Cybersecurity for SMEs: Accountability, Risk Management, and What You’re Missing

Cybersecurity has become a core business concern, not just a tech issue to be handled by the IT team. For small and medium-sized enterprises (SMEs), the stakes are especially high: from the rising frequency of ransomware attacks to new regulations that demand accountability for data breaches, it’s crucial to develop a proactive cybersecurity strategy. Steve Durbin, CEO of the Information Security Forum (ISF), recently shared some valuable insights on the current cybersecurity landscape and what businesses need to focus on.

Let’s dive into some deep insights and actionable takeaways from that discussion.

⚖️ You Can’t Outsource Accountability in Cybersecurity

In the conversation, Durbin highlighted a common misconception: that outsourcing IT services or cybersecurity functions means the responsibility for securing data shifts to the vendor. It doesn’t. You remain fully accountable for the data your business collects, stores, and uses—whether you’re managing it internally or through a third-party service provider.

GDPR (and similar regulations around the world) already imposes strict penalties for mishandling data, with fines that can reach 4% of global annual turnover. It also makes the accountability point explicit: the business that decides why and how personal data is processed (the controller) remains responsible for it even when a processor handles the data on its behalf, and must bind that processor by contract. And it's not just about protecting your customers' personal information; it's also about safeguarding your business.

Key takeaway: Even if you've outsourced your IT functions, you still need to actively ensure that the vendors you work with have robust security protocols. Put your requirements in the contract (security controls, breach notification deadlines, a right to audit), ask for evidence such as independent audit reports or penetration test summaries, and review it regularly. Remember that an audit report is a point-in-time snapshot: a clean report from last year says little about the vendor's posture today.

Fun fact: One widely quoted industry survey links 63% of data breaches to third-party vendors. Whatever the exact figure in your sector, having a strong vendor management program isn't just a bonus; it's critical.

🏢 Cybersecurity Centres and National Institutions: More Help Than You Realize?

One of the topics Durbin touched on was the role of national cybersecurity centres. Countries across the globe have established these organizations to protect critical national infrastructure and offer businesses, including SMEs, valuable resources. But are these institutions doing enough?

Durbin believes that while national institutions are doing well on the technical front (offering advice on patching systems, updating software, etc.), they are often lacking in another vital area: educating leadership on the importance of cyber risk.

Leaders often don’t grasp how closely security and business objectives are tied together, and this creates a gap. National institutions should step up to help organizations (especially smaller businesses) understand that cybersecurity is not just an IT issue—it’s a fundamental business risk.

Reminder: Cybersecurity isn’t just about firewalls and antivirus software. Educating leadership on cybersecurity risks and the cost of inaction is key to securing buy-in for necessary investments.

🔍 Governments Need to Do More: Should We Expect Tougher Regulations?

Durbin raised an important point about the role of government and regulators in holding companies accountable. The UK, for example, has so far taken a relatively “light touch” approach to cybersecurity regulation, particularly when compared to the EU's more prescriptive stance with instruments such as the NIS2 Directive and the AI Act.

This leniency might benefit businesses in the short term by reducing compliance costs, but it could also leave them vulnerable to attacks and unprepared for future regulatory changes. As cyberattacks grow more sophisticated, government oversight is likely to increase, and companies may find themselves playing catch-up.

💡 Insight: A less stringent regulatory environment doesn’t mean you can relax. In fact, it means your business needs to self-regulate and stay ahead of potential changes. Keep an eye on regulatory developments and make sure your cybersecurity practices are ready for future shifts in legislation.

💸 Security Investment: It’s Time to See Cybersecurity as a Business Priority

A common challenge businesses face is viewing cybersecurity as an unnecessary expense rather than an investment. Durbin points out that while tech vendors often focus on selling products to “solve” security issues, businesses need to approach cybersecurity from a risk management perspective. Simply buying the latest software won’t keep you safe if it’s not part of a comprehensive strategy.

Companies that balance their cybersecurity investments with their business goals tend to perform better in the long run. This approach not only reduces risk but also enhances customer trust, which can become a key differentiator in competitive markets.

Key takeaway: Don’t cut corners on cybersecurity. Instead of seeing it as a cost centre, frame it as a long-term investment that will help your business build resilience and grow confidently. In fact, having strong cybersecurity practices can be a competitive advantage when clients or partners need reassurance that you’re safeguarding their data.

🤖 Technology Alone Won’t Save You: The Importance of Human Oversight

One of Durbin’s most striking points was that businesses often over-rely on technology, assuming that once they’ve implemented the latest software, their cybersecurity is rock solid. However, when breaches occur, it’s people—not technology—who typically step in to resolve the issue.

Whether it’s employees detecting phishing emails or leadership making decisions during a security crisis, humans are the linchpin in cybersecurity resilience. Durbin suggests that businesses need to focus more on training their teams, improving incident response plans, and encouraging leadership to stay engaged in cybersecurity discussions.

💡 Pro tip: Regular security training and scenario-based testing (phishing simulations, tabletop exercises) can significantly reduce your chances of falling victim to common cyber threats. And make sure your incident response plan is rehearsed, not just written: people should know who decides what, whom to call, and where the backups are before the incident, because it's your best defence when the unexpected happens.

Fun fact: Industry surveys routinely attribute the large majority of successful cyberattacks (figures above 90% are commonly quoted) to some form of human error or manipulation, such as a clicked phishing link or a reused password. That makes employee training one of the most cost-effective defences you can invest in.

🔥 Emerging Threats: AI, Cyber Gangs, and the Geopolitical Landscape

Durbin also touched on some of the emerging threats businesses should be concerned about, including the rise of AI-powered attacks and the increasing sophistication of cyber gangs. He noted that while many of these gangs operate from regions like Russia and China, international tensions make it difficult for governments to combat these groups directly.

This means businesses must focus on resilience. Attacks will happen; it's about how quickly and effectively you can bounce back. Incident response, backup systems, and proactive risk management strategies are more critical now than ever before. For backups in particular, keep at least one copy offline or immutable so that ransomware cannot encrypt it along with the live systems, and test them by actually restoring from them: a backup that has never been restored is an assumption, not a control.

Key takeaway: Preparing for the worst is the best way to defend against it. Building resilience into your systems ensures that if (and when) an attack happens, your business can recover quickly and keep operating with minimal disruption.
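The "test your backups" point above is easy to state and easy to skip. As an added example (not code from the article or from the ISF), here is a small Python check that turns it into something you can run after every test restore: at backup time you record a manifest of SHA-256 hashes for every file, and after restoring to a scratch location you compare the restored tree against that manifest. The manifest format, the file names and the corrupted-restore scenario are all constructed for the illustration.

```python
"""Verify that a restored backup matches the manifest recorded at backup time.

Added example for this article, not code from the ISF or Steve Durbin.
Assumption (hypothetical workflow): at backup time you build a manifest of
SHA-256 hashes per file and store it separately from the backup; after a
test restore you run verify_restore() against the restored tree.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map relative file path -> SHA-256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Reports files missing from the restore, files whose contents differ, and
    files present in the restore that were never in the manifest (a sign of
    tampering or of restoring the wrong snapshot). ok is True only if all
    three lists are empty.
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)
    return {
        "ok": not (missing or corrupted or unexpected),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: back up three files, then 'restore' a copy in which
    one file was silently truncated and one was never restored at all."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "live")
        dst = os.path.join(tmp, "restored")
        os.makedirs(os.path.join(src, "db"))
        os.makedirs(os.path.join(dst, "db"))
        files = {  # sample content, constructed for the example
            "db/customers.sql": b"CREATE TABLE customers (id INT);\n",
            "config.yml": b"retention_days: 30\n",
            "notes.txt": b"quarterly review\n",
        }
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)  # taken at backup time

        # Simulate a bad restore: customers.sql truncated, notes.txt missing.
        with open(os.path.join(dst, "db/customers.sql"), "wb") as f:
            f.write(b"CREATE TABLE customers")
        with open(os.path.join(dst, "config.yml"), "wb") as f:
            f.write(files["config.yml"])

        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. The manifest must live somewhere the attacker who reaches your backups cannot also reach (an offline copy, or a signed file), otherwise whoever corrupts the backup can rewrite the expected hashes to match. And the check is only as good as the restore it runs against: run it on a real restore to a scratch host on a schedule, not against the backup media in place, so that the restore procedure itself gets exercised.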

📊 Key Reminders for Building a Robust Cybersecurity Strategy

  1. Accountability stays with you: You can’t outsource your responsibility for data protection, no matter how good your vendor’s cybersecurity is.
  2. National institutions offer solid technical guidance, but much less help with educating leadership on cyber risk; closing that gap falls to you.
  3. Government regulation may be lenient for now, but don’t wait to make cybersecurity a priority. Stay ahead of the curve.
  4. Invest in cybersecurity: It’s an asset that not only protects you but also strengthens trust with customers and partners.
  5. People are your strongest asset: Train employees, prepare leadership, and keep human oversight at the core of your security plan.
  6. Resilience is key: Build a response plan that enables quick recovery from attacks.

Conclusion: Be Prepared, Not Surprised

Cybersecurity isn’t just about protecting your data—it’s about ensuring the long-term success and sustainability of your business. By embracing accountability, investing in your risk management strategy, and balancing technology with human oversight, you’re not just protecting your business from potential threats—you’re setting it up for future growth and resilience. In a world where attacks are inevitable, the companies that survive and thrive are the ones who are prepared for the worst. Keep these insights in mind, and you’ll be better equipped to handle whatever the cybersecurity landscape throws your way. 🌐
