My recent articles have been all about data leakage, and I very briefly indicated that we have a solution for that. I am aware, though, that in cyber security, and in fact data protection, technical solutions on their own are not sufficient. They must be underpinned by sound policies and procedures. One of my favourite quotes, that I probably use too often, but I make no apologies for that, is by a Harvard professor and cyber security evangelist, Bruce Schneier. He says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

What am I getting at here exactly?  Well, some solutions are not about technology and in fact are best done procedurally and with sound cyber awareness training.  Other solutions are technical in nature but must be underpinned with sound policies and processes that are rolled out and understood by staff via sound cyber awareness training which covers these policies and processes and why they are necessary.

The great cry from cyber security professionals is – People, Process and then Technology.

For many SMEs, cybersecurity policies do exist but real visibility into cyber risk does not. Policies are often written to satisfy compliance requirements, reassure clients, and demonstrate intent, yet they rarely answer the questions executives care about most: Where are we vulnerable? What could realistically disrupt the business? Are we investing in the right protections?

What we are saying here is that security documentation should be more than a defensive tick box. When policies are actively mapped to vulnerability assessments, they become a powerful source of risk intelligence. Gaps between documented controls and technical reality surface quickly, exposing weaknesses that attackers are far more likely to exploit than auditors are to find.

In an environment where cyber incidents increasingly target smaller organisations, the difference between written policy and operational security is no longer academic. Converting policy into protection is a practical, achievable step that materially reduces risk and one that executive leadership is uniquely positioned to drive.

The trick is understanding what your risks are and what needs protecting and at what level.  What we mean is separating out what is highly sensitive, sensitive and not so much.  Our system helps you map this and helps you make some informed decisions, but it won’t write your policies for you.

I’ve written articles in the past on risk management and on identifying threats and vulnerabilities and mapping them to risks: identifying what could go wrong digitally, understanding how bad it would be for the business, and deciding what to do about it, all within your budget and risk appetite. Think of it like financial or operational risk, just applied to data, systems, and online operations.

You can’t protect everything equally.  You don’t need a threat catalogue, just a broad understanding of the common ones that hit SMEs.  You can then assess:

Risk = Likelihood × Impact

Translate tech issues into:

  • Revenue loss
  • Operational downtime
  • Legal/regulatory exposure
  • Reputational damage
  • Customer trust erosion – reputational damage

What we are looking to do is to decide how we treat each risk.  There are really 4 options that you need to think about in terms of each risk:

  • Reduce – put controls in place (e.g., MFA, backups)
  • Accept – consciously live with the risk
  • Transfer – insurance, contracts, outsourcing
  • Avoid – stop doing the risky thing

There was an interesting post on LinkedIn recently about the Bank of England having just dropped its 2025 CBEST Thematic Report with some interesting findings.


After 13 threat-led penetration tests across UK financial services, the message is clear: most vulnerabilities aren’t sophisticated. They’re foundational.

  • Passwords stored in spreadsheets and shared drives
  • Weak MFA enforcement and poor credential hygiene
  • Inadequate network segmentation
  • Detection capabilities that couldn’t spot simulated attacks early
  • Staff still falling for social engineering

The regulators’ call to action is direct:

  • Harden your systems – patch and configure properly
  • Fix your credentials management – MFA, strong passwords, no plaintext storage
  • Detect faster – monitoring and alerting that actually works
  • Remediate based on risk – with proper oversight, not just tactical patches

What I’m touching upon here is multi-layered security, what in the military we referred to as strength in depth. Monitoring systems has often been thought of as too difficult and expensive for SMEs, but that’s no longer true. We now have a solution that is affordable and designed specifically for SMEs, which handles monitoring but also has some useful add-ons such as vulnerability assessment, phishing simulations and a built-in cyber awareness programme, all within the licence costs, no hidden extras.
