Solving cyber security and compliance risks: how a mid-market CEO can sleep soundly

Solving cyber security and compliance risks is now a board-level priority for mid-market CEOs. Every day, businesses confront the stark reality of cyber threats, with breaches damaging reputations, disrupting operations, and creating financial losses that leave leaders uncertain about next steps.

Our comprehensive white paper presents a solution. Tailored specifically for busy mid-market CEOs, it furnishes a practical framework to alleviate the strains and vulnerabilities linked with cyber security and compliance. Drawing upon the collective wisdom of our seasoned CIOs, CTOs, and CISOs, we delineate essential measures that every business should adopt to shield themselves from cyber threats.

While sophisticated attacks may grab headlines, they are, in truth, uncommon. More often than not, hacks and breaches originate from rudimentary errors that could have been prevented. This underscores the critical importance for CEOs to undertake proactive leadership initiatives in safeguarding their organisations.

Explore the proactive measures you can initiate today to fortify your business against cyber threats.

Why solving cyber security and compliance risks needs CEO-level ownership

Cyber security is complex, fast moving, and increasingly commercial in impact. A serious breach can halt operations, damage customer trust, and consume management time for months. Most attacks succeed because of basic failures, not advanced hacking, which is why CEO leadership matters.

Executive Summary

It is not an exaggeration to say that most days we hear from companies who have been hacked. Their reputations are damaged, they’ve lost money, and they’re not sure what to do next. This white paper provides a template for solving cyber security and compliance risks, helping busy mid-market CEOs reduce exposure while building practical, affordable protection. We draw on the combined experience of our CIOs, CTOs and CISOs to list the basic, practical steps every business should take to protect itself. Yes, sophisticated attacks do happen. But they’re very rare. Most hacks and breaches result from basic errors. What are the leadership actions for a CEO?

What’s at stake?

Almost every day we hear from companies who have been hacked or who have suffered some kind of security breach. The company’s brand and the personal reputations of its key leaders are damaged, sometimes irreparably. They may have lost money or other valuable assets of their own, or money and assets belonging to their clients. They’re not sure what to do next. Fortunately, Freeman Clarke CIOs, CTOs and CISOs have deep experience in helping clients navigate these dangerous waters. But the uncertainty can begin much earlier: we’ve also seen how even the threat of a cyber attack makes many CEOs of mid-market companies feel exposed and vulnerable.

A related stress is the task of compliance: in addition to the need to regularly demonstrate compliance, many companies are at risk of huge contractual penalties in the event of a data breach or the like. And the law is tighter than ever, with severe government fines making headlines.

These are complex issues. And a CEO’s time is short. It can be difficult to find a simple, affordable strategy for security and compliance. Often there is no one person on the Board with the necessary technical knowledge, experience, and sensible attitude to lead the approach.

That’s why we’ve prepared this report: to provide busy CEOs with a template for mitigating the stresses and risks of cyber security and compliance.

Why it’s hard to get started

In our experience, the underlying issue is that mid-market companies lack the expertise to feel confident. The IT team understands the technical issues; business teams understand the commercial issues. But there may not be someone at the executive level with a firm grasp of all sides of the problem.

Meanwhile, external advisors are typically selling expensive products like AI-based intrusion detection, data loss prevention software, or advanced malware protection. But they’re often more concerned with making a sale than helping your company.

Many high-profile hacks have occurred at large, well-funded organisations that had all the clever products you can imagine. Products alone do not provide the solution.

For a mid-market business, often the starting points are relatively straightforward, such as training sessions that cultivate a culture of compliance in your company. And there are simple steps to reduce threats and to minimise impact in the event of a breach.

But the execution can be complicated, and it can be difficult to get buy-in from Board members. For better or worse, it falls to the CEO to insist upon certain changes—and to convince everyone that keeping the business secure is worth the investment of effort and money.

Above all, given the real risks and a tightening regulatory environment, there is no alternative to taking action.

How to mitigate the risks and sleep better at night

You may have heard that there’s no such thing as being truly secure. That is true—when it comes to cyber security, there is no finish line. But there are a set of basic, practical steps that every business should put in place.

Consultants, vendors, and the media would have you believe that it’s much more complicated. But based on our years of experience with hundreds of mid-market companies, nearly every single hack or breach was the result of basic errors: mistakes due to carelessness, lack of training or lack of expertise.

Yes, sophisticated attacks do happen. But they’re very rare. And even when sophisticated attacks have occurred, basic measures have allowed our clients to recover quickly with limited damage.

What follows is a straightforward, non-technical, actionable list of steps a CEO needs to take to protect their business and stay on top of compliance.

1. Make a risks-and-issues analysis

Every substantial business should maintain a list of risks and issues, with analysis of the mitigation options. The Board should review this document at least annually, and each risk or issue must be owned by an executive with the expertise and time to manage it.

A certain level of risk is of course inevitable. Nevertheless, documenting the risks, and having an open discussion about them, will drive sensible decisions about how to mitigate them and take action when and if the worst happens.

Even better, a risks-and-issues analysis avoids sweeping issues under the carpet. Instead, you confront them, identify a proportionate response, and ensure you are looking after the things that matter.

Make sure that the analysis leads to proper backup plans, a disaster recovery plan, and crisis management plans. In our experience, such planning can not only save a business in the event of a serious problem—it also reduces everybody’s day-to-day anxiety. Furthermore, many of these plans cut across the business, and working together to write the plans fosters trust and teamwork.

2. Sort out your cyber insurance

It’s prudent to consider cyber insurance. But not all cyber insurance is created equal. Here is how to carefully select an appropriate policy and provider.

The first thing to watch out for is if the provider takes the time to understand your risks and requirements. If they don’t, then they’re simply looking to sell you a policy, and you should walk away.

Next, check the exclusions on the policy. Make sure a member of your Board understands the coverage, most importantly whether it covers ransomware payments, recovery costs, and loss of business. Remember that cyber insurance may not give you back money that’s stolen from you: that generally requires a separate crime insurance policy.

Also, you should learn how claims work with the insurer. If you have to make a claim, will the insurer specify who runs the recovery programme? If so, how quickly can this third party mobilise? If the insurer does not stipulate a third party, don’t wait for an incident to evaluate potential suppliers—identify the best one now.

Ensure that your IT is compliant with the policy. The insurer may impose requirements on your IT, and these requirements may be obscure and complicated. Often the CFO signs the insurance policy without communicating the requirements to the IT team. And the IT team may need to document how they meet the requirements so that the insurer can audit if necessary, otherwise your policy may be invalid!

Finally, are your suppliers’ contracts clear about their liability? And are they appropriately insured?

The cost of good cyber insurance has mushroomed in recent years, with many insurers withdrawing from the market entirely. This is telling us something about the frequency of claims! In the end, there is a difficult balance to strike between the cost and the potential damage, but only by understanding your risks can you make an informed choice.

3. Foster a culture of security

The weakest security link in any business is often the people, and there is a strong possibility that at least some of your employees don’t understand the issues.

Don’t rely on the security protocols: lots of companies have guidance documents that nobody reads. Or perhaps people circumvent the rules with the tacit approval of their managers, who are busy and under pressure to deliver results—if managers are writing passwords on sticky notes or accessing business systems from insecure home computers, then their subordinates will do the same.

Instead, foster a culture of security. We recommend you start with awareness training, which is relatively inexpensive—a few hundred or thousand pounds, a small price to pay compared to the expense of getting hacked!

Next, as opposed to vague protocols, make sure there are clear standards in place, and the right people have the power to enforce them. For example, is your finance manager empowered to challenge an email that looks like it’s from you calling for an ‘emergency payment?’ How are suppliers’ bank details verified? Are your IT people empowered to call out poor security practices from senior managers?

The thing to remember is that in any business, culture starts from the top. If the CEO and the Board are lax about security, everyone else will be.

4. Get Cyber Essentials Plus

For most businesses there is a simple route to getting basic security right—certification from the UK government-sponsored scheme, Cyber Essentials Plus.

Specifically, this scheme identifies the basic technical measures to ensure your equipment is properly looked after, your network properly setup, and access properly controlled.

Most importantly, Cyber Essentials Plus requires all these things to be independently checked. (And don’t ask your existing IT supplier to do it: get an independent assessor!)

The total cost of this certification should be just a few thousand pounds and take a few weeks from start to finish.

We advocate that every mid-market business attain Cyber Essentials Plus. It certainly isn’t the whole answer, but it’s a big step forward for a lot of companies.

5. Do a Website Penetration Test

A penetration test is when a third party looks for weaknesses in your website. Most companies can have a full, detailed penetration test for just a few thousand pounds.

This is essential if your website includes custom software or any kind of ecommerce services, because poor technical practices can leave custom software full of holes. The OWASP Top 10 is the standard list of the most common categories of web application weakness, and the ones attackers try first. Ensure your penetration test explicitly covers this list.

Typically, penetration test findings are divided into high, medium, and low priority. Address all high- and medium-priority issues immediately. Address low-priority issues on a case-by-case basis, and re-test after the fixes to confirm they actually closed the hole.
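To make concrete what “full of holes” means in custom software, here is an added example (not code from the original paper, and not from any client system) of the single most common OWASP Top 10 finding in bespoke web code: SQL injection in a login form. It shows the vulnerable query beside the hardened one and runs the same probe a tester would use against both. The user table, the credentials and the probe payload are all constructed for the demonstration; plaintext passwords are used only to keep the example short and are themselves a separate finding any tester would raise.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
# Plaintext passwords are used only to keep the example short.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for a custom site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation: the classic injection hole.

    Whatever the user typed becomes part of the SQL text, so a quote in the
    input changes the meaning of the statement.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same logic, but with parameter binding: input is data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def run_injection_check(login) -> dict:
    """One check a tester runs: does a crafted input bypass authentication?

    Returns the outcome of a valid login, a wrong password, and the probe,
    so the two implementations can be compared side by side.
    """
    conn = make_db()
    # The tester's probe: closes the quoted string and adds a tautology, so the
    # vulnerable query becomes ... AND password = '' OR '1'='1', which is true
    # for every row.
    payload = "' OR '1'='1"
    return {
        "valid_login": login(conn, "alice", "s3cret-alice"),
        "wrong_password": login(conn, "alice", "nope"),
        "injection_bypass": login(conn, "alice", payload),
    }


if __name__ == "__main__":
    print("vulnerable:", run_injection_check(login_vulnerable))
    print("hardened:  ", run_injection_check(login_hardened))
```

Against the concatenated query the probe logs in without knowing any password; against the parameterised query the same input is just a password that does not match. A penetration test report would record the first outcome as a high-priority finding, and the fix is the second function: bind parameters everywhere user input reaches a query, rather than trying to filter “dangerous” characters.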

6. Comply with GDPR

We’ve seen many mid-market businesses ignore the General Data Protection Regulation, perhaps just hoping it will all go away. Often we speak to American businesses who don’t understand that GDPR may apply to them as well, because it covers anyone processing the personal data of people in the EU or UK, wherever the business is based. The penalties for breaking the rules are high, so it’s important to pay attention.

The good news is that for the most part, the compliance measures are sensible and worthwhile. And most businesses can organise an expert assessment of their GDPR compliance for a few thousand pounds.

The recommendations, however, can be complicated, and GDPR compliance can be a long process. So you’ll need to plan the work as a series of projects. Someone on the Board needs to have ownership of it, preferably someone both commercial and systematic in their approach.

GDPR compliance can be daunting. But you will actually make useful steps towards well-managed and well-organised back-office systems. Consider it a useful tool quite apart from the legal requirements. In the end, your company will run more efficiently and make better use of its data, which is a valuable asset.

7. Comply with ISO27001

ISO27001 is a more demanding information security management standard. Some companies have this standard imposed on them by corporate or government customers.

Either way, if your business is complex or has specific security requirements, then ISO27001 provides you with a means to bolster the culture of security we mentioned above. For example, if you manage sensitive data or valuable IP; if you want to demonstrate your credentials to demanding corporate clients; or if you plan for your business to offer important IT services, then ISO27001 gives you a means to embed security into every aspect of your business operations.

This is another standard that requires external assessment. Although the audit itself may only cost a few thousand pounds, implementing the necessary changes can be complicated and invasive. But that’s why companies brag about their ISO27001 certification: it’s a demanding standard and it means something.

Remember: secure companies are more efficient and reliable

Solving cyber security and compliance risks is not a one-off project, it is an ongoing leadership responsibility that strengthens resilience, improves operations, and builds trust with customers and regulators.

Let’s emphasise that the above steps are sensible. They will make your business more secure, so that you can sleep soundly. They’ll make it easier to demonstrate compliance. And in the event of a problem (because there are always problems) you will have mitigated the damage.

Your business will recover more quickly, and you will have avoided accusations of negligence.