That’s a good question and one that I’ve often pondered upon.  Cost effectiveness, obviously: everyone’s on a budget, especially these days, and there is a healthy reluctance to spend money on what is seen as not being your core business. 

I would argue that these days IT is part of your core business, or perhaps part of your core business operations.  Ask yourselves how many of you can continue business without access to your IT systems and the data they hold.  If IT is part of your business operations, then so is its integrity and security.

Let’s take a quick look at some of the reasons why security doesn’t feel like core business to many people:

  • It’s invisible when it works

If cybersecurity is doing its job, nothing happens. No alerts, no fires to put out, no obvious ROI. Compared to sales, ops, or product delivery, it feels abstract and thankless.

  • It’s framed as an IT problem, not a business risk

Many SMEs still see cyber as “the IT guy’s job.” Leaders think in terms of revenue, customers, and growth, and cybersecurity is rarely translated into those terms.

  • Short-term survival beats long-term risk

SMEs run lean. Cash flow, hiring, and winning the next customer feel urgent. Cyber risk feels like something that might happen someday rather than something painful today, so it gets deprioritised.

  • Lack of personal exposure

If a leader hasn’t personally experienced a cyber incident, or heard a close friend’s horror story, it’s hard to internalise the risk. Threats feel like something that happens to “big companies” or “other people.”

  • Complexity and jargon turn people off

Cybersecurity language is often technical, fear-based, or compliance-heavy. When leaders don’t fully understand something, they’re less likely to own it as core strategy.

  • No clear ownership at the top

In many SMEs there’s no CISO, no risk committee, no board pressure. If no one at leadership level “owns” cyber risk, it floats somewhere below the surface.

  • Seen as a cost centre, not a value driver

Cybersecurity is usually positioned as insurance or compliance spend, not as something that enables trust, customer retention, or business continuity.

  • Optimism bias

Many SME leaders quietly think: “We’re too small / not interesting enough to be targeted.” Unfortunately, attackers often prefer SMEs because they’re easier targets.

Now let’s flip the mindset.  Cybersecurity starts to feel like it’s part of the core business when it’s framed as:

  • Protecting revenue, not systems.
  • Protecting customers, not servers.
  • Protecting the ability to operate.

Cyber incidents have to be seen as business stopping events, not just technical inconveniences.  Once that is recognised at the top, it tends to be moved into core business territory very quickly.

So, going back to the question I posed above: what do SME owners want from cyber security, assuming they now truly embrace its importance to the core of the business they are running?  I mentioned cost effectiveness above, and what follows has to be seen in the context of individual budgets, which will necessarily limit the spend.  To make that spend count, it must be targeted on what is actually important, and indeed critical, to the business, not on what is merely assumed to be critical or important.

What comes top of my list every time is the protection of critical business data.  Think of this in terms of what outcome is wanted.  Generally, that means that customer data, financial records, HR data and intellectual property remain confidential and intact.  From the angle of cost-effectiveness:

  • SMEs prefer low-cost but high-impact controls such as strong passwords, multi-factor authentication, and encrypted backups rather than expensive enterprise systems.
  • Preventing a data breach is far cheaper than paying fines, compensation, or suffering reputational damage.

High on the list of importance comes business continuity and minimal downtime.  It’s vital that systems stay available so the business can keep operating even after an incident.  This generally means simple, automated backups and basic disaster recovery plans that can be pulled from the shelf and put into use, having been regularly updated and tested (a backup that has never been restored is an assumption, not a backup).  Plans must minimise lost sales and lost staff productivity.

There’s a lot more to this, even whilst trying to keep it simple.  Some headlines:

  • Compliance and regulatory requirements – largely industry dependent, although some apply almost universally: GDPR to anyone handling personal data, PCI DSS to anyone taking card payments, and so on.
  • Reducing risk to a level that the organisation deems acceptable, what is known as the risk appetite.  There is no such thing as 100% security; you are essentially managing risk down to a level you can live with.
  • Ease of use for staff.  Security shouldn’t cause frustration and slow things down. 
  • Predictable costs.  Clear, predictable cybersecurity costs that fit within limited budgets.
  • Reputational and customer trust.  Whilst the fallout from loss of trust with your customers can vary from company to company, it is often extremely damaging, especially for companies that hold lots of personal client data.  Maintaining trust through basic security measures is far cheaper than trying to rebuild after a breach.

SME owners and managers are usually not looking for “perfect” security. Their focus is on practical outcomes that protect the business without overspending.  Don’t be lulled into a false sense of security, believing that the technical solutions you have been sold are adequate protection on their own.  Ask questions, look for assurance that you have this covered, and remember that often the best solutions are procedural, not technical.  Look at things from the angle of people, then process, and then technology.

Good Luck!!
