Free Guide

Ten Questions Every SME Board Should Ask About
IT & Cyber Risk

Most SME boards are making decisions about IT and cyber risk with incomplete information. Not because they are careless — but because nobody has given them the right questions to ask. This guide does exactly that.

  • What your IT supplier should be able to tell you — and often cannot
  • The 72-hour obligation most boards do not know they have
  • Why AI governance is a risk your business may already be carrying
  • The IT spend question that makes most CFOs uncomfortable
  • Who is actually accountable for cyber risk at board level
Get the free guide

Enter your name and email and your guide will download instantly. No spam, no mailing list, no obligation.

Your details are used only to send the guide and notify Northstar of your download. We will never share your information with third parties. Read our Privacy Policy.

Your guide is ready

Click below to download your copy of Ten Questions Every SME Board Should Ask About IT & Cyber Risk.

Download Your Guide

Carl will be in touch shortly. In the meantime, feel free to explore the situations we help with or read the latest Insights.

About this guide

The questions most boards
have never been asked.

Most SME boards receive IT updates that confirm everything is running. They rarely receive the questions that would tell them whether the business is genuinely well-governed, properly protected and paying a fair price for its technology.

This guide gives you ten questions drawn from real advisory engagements with UK SMEs. They are designed to be asked of your IT supplier, your leadership team, or used as a framework for an honest internal review.

No technical knowledge required. These are commercial and governance questions, not technical ones. If the answers are not clear and confident, that is itself a finding worth acting on.

Speak to Carl about your situation

The ten questions at a glance

  • 1What are the three most likely ways our business could be compromised?
  • 2When did we last independently verify our IT supplier is performing?
  • 3What would happen if we lost access to our systems for 72 hours?
  • 4Are our staff using AI tools with a policy governing how?
  • 5When did we last review what we are actually paying for in IT?
  • 6Do we know where our personal and customer data is stored?
  • 7Have we tested whether our backups actually work?
  • 8Do we know which suppliers could cause the most damage if compromised?
  • 9Could we demonstrate to a client or insurer that we take cyber security seriously?
  • 10Who is accountable for IT and cyber risk at board level?

Want to work through these questions
with someone independent?

Northstar's Board-Level IT and Cyber Risk Review gives you honest answers to all ten questions — and a clear, prioritised picture of what action looks like for a business of your size.

Start a conversation with Carl