Most SME boards are making decisions about cyber risk with incomplete information. Not because they’re careless – but because nobody has ever given them a clear, honest picture of what the real threats are, what the consequences look like commercially, and what good oversight actually involves.
This post attempts to do that.
### The threat landscape for UK SMEs is not theoretical
There’s a persistent myth that cyber-attacks are primarily a problem for large organisations – banks, hospitals, government departments. The reality is the opposite. UK SMEs are targeted constantly, precisely because they tend to have weaker defences, less dedicated IT resource, and less capacity to respond when something goes wrong.
The National Cyber Security Centre’s annual report consistently shows that small businesses account for a significant proportion of reported incidents. Phishing remains the most common entry point – not sophisticated zero-day exploits, but convincingly written emails that persuade someone in your business to click a link or hand over credentials.
The consequences are not abstract. They include:
– **Ransomware** – where your systems and data are encrypted and a payment is demanded to restore access. Most ransomware groups now also steal data before encrypting it and threaten to publish it, so restoring from backup alone does not end the incident
– **Business email compromise** – where attackers take over or spoof a mailbox, often a supplier's or a director's, to alter invoices or redirect payments to accounts they control
– **Data breaches** – where customer, employee or financial data is exfiltrated and potentially published or sold
– **Operational disruption** – where systems become unavailable for days or weeks, affecting your ability to trade
For a 20- or 50-person business, any of these is a serious commercial event. For some, it is existential.
### What most SME boards actually know about their cyber risk
In my experience, most SME boards know very little – and what they think they know is often shaped by what their IT supplier has told them.
That’s not an accusation. IT suppliers are generally focused on keeping systems running. Security reassurance is often part of the sales relationship rather than an independent assessment. When the MD asks “are we secure?” and the MSP says “yes, we have antivirus and backups” – that answer is technically accurate but commercially meaningless.
What boards actually need to know:
1. **What are the specific threats most likely to affect a business of our type, size and sector?**
2. **What would happen operationally and financially if we experienced a significant cyber incident?**
3. **What controls do we currently have in place, and are they proportionate to our exposure?**
4. **What are the gaps, and what would it cost to close them?**
5. **What are our obligations – to customers, to insurers, to regulators – in the event of a breach?**
These are not technical questions. They are commercial and governance questions. And they deserve honest, independent answers.
### The five controls that matter most for SMEs
Cyber risk management for SMEs does not need to be complex. The government-backed Cyber Essentials framework identifies five technical controls that, if properly implemented, protect against the vast majority of common attacks:
**1. Firewalls** – ensuring your network boundary is protected, that unnecessary ports and services are not exposed to the internet, and that administrative interfaces are not reachable from outside the business.
**2. Secure configuration** – removing default passwords, disabling unnecessary software and services, and ensuring devices are set up securely from the outset rather than hardened after the fact.
**3. User access control** – ensuring people only have access to the systems and data they need for their role, that administrative accounts are separate from everyday accounts, that multi-factor authentication is enabled on cloud services, and that access is removed promptly when someone leaves.
**4. Malware protection** – using up-to-date antivirus or endpoint detection software and ensuring it covers all devices that access business data, including personal devices used for work.
**5. Patch management** – keeping software, operating systems and applications up to date so known vulnerabilities are closed promptly. Cyber Essentials expects security updates for high or critical vulnerabilities to be applied within 14 days of release, and software the vendor no longer supports to be removed.
None of these are exotic. Most businesses are partially compliant with all of them. The gap is usually in consistency and documentation, which is precisely what Cyber Essentials certification tests: the basic certification is a verified self-assessment, and Cyber Essentials Plus adds an independent technical audit of the same five controls.
### What board-level cyber oversight actually looks like
Good cyber oversight at board level does not mean the MD or FD becoming a technical expert. It means:
– Receiving regular, plain-English updates on the organisation’s cyber risk posture
– Understanding the commercial consequences of the most likely incident scenarios
– Having confidence that someone independent and competent is overseeing IT and cyber on behalf of the business
– Being able to demonstrate to insurers, clients and regulators that cyber risk is being actively managed
If your board cannot currently answer the five questions I listed above, that’s a governance gap – not a technical one.
### Where to start
If you are an SME founder, MD, or Finance Director reading this and recognising that your business does not have adequate cyber risk oversight, the starting point is straightforward: get an independent assessment from someone with no interest in selling you products.
That assessment should tell you where you stand, what the real risks are, and what proportionate action looks like for a business of your size. It should be delivered in language your board can act on – not a 40-page technical report that sits in a drawer.
That is exactly what Northstar’s IT and Cyber Risk Review is designed to provide.