Most SME boards are making decisions about cyber risk with incomplete information. Not because they’re careless – but because nobody has ever given them a clear, honest picture of what the real threats are, what the consequences look like commercially, and what good oversight actually involves.

This post attempts to do that.

The threat landscape for UK SMEs is not theoretical

There’s a persistent myth that cyber-attacks are primarily a problem for large organisations – banks, hospitals, government departments. The reality is the opposite. UK SMEs are targeted constantly, precisely because they tend to have weaker defences, less dedicated IT resource, and less capacity to respond when something goes wrong.

The National Cyber Security Centre’s annual report consistently shows that small businesses account for a significant proportion of reported incidents. Phishing remains the most common entry point – not sophisticated zero-day exploits, but convincingly written emails that persuade someone in your business to click a link or hand over credentials.

The consequences are not abstract. They include:

– **Ransomware** – where your systems and data are encrypted and a payment is demanded to restore access

– **Business email compromise** – where attackers intercept or spoof email communications to redirect payments

– **Data breaches** – where customer, employee or financial data is exfiltrated and potentially published or sold

– **Operational disruption** – where systems become unavailable for days or weeks, affecting your ability to trade

For a 20 or 50-person business, any of these is a serious commercial event. For some, it’s existential.

### What most SME boards actually know about their cyber risk

In my experience, most SME boards know very little – and what they think they know is often shaped by what their IT supplier has told them.

That’s not an accusation. IT suppliers are generally focused on keeping systems running. Security reassurance is often part of the sales relationship rather than an independent assessment. When the MD asks “are we secure?” and the MSP says “yes, we have antivirus and backups” – that answer is technically accurate but commercially meaningless.

What boards actually need to know:

1. **What are the specific threats most likely to affect a business of our type, size and sector?**

2. **What would happen operationally and financially if we experienced a significant cyber incident?**

3. **What controls do we currently have in place, and are they proportionate to our exposure?**

4. **What are the gaps, and what would it cost to close them?**

5. **What are our obligations – to customers, to insurers, to regulators – in the event of a breach?**

These are not technical questions. They are commercial and governance questions. And they deserve honest, independent answers.

The five controls that matter most for SMEs

Cyber risk management for SMEs does not need to be complex. The government-backed Cyber Essentials framework identifies five technical controls that, if properly implemented, protect against the vast majority of common attacks:

**1. Firewalls** – ensuring your network boundary is protected and that unnecessary ports and services are not exposed to the internet.

**2. Secure configuration** – removing default passwords, disabling unnecessary software and services, and ensuring devices are set up securely from the outset

**3. User access control** – ensuring people only have access to the systems and data they need for their role, and that access is removed promptly when someone leaves.

**4. Malware protection** – using up-to-date antivirus or endpoint detection software and ensuring it covers all devices, including personal devices used for work.

**5. Patch management** – keeping software, operating systems and applications up to date, so known vulnerabilities are closed promptly.

None of these are exotic. Most businesses are partially compliant with all of them. The gap is usually in the consistency and documentation – which is precisely what Cyber Essentials certification tests.

What board-level cyber oversight actually looks like

Good cyber oversight at board level does not mean the MD or FD becoming a technical expert. It means:

– Receiving regular, plain-English updates on the organisation’s cyber risk posture

– Understanding the commercial consequences of the most likely incident scenarios

– Having confidence that someone independent and competent is overseeing IT and cyber on behalf of the business

– Being able to demonstrate to insurers, clients and regulators that cyber risk is being actively managed

If your board cannot currently answer the five questions I listed above, that’s a governance gap – not a technical one.

Where to start

If you are an SME founder, MD, or Finance Director reading this and recognising that your business does not have adequate cyber risk oversight, the starting point is straightforward: get an independent assessment from someone with no interest in selling you products.

That assessment should tell you where you stand, what the real risks are, and what proportionate action looks like for a business of your size. It should be delivered in language your board can act on – not a 40-page technical report that sits in a drawer.

That is exactly what Northstar’s IT and Cyber Risk Review is designed to provide.

← All Insights
← Previous Next →

More Insights

Supplier Management

The MSP Contract Renewal Playbook: How to Negotiate from Strength

Most SMEs accept their MSP's renewal offer without negotiation. This is almost always a commercial mistake. Here is how to approach contract renewal in a way that produces better terms, better service commitments and better value.

17 July 2026 · 4 min read
Cyber Risk

Business Email Compromise: The Cyber Threat Most SME Boards Have Never Heard Of

Ransomware gets the headlines. Business email compromise quietly costs UK businesses more money every year. Here is what it is, how it works, and why it is particularly dangerous for SMEs.

9 July 2026 · 4 min read
IT Governance

The IT Governance Checklist Every SME Board Should Work Through Once a Year

Most SME boards have no structured way to review their IT governance position. This practical checklist gives you a framework for doing exactly that in plain English, without technical jargon, in under an hour.

1 July 2026 · 5 min read