Cyber Security Is a Board-Level Issue

In our last post, we made the case that no business is too small to be targeted. The threat is real, it is indiscriminate, and SMEs are increasingly in scope, not despite their size, but because of it.

So if you accepted that premise, the next question matters just as much: once you know you're a target, who in your organisation is actually responsible for doing something about it?

For too many businesses, the honest answer is: IT. Or the MSP. Or whoever handles "the tech stuff." And that is exactly the problem.


Cyber security is a business risk, not a technical one

Your MSP can implement every technical control available. Firewalls configured. Multi-factor authentication enforced. Systems patched, network monitored, endpoints protected. All of that matters enormously.

And a single poorly-handled email, an unverified payment request, or an account left open after someone leaves can still bring operations to a halt.

Not because the technology failed. Because technology has a hard limit. It cannot protect your organisation from the decisions made by the people inside it.

In 2026, cyber security is a business risk as serious as financial, legal, or reputational risk. It demands the same level of board ownership and cross-organisational attention as any of those. If your board isn't actively engaged in your cyber security posture, your business is exposed in ways that no firewall can fix.

The statistics that should concern every business leader

According to the UK Government's Cyber Security Breaches Survey, half of UK businesses reported experiencing a cyber security breach or attack in the last 12 months. In the majority of cases, the route in was a human one: phishing emails, stolen credentials, or social engineering. No technical control prevents all of these. The human layer is where most attacks succeed, and it runs from the boardroom to the most junior member of staff.

The financial consequences of a breach are significant. Downtime, recovery costs, regulatory fines, reputational damage and lost contracts can be existential for a business that hasn't prepared. According to Sophos research, 27% of manufacturing organisations experienced leadership changes as a direct result of a ransomware attack. A cyber incident is not just an IT event. The consequences land in the boardroom.

Why technology alone is never enough

Your MSP can manage your firewalls, enforce multi-factor authentication, monitor your network, and keep your systems patched. But technology cannot:

  • Stop a director from clicking a phishing link
  • Prevent a finance manager from processing a fraudulent payment following a convincing email exchange
  • Enforce a policy that leadership hasn't communicated or modelled
  • Protect data that staff are sharing through personal, unsanctioned apps because nobody told them not to

Cyber security is effective when technology, processes, and people all work together. Two out of three is not enough. Getting all three aligned is a leadership responsibility, not something you can outsource to your MSP.

What board-level ownership actually looks like

Owning cyber security at board level doesn't mean the CEO becomes a technical expert. It means:

  • Cyber risk appears on the board agenda at least quarterly, with clear reporting on posture, incidents, and exposure
  • There is a named owner for cyber security at leadership level, someone accountable rather than simply whoever the MSP reports to
  • The business has a cyber security policy that is actively communicated, reviewed annually, and genuinely reflects how the organisation operates
  • Investment in security is treated as risk management, not an IT cost, with the same logic applied as to business insurance or legal compliance
  • Incident response has been planned and tested. Not written up and filed, but actually walked through so that people know what to do

The questions your board should be able to answer right now

Use these as a quick sense check. If the honest answer to most of them is "I don't know" or "we haven't got to that yet," it is time to have a different conversation about cyber risk in your organisation.

  1. Who in our organisation is accountable for cyber security at a leadership level?
  2. When did we last discuss cyber risk as a formal board agenda item?
  3. Do we have an incident response plan, and has it actually been tested?
  4. Do our staff know what to do if they suspect they've been phished or that their account has been compromised?
  5. Does our cyber insurance reflect our actual risk exposure, and do we know what it does and doesn't cover?
  6. Are we confident that all former employee accounts have been properly closed?
  7. Do we know what data we hold, where it lives, and who has access to it?

Knowing you're a target is only the first step

Accepting that your business is in scope for a cyber attack is an important moment. But awareness without action doesn't reduce your risk.

The next step is understanding how cyber security responsibility flows through every layer of your organisation, from the board down to every person with a device and an email address. Because the businesses that handle this well aren't necessarily the ones with the best technology. They're the ones where leadership takes it seriously, and where security is woven into how the business operates at every level.

In our next video, we break down exactly how cyber security responsibility runs through every layer of your business, from the boardroom to your newest starter, and the questions every leader should be asking right now. Subscribe to our YouTube channel to be notified when it goes live.
