Whilst the title of this article may have made you smile, it is a typical approach to cyber security by too many companies and charities. Protecting against cyber-attacks is seen by lots of leaders as just a cost drain considering the investment in the software, monitoring and insurance. But is this the right mindset for leaders to have?
A leader’s responsibility to cyber security
The news has recently been full of major cyber-attacks, and here Andrew Marsh, Vistage Chair for the North East and Northumberland, talks about why it is so important that cyber security is a strategic topic for leaders of SMEs.
“There has been a spate of high-profile cases across the news lately which has brought the whole issue of cyber-attacks and security to life in a more serious and substantial way. What is even more alarming is that the reported attacks have been across sectors you would normally consider safe.
“Whilst the names dealing with the fallout of their recent attacks are large – Marks and Spencer and The Co-op for example – they do act as good case studies for us all to learn from. You might think ‘why would they bother with small SMEs when they are targeting such huge companies?’. But the reality is that SMEs and companies of all sizes are being targeted daily, with only the more impactful reaching the national news.
“A great takeaway from the Co-op situation is that they were prepared, and their software detected the malware threat, which alerted the relevant people leading to them making the decision to shut down the entire system, rather than allow the hack to continue – which meant no sales, goods on shelves, employees idle and frustrated customers. They viewed this as better than allowing the attack to gain momentum – as a leader are you prepared to do that? The Co-op’s strategically thought-out move paid off and even the hackers admit that they would have done much more damage than the temporary disruption ended up being.
“Typically target ransoms can demand up to 10% of a company’s turnover, so even when looking at a smaller SME hackers will find it worthwhile. For example, if hackers’ trawling software/malware finds a vulnerability online, the people behind it will look at publicly available information to understand your profit and loss, and so a £3m turnover will equate to anything up to £300k for them.
“Larger companies have bigger budgets to throw at recovery, so downtime and breaches cost less in the long run. But for an SME the damage can be costly and not just on a cash front – the cost to put it right or the lost revenue can be significant.
“Any cyber-attack won’t just affect the company. It also affects customers, suppliers, partners, stakeholders, staff and consumers on a personal level. You can lose customers, have a damaged reputation, and in very severe cases suffer the loss of the entire company.
“Please don’t dismiss this article as a scare tactic aiming to make you go and buy some cyber protection or software. At Vistage we cover topics that make or break businesses and through that we realise what is important to have on our radar and give due consideration to as a leader.
“You may be receiving all the reassurances from your IT team, telling you that you are cyber secure with software, but ultimately it is the board and SLT’s responsibility to make sure there are procedures in place for if that software doesn’t work. It is also important to make sure that in your budgets (and budget forecast) security and recovery is considered for a worst-case scenario. My advice would be to allocate as much to this as you can – there is no upper cost for peace of mind, and when you look at the total impact, that budget could be small change when compared to the potential damage of that 10% ransom.
“I’m not suggesting that we all run out and throw unreasonable amounts of money around – it just has to be appropriate for your business. And there is no need to panic. In fact Rob Hankin, Chief Technology Officer at Cybit and Vistage Alumni Member, is well placed to advise SMEs feeling a bit lost. He said: “Many SME leaders still believe they’re too small to be targeted, but that’s exactly what makes them attractive to cybercriminals – they follow the path of least resistance. The reality is that standard IT support rarely provides comprehensive security. What business owners need to understand is that cybersecurity isn’t just an IT expense – it’s a fundamental business investment comparable to locks on doors or fire alarms. The most effective approach combines appropriate technology, staff awareness training, clear policies, and external expertise when needed. Most importantly, it requires honest assessment of your current vulnerabilities and leadership attention from the top.”
As larger enterprises invest heavily in cybersecurity, Rob reinforces the belief that cybercriminals follow the path of least resistance. The statistics tell a compelling story: according to the UK Government Cyber Security Breaches Survey of 2024, 50% of UK businesses reported a cyberattack, with that percentage rising among those who actively look for breaches. For small businesses and charities, the impact is disproportionately devastating. Andrew concluded:
“In conclusion, it is very clear that boards and senior leaders should be shaking the tree to make sure they have looked at the risk properly. If you want to explore other risks and opportunities for your business, why not consider joining one of my Vistage cohorts?”
You can contact Andrew on Andrew.Marsh@vistagechair.co.uk