
With cybersecurity now a priority in every boardroom, SME business leaders are under particular pressure, with lower budgets than their larger counterparts. Threat levels are high: 43% of businesses and three in ten charities reported some kind of cyber security breach or attack in the last 12 months.
Beyond resources, there is another barrier to SMEs taking adequate cybersecurity action. Friction within leadership is creating a divide, and it is common for a business to have no CISO or other cybersecurity representative at board level. This leaves companies wide open to successful breaches.
The UK Government Cyber Security Breaches Survey 2025 reveals that board-level responsibility for cyber security (a named company director owning it) has decreased from 38% to 27% over the last four years. Almost three quarters (72%) of business respondents nonetheless describe cyber security as a 'high priority'. That is a clear disconnect between the responsibility a board is expected to hold and the reality on the ground, and it puts the entire business at risk.
Part of the problem is language. Security professionals speak in technical jargon and threat models; their business leader peers talk about bottom-line impact and board-level implications. When the two are not translated for each other, critical security concerns are downplayed, misunderstood or, at worst, ignored. Security leaders therefore need to express risk in business terms, and boards need to keep up with how the threat is changing.
The risk of cybersecurity complacency at board level
With CISOs stepping away from the boardroom, and with an increasingly active and sophisticated threat landscape of ransomware and highly targeted social engineering, the board directors left holding cyber security responsibility are often not equipped to exercise it.
AI-driven threats add a further challenge for corporate security policy. Both the attacks (more convincing phishing, faster reconnaissance) and the internal use of AI tools (staff pasting sensitive data into external services) fall outside traditional controls. Security policies need to be reviewed and revised regularly to govern the safe and responsible use of AI within the organisation and to protect its most valuable assets: its data and its people.
Added to this, Cyberfort's own customer research has revealed a concerning complacency: many businesses consider a Cyber Essentials Plus (CE+) certification sufficient to keep the organisation secure and to discharge the board's responsibility. With high-profile breaches continuing to dominate the media agenda, this is a high-risk strategy.
Limitations of CE+
The cybersecurity needs of today's business have outgrown Cyber Essentials Plus (CE+), the Government-backed certification scheme launched in 2014 and recommended as the minimum standard of cyber security for organisations. CE+ covers five basic control areas which may once have been sufficient: patch management, access control, malware protection, secure configuration, and boundary firewalls. It contains no requirement for real-time threat detection and response, which is what allows an intrusion to be spotted and contained early rather than discovered after the damage is done.
CE+ was never designed to protect organisations against advanced persistent threats (APTs), targeted attacks, or the continually evolving techniques of criminal groups that are so prevalent today. According to the UK Information Commissioner's Office (ICO), over 80% of successful cyber incidents begin with phishing, yet CE+ has no requirement for simulated phishing or staff awareness training beyond general advice.
Costs and consequences of gaps in protection
There are serious risks for SMEs that invest in CE+ and rely on it alone. A certificate does not satisfy the regulator: if a breach exposes personal data, the ICO assesses whether the organisation's security measures were appropriate under UK GDPR, and the fines are substantial, with the average ICO fine for a serious cyber incident in the UK being £153,722 in 2024.
Insurers are also raising their demands, with some underwriters insisting on evidence of 24/7 monitoring and a tested incident response plan as a condition of cover. Business partnerships are increasingly dependent on a company's cybersecurity posture too, with rising expectations of ISO 27001 or sector-specific certifications such as the NHS DSPT or PCI DSS compliance.
Given the responsibility to protect a business' data and people, information security representation at board level is essential. Research by the World Economic Forum shows that organisations with strong executive involvement in cybersecurity are 400% more likely to repel an attack or recover from it rapidly.
The reputational and financial consequences of a breach cannot be ignored. Hiscox's 2024 Cyber Readiness Report reveals that almost half (47%) of organisations struggled to attract new customers following a successful cyber attack. Cost and recovery time can also be extensive: in 2024 the average ransomware incident led to 21-24 days of downtime and cost $2.73 million, according to NinjaOne.
Five ways to elevate cybersecurity protection
By taking the following measures, each of which addresses a gap that CE+ leaves open, SMEs give themselves the best chance of detecting, containing and recovering from a cyber attack:
- Real-time threat detection and response – A Security Operations Centre (SOC), a Security Information and Event Management (SIEM) platform, and Endpoint Detection and Response (EDR) tooling are what allow an attack in progress to be seen and stopped. CE+ requires none of them.
- Phishing and social engineering resilience – Simulated phishing and targeted awareness training are the practical defence against emails that are highly personalised and appear to come from a known colleague or supplier; technical controls alone will not catch every one.
- Cloud and hybrid environment protection – CE+ still assumes a traditional network perimeter and so ignores many of the risks in modern SaaS, IaaS and BYOD environments. As these ecosystems grow, misconfigurations and unmanaged devices multiply the ways in.
- Business continuity and incident response planning – Remarkably, CE+ has no requirement to prove that you can recover from a ransomware attack or data breach. A written and rehearsed incident response plan is how an organisation finds out, before the event, how long recovery really takes and what it depends on.
- Third-party and supply chain risk – Attackers often reach their targets by compromising third-party vendors or contractors. CE+ does not assess or govern these relationships, so it falls to each business to engage with its supply chain and understand the risk it is inheriting.
Key steps that cyber security leaders must take
To build a cohesive and effective cybersecurity strategy that can counter today's threats and remain compliant, information security decision-makers must take four key actions:
- Ensure board-level oversight of cyber risk through regular briefings, agreed KPIs, and named executive ownership
- Commission an independent cyber risk assessment that goes beyond Cyber Essentials Plus
- Invest in detection and response capabilities, whether in-house or outsourced
- Adopt a recognised security framework such as the NCSC's Cyber Assessment Framework, the NIST Cybersecurity Framework (CSF) 2.0, or ISO 27001
Ensuring strategies align to today’s cyber threats
With AI adding new complexity to the threat landscape, business leaders must keep pace with current defensive measures, such as advanced detection capabilities that identify threats as they arise. That means going beyond CE+ and adopting tools and controls proportionate to the organisation's actual risk.
CE+ is a sound starting point for SMEs, but it is not enough on its own. Business directors and cyber security teams must unite to raise their security approach and defend what is theirs in an increasingly hostile threat landscape.
Author: Glen Williams CEO at Cyberfort