriptions, personal devices used for work, cloud services that IT wasn’t aware of.

Choose your certification level strategically. If you are targeting government contracts, public sector frameworks, or large corporate clients, plan for Cyber Essentials Plus from the outset. The additional investment in a technical audit pays back quickly through contract access that self-assessment alone cannot unlock, and avoids the need to upgrade later when a buyer asks for it.

Don’t treat it as a one-time exercise. Certification is annual. The threat landscape changes, your technology stack changes, and the requirements themselves are being updated. Build the renewal into your annual planning cycle rather than scrambling at the last minute.

Use it commercially. The certificate is a credible, independently verified signal to customers, partners, and insurers that your business meets baseline security standards. The certificate holder search on the NCSC website is publicly accessible – buyers check it. Make sure your certification is current and visible in your own marketing materials and supplier questionnaire responses.


The Bottom Line

For UK SMEs, Cyber Essentials has crossed the threshold from recommended to required – at least for any business that wants to compete for public sector work, sit in the supply chain of a large government contractor, or supply services to the NHS. The penalties for non-compliance now reach £17 million in the most serious cases. The compliance gap is already costing the SME sector hundreds of millions in lost contracts each year.

The certification is not a guarantee against every cyber threat. But it closes the vulnerabilities that most attacks actually exploit, it satisfies the procurement requirements that are now embedded in government policy, and it sends a clear signal to clients, insurers, and partners that your business treats security as a business function rather than an afterthought.

The businesses winning public sector contracts in 2026 will have had Cyber Essentials in place for years. The ones scrambling to get certified at the point of tender – or worse, discovering they don’t qualify for an opportunity they would otherwise have won – are the ones for whom it stayed optional for too long.


For more information on Cyber Essentials certification, visit the NCSC’s official guidance at ncsc.gov.uk/cyberessentials or the IASME Consortium at iasme.co.uk.