So, you are in management in an SME company in the UK – should you be doing something about the risk of Cyber-attacks?
The answer is probably YES!
Before looking at all the dangers in the world today let us first be clear on who is responsible and what it means if there are breaches in a company’s security.
In small and medium enterprises (SMEs), cybersecurity responsibility typically falls on multiple roles due to limited resources. Often a designated employee, for example someone in HR or Compliance, or more obviously the IT manager or the business owner, oversees cybersecurity alongside other duties.
However, company directors have significant responsibilities regarding cybersecurity, primarily focusing on risk management and compliance. They carry the burden and must ensure that adequate cybersecurity measures are in place to protect the organization from potential threats, as neglecting these duties can lead to severe financial and legal repercussions, including personal liability.
Directors are expected to stay informed about cyber risks and implement effective governance frameworks, which include regular risk assessments and incident response planning.
Ultimately, while operational responsibilities may be delegated, accountability for cybersecurity rests with the board, which is legally accountable.
In the UK, directors face significant legal consequences for breaches of cybersecurity. Under the Companies Act 2006, failing to exercise reasonable care, skill, and diligence can lead to personal liability, including claims from shareholders or the company itself for any losses incurred due to negligence in managing cyber risks. Additionally, breaches of the General Data Protection Regulation (GDPR) can result in fines up to £17.5 million or 4% of global turnover, and directors may be scrutinized for non-compliance with data protection laws.
Overall, inadequate cybersecurity governance can lead to both financial penalties and reputational damage for directors.
As a starting point all UK SMEs should consider Cyber Essentials which provides the basic controls a company should have in place to protect themselves. This can be a stepping stone to Cyber Essentials Plus which is a more rigorous test of a company’s cybersecurity systems and vulnerability to attack.
Cyber Essentials is mandatory for businesses looking for specific government contracts. Moreover, many larger organisations will expect their suppliers and strategic partners to hold the certification, particularly if they share personally identifiable information (PII).
Contact Archway Securities today for a short consultation that will help you decide how vulnerable you are, or if you would like to know more about Cyber Essentials.