You lead an organisation. That means managing people, watching cash flow, winning customers and then keeping them happy, navigating regulation, and dealing with the urgent item that just landed in your inbox. Cybersecurity is probably on the list, but it is usually found nearer the bottom than the top.
For most leaders, cybersecurity sits in a curious place. It is handled by whoever looks after your IT, and it consists of some antivirus software, maybe a firewall, and possibly a policy, though definitely not one that has been read recently. On the list of urgent tasks to complete this week it is nowhere near making the cut: it hasn't caused an issue, and there are more pressing concerns that need seeing to.
That’s not an uncommon or unreasonable position. But it’s an increasingly risky one because of a fundamental shift in how cybercrime now operates that most business leaders have not had clearly explained to them, and certainly not without an ulterior motive.
The latest UK government Cyber Security Breaches Survey provides comprehensive insight from 2000 UK businesses and tells a familiar story. It says that cyber attacks are becoming increasingly frequent, and that while business leaders are aware of the threat, in today's economic climate it is not being prioritised effectively.

For most of the history of cyber threats, large-scale cyberattacks required serious technical expertise, significant financial resource, and a deliberate choice of target. Targets were, logically, organisations large enough to make the effort worthwhile, such as major financial institutions, critical national infrastructure, or large retailers.
That model has broken down.
Recently, the barrier to entry for would-be cyber attackers has been lowered. Cheap, ready-made attack toolkits are available on the dark web for a few hundred pounds. AI can generate phishing campaigns at a scale that was previously unimaginable. Attacks that once required a sophisticated criminal enterprise are now available on a subscription basis.
As a consequence, every organisation is now a target.
While smaller organisations have shallower pockets than the traditional large enterprise targets, malicious actors are attracted by the less sophisticated defences, smaller or non-existent security teams, and a higher likelihood of a ransom being paid quickly.
The threat landscape an organisation faces is not determined by its size.
As an example, comparing the threats faced by a medium-sized local firm of 80 employees with a FTSE 100 company produces a list of similarities. The entry points or attack vectors are the same: email, remote access, supplier connection, and user error. The potential consequences are the same: data loss, operational disruption, and reputational damage.
What is different between these two example organisations is the resource available to respond to cyber threats. The FTSE 100 company can deploy a range of defences, including a dedicated cybersecurity team led by a Chief Information Security Officer, as well as investing in enterprise-grade monitoring and detection tools. The local firm with a single IT generalist cannot replicate that model, and nor should it.
That tension between the size of the threat and the scale of the resource available is the paradox. It is not a niche problem. It is the cybersecurity challenge for the vast majority of organisations.
The good news is that the paradox is resolvable. Not by spending your way to enterprise-grade security, nor by ignoring the problem and hoping for the best, but through a structured, proportionate, and practical approach that medium-sized organisations are already using.
Three principles form the basis of credible, achievable cybersecurity defences:
The most important shift an organisation can make to being more cyber resilient is moving from ad-hoc, reactive security decisions taken in isolation to a structured framework-based approach that reflects the risks and profile of the organisation. In practice, this means starting from a clear understanding of what you need to protect, what the realistic threats are, and where the most significant gaps exist.
While there are internationally recognised frameworks (such as NIST, ISO 27001 or the UK’s Cyber Essentials), they all boil down to 5 fundamental questions:
These five elements provide a guiding light to organisations and a principled basis for making decisions about where to invest, what to prioritise, and what good could look like for their unique situation.
The 2025 survey data support this: small businesses that undertook cybersecurity risk assessments and engaged with a framework improved their cyber preparedness.
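To make the framework-based approach above concrete, here is a small added example (not code from the original article or from any of the frameworks it names) of a risk register that starts from what you need to protect, the realistic entry points, and the gaps in existing controls, and then ranks where to invest first. The assets, likelihood and impact scores, control weights and the sample register are all constructed for illustration; the weighting scheme is an assumption, not a method prescribed by NIST, ISO 27001 or Cyber Essentials.

```python
"""Proportionate risk prioritisation for a small risk register.

Added illustrative example: scores each risk as likelihood x impact, discounts it
by the controls already in place, ranks the residual gaps, and reports which single
missing control would remove the most risk across the register. All values below
are constructed for illustration and are assumptions, not survey data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed weights: the fraction of a risk's score a control removes when present.
# Coverage is capped so no risk ever scores zero; controls reduce exposure,
# they do not eliminate it.
CONTROL_WEIGHT: Dict[str, float] = {
    "mfa": 0.5,
    "patching": 0.3,
    "malware_protection": 0.3,
    "firewall": 0.2,
    "user_training": 0.2,
    "backups_tested": 0.4,
}
MAX_COVERAGE = 0.8


@dataclass
class Risk:
    asset: str                    # what you need to protect
    vector: str                   # realistic threat / entry point
    likelihood: int               # 1 (rare) .. 5 (expected this year)
    impact: int                   # 1 (minor) .. 5 (business-threatening)
    relevant: List[str]           # controls that would reduce this risk
    implemented: List[str] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def coverage(self) -> float:
        present = [c for c in self.relevant if c in self.implemented]
        return min(MAX_COVERAGE, sum(CONTROL_WEIGHT[c] for c in present))

    def residual(self) -> float:
        return round(self.inherent() * (1 - self.coverage()), 2)

    def missing(self) -> List[str]:
        return [c for c in self.relevant if c not in self.implemented]


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest residual score first: the ordered list of gaps to close."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


def best_next_control(risks: List[Risk]) -> Tuple[Optional[str], float]:
    """Which single not-yet-implemented control removes the most residual risk
    across the whole register? Returns (control name, total reduction)."""
    candidates = {c for r in risks for c in r.missing()}
    best: Tuple[Optional[str], float] = (None, 0.0)
    for control in candidates:
        reduction = 0.0
        for r in risks:
            if control in r.missing():
                trial = Risk(r.asset, r.vector, r.likelihood, r.impact,
                             r.relevant, r.implemented + [control])
                reduction += r.residual() - trial.residual()
        if reduction > best[1]:
            best = (control, round(reduction, 2))
    return best


# Constructed sample register using the entry points named in the article:
# email, remote access, supplier connection and user error.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Finance mailbox", "email (phishing / invoice fraud)", 5, 4,
         ["mfa", "malware_protection", "user_training"], ["malware_protection"]),
    Risk("Remote access (VPN/RDP)", "remote access (credential abuse)", 4, 5,
         ["mfa", "patching", "firewall"], ["firewall"]),
    Risk("Supplier portal connection", "supplier connection (third-party compromise)", 2, 4,
         ["mfa", "firewall"], ["firewall"]),
    Risk("File server", "user error (accidental deletion / misdirected data)", 3, 3,
         ["user_training", "backups_tested"], []),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.residual():5.1f}  {r.asset:28s} via {r.vector}; missing: {', '.join(r.missing()) or 'none'}")
    control, saved = best_next_control(SAMPLE_REGISTER)
    print(f"Best next investment: {control} (removes {saved} points of residual risk)")
```

Run as a script it prints the register ranked by residual risk and names the single control that would reduce the most risk overall. With the constructed values, remote access ranks first and multi-factor authentication is the best next investment, which mirrors the point the article goes on to make about two-factor authentication; the numbers themselves are only as good as the likelihood and impact judgements you put in, so the value of the exercise is in forcing those judgements to be made explicitly.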
Effective cybersecurity for one organisation does not equate to suitable protection for another. Each organisation should invest in a way that is appropriate to its budget, size and risk profile, critically starting with the areas of greatest threat and exposure and then building from there.
In practical terms, this means focusing on the fundamentals. The 2025 survey found that while most businesses have basic controls in place (77% have up-to-date malware protection and 72% have network firewalls), adoption of more effective controls, such as two-factor authentication, remains lower than it should be, at only 40%. These controls are not expensive or complex to implement. They simply require someone to make them a priority.
Research consistently shows that a relatively small number of well-implemented, appropriate controls prevent the majority of attacks from succeeding.
The skills shortage in cybersecurity is genuine and well-documented. Finding, hiring, and retaining the in-house expertise needed to operate a modern security programme is prohibitively expensive for most organisations of 50 to 500 people. The managed service model exists precisely to solve this problem.
The 2025 survey data reflects this: external cybersecurity consultants and IT providers are the most common source of cybersecurity guidance for businesses overall, including for 43% of medium-sized organisations.
For mid-market organisations without the budget for a dedicated security team, a strategic cyber partner is not a luxury; it is the mechanism that resolves the cybersecurity paradox.
Without one, medium-sized organisations are at the mercy of vendors who focus on selling tooling rather than understanding their needs and compliance requirements, and who are not proactive should something go wrong.
Over the next twelve weeks, we will take you through every major dimension of the cybersecurity paradox: the threat landscape, the investment case, the human factor, the compliance and certification landscape, the specific risks that matter most for organisations, the incident response question, the insurance implications, and the stories of organisations that have navigated this before you.
We aim to deliver clear, plain-spoken, actionable advice that gives you and your organisation a genuinely useful window into improving your cyber defences. Whether you are a business or technical leader looking to demystify cybersecurity or to build a case for internal investment, this blog series will talk through the frameworks and language to use in those conversations.