Solving cyber security risks in 2025: six steps to a safer business

Solving cyber security risks has become a growing concern for mid-sized businesses. The government recently released its yearly Cyber Security Breaches Survey, and it’s illuminating. Whilst larger businesses are getting better at protecting themselves, security remains an ongoing concern, and many SMEs and charities still need to do a better job.

Cybercrime can be a particular stress for mid-sized organisations, which rarely have the resources of larger enterprises. We regularly speak to CEOs who worry about whether they are doing enough to keep their business safe. Others only realise the gaps after suffering a cyberattack and then struggle to recover and prevent the next one.

It’s true that cybercrime is on the rise. But it’s also true that the vast majority of cyberattacks can be prevented before they start. Our report, recently updated in light of the latest survey, explains how CEOs can take practical, proportionate steps to protect their businesses. For mid-sized organisations, solving cyber security risks starts with understanding where your vulnerabilities really sit, and then taking practical, affordable action before an incident forces your hand.

What’s at stake?

The government recently released its yearly Cyber Security Breaches Survey, and it’s illuminating. Whilst larger businesses are getting better at protecting themselves, security remains an ongoing concern, and many SMEs and charities could be doing a better job.

We’re not surprised. Almost every day we hear from companies that have been victimised by some kind of security breach. Brands and personal reputations are damaged, sometimes irreparably. Money or other valuable assets may be lost, either their own or their clients’. Often they’re not sure what to do next.

But uncertainty can begin much earlier. Even the threat of a cyberattack makes many CEOs of mid-sized companies feel exposed and vulnerable.

This is understandable given the sharp increase in threats like phishing and the adoption of new technologies. With Artificial Intelligence, for example, bad actors can use tools like ChatGPT to generate new scams, and employees may accidentally reveal sensitive information when using such tools.

Then there’s regulation. Many companies risk major contractual penalties after a breach, and the law is tighter than ever, with severe government fines regularly making headlines.

That’s why we prepared this report. It outlines straightforward steps every CEO should take before an attack. Freeman Clarke CIOs, CTOs, and CISOs contributed their combined experience to provide practical guidance for protecting your business.

Cyber security is a leadership challenge

In our experience, one of the first hurdles is ensuring leadership understands that responsibility ultimately sits with them. This isn’t about blame; it’s about recognising that only the Board has the authority to ensure the right actions are taken and that cyber security becomes an ongoing effort across the organisation.

Solving cyber security risks is not a technical exercise alone; it requires CEO-level ownership, clear accountability, and consistent follow-through across the whole organisation.

Often the issue is lack of executive-level expertise. IT teams understand technical risks, business teams understand commercial pressures, but there may be no one at leadership level who grasps the whole picture.

Meanwhile, external advisors frequently push expensive tools like AI intrusion detection or malware protection. Too often, selling takes priority over genuinely helping your business.

Based on our experience with hundreds of mid-sized companies, nearly every breach results from basic mistakes caused by carelessness, lack of training, or lack of expertise. Sophisticated attacks do happen, but they’re rare. And even when they occur, basic protections allow businesses to recover quickly with limited damage.

There’s no such thing as perfect security. There’s no finish line. But there are practical steps every CEO should take. Given today’s risks and regulations, action is no longer optional.

Six steps to a safer business

1. Analyse and log your risks and issues

Executive teams must identify specific risks, not vague concerns, and at least have a plan, even if that plan is “do nothing”.

Create a risk and issue log. It should describe each risk, estimate likelihood and impact, and prioritise resolution. Nothing should be excluded, even unlikely scenarios.

A risk may happen. An issue is happening.

Examples we’ve seen include:

  • An IT provider collapsing and leaving a company without access to servers
  • Flooding threatening power supplies
  • Hundreds of thousands of files encrypted by ransomware

Appoint a senior executive to own mitigation efforts. Keep the log current. An outdated log is useless.
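The log described in this step can be kept as simply as a spreadsheet, but the scoring and the "is it still current?" check are worth making explicit. The following is an added example, not part of the Freeman Clarke report: it records each entry with an owner, a likelihood and impact on assumed 1-to-5 scales, a plan (which may be "do nothing"), and a last-reviewed date; an issue (something already happening) is forced to maximum likelihood and sorted to the top, and anything not reviewed within an assumed 90-day window is flagged as stale. The three sample entries are constructed from the examples listed above.

```python
"""Risk and issue log with likelihood x impact scoring and a staleness check.

Added example, not from the report. The 1-5 scales, the high/medium/low
thresholds, the 90-day review window and the sample entries are all
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # assumed review interval
TODAY = date(2025, 6, 1)           # constructed "as of" date so results are repeatable


@dataclass
class Entry:
    title: str
    owner: str              # senior executive accountable for mitigation
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    plan: str               # may legitimately be "do nothing"
    last_reviewed: date
    is_issue: bool = False  # True once the risk is actually happening

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        if self.is_issue:
            # An issue is no longer a probability: treat it as certain.
            self.likelihood = 5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed thresholds on the 1..25 product scale.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def prioritise(entries: list[Entry]) -> list[Entry]:
    """Issues first, then risks by descending score."""
    return sorted(entries, key=lambda e: (e.is_issue, e.score), reverse=True)


def stale(entries: list[Entry], today: date = TODAY) -> list[Entry]:
    """Entries whose last review is older than STALE_AFTER; an outdated log is useless."""
    return [e for e in entries if today - e.last_reviewed > STALE_AFTER]


# Constructed sample log based on the three examples in the text.
SAMPLE_LOG = [
    Entry("IT provider collapsing, leaving us without server access", "COO",
          likelihood=2, impact=5, plan="Hold admin credentials and config exports in escrow",
          last_reviewed=date(2025, 5, 1)),
    Entry("Flooding threatening power supplies", "CFO",
          likelihood=1, impact=4, plan="do nothing",
          last_reviewed=date(2024, 12, 1)),
    Entry("Hundreds of thousands of files encrypted by ransomware", "CEO",
          likelihood=3, impact=5, plan="Restore from offline backups; engage insurer",
          last_reviewed=date(2025, 5, 20), is_issue=True),
]


def report(entries: list[Entry] = SAMPLE_LOG) -> list[tuple[str, str, int, str]]:
    """(title, owner, score, rating) in priority order, for the board pack."""
    return [(e.title, e.owner, e.score, e.rating) for e in prioritise(entries)]


if __name__ == "__main__":
    for title, owner, score, rating in report():
        print(f"{rating:6} {score:2}  {owner:4}  {title}")
    for e in stale(SAMPLE_LOG):
        print(f"STALE: '{e.title}' last reviewed {e.last_reviewed}")
```

Running it prints the ransomware issue first (score 25, high), the IT provider risk second (10, medium) and the flooding risk last (4, low), and flags the flooding entry as stale because it has not been reviewed for six months.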

2. Review your cyber insurance (or get some)

Not all cyber insurance is equal. Ensure providers understand your risks. Confirm coverage for ransomware, recovery costs, and business interruption. Crime insurance may be required for stolen funds.

Understand claims processes and recovery partners in advance. Ensure IT complies with policy requirements, otherwise coverage may be invalid.

3. Get training for everyone

People are usually the weakest link. Security policies are often ignored, or bypassed under pressure. If managers cut corners, staff will follow.

Build a culture of security. Empower finance teams to challenge suspicious payment requests. Verify supplier bank changes. Allow IT to challenge poor practices, even from senior leaders. Awareness training is inexpensive and far cheaper than a breach.

4. Have a third party perform an external review

Use independent experts to review systems, applications, and infrastructure, including penetration testing.

Ensure OWASP Top 10 vulnerabilities are assessed. Address high and medium risks immediately. Review low risks case by case. This can be scaled for mid-sized businesses and costs far less than a breach.

5. And don’t forget the basics

  • Secure your perimeter, physical and digital
  • Enforce least-privilege access
  • Keep systems patched and updated
  • Encrypt data, especially customer information (hashed and salted where appropriate)
  • Maintain offline backups with multiple versions (air-gapped)

Good backups can mean survival after an incident.

6. Get certified

Cyber Essentials Plus provides government-backed validation and can help win business.

For broader needs, ISO27001 embeds security across operations. It requires external assessment and meaningful organisational change, but it carries real weight.

The NIST Cybersecurity Framework is also a useful voluntary guide for building effective security practices.

Remember: secure companies are more efficient and reliable

These steps reduce risk, speed recovery, improve governance, and support automation and reporting. They make businesses more effective, profitable, and dependable.

Cyber security certifications are also powerful sales assets. We’ve seen clients win contracts simply because they were certified.

If questions arise as you take these steps, about cyber security or any IT issue in your mid-sized business, get in touch. We’re always happy to have a no-pressure, no-obligation conversation.