Cyber Essentials Plus is not enough – UK board directors must take action for holistic cyber protection

By Glen Williams, Cyberfort CEO


Just as the C-suite are familiarising themselves with this year’s cyber threats, it seems a bigger risk is looming on the cyber security agenda. A deeply concerning disconnect has emerged between cyber security board responsibilities and cybercrime reality that could lead to sub-standard cyber defences, successful data breaches, and worse.

Cyber threat levels remain high. The UK Government's Cyber Security Breaches Survey 2025 reports that 43% of businesses and three in ten charities experienced some kind of cyber security breach or attack in the last 12 months. With the stakes typically higher for SMEs, which have fewer resources than their larger peers, the real question is: are CEOs and board directors truly aware of their cyber security responsibilities?

Cyberfort’s own customer research has highlighted that many UK businesses consider a Cyber Essentials Plus (CE+) certification sufficient to keep their organization secure and to fulfil board requirements. In today’s threat landscape, where high-profile breaches have paralysed businesses for months at a time, that view could not be further from reality.

Beyond simple ignorance, it is worth asking first whether boards lagging in their responsibilities could be down to other underlying reasons.

Trending cybersecurity detachment at board level

The same Cyber Security Breaches Survey also highlights that boards are reducing their specialist cyber security representation. The proportion of businesses with a board member or director responsible for cyber security has dropped by 11 percentage points (from 38% to 27%) in the past four years. Yet with 72% of businesses responding to the survey stating that cyber security is a high priority, there is clearly a gap between board representation and cyber security reality.

From our customer interactions, we know there is often a disconnect between board level and the IT department in their understanding of who is responsible for cyber security. This likely contributes to the low average CISO tenure, estimated at 18–26 months in the CISO Workforce and Headcount 2023 Report from Cybersecurity Ventures.

There is clear evidence of the need for information security representation at board level. Research by the World Economic Forum shows that organizations with strong executive involvement in cyber security are 400% more likely to repel or rapidly recover from attacks.

The CE+ certification’s limitations

One of the most glaring gaps in the belief that CE+ is enough to keep an organization secure is that it contains no requirement for one of the most important capabilities for cyber survival: real-time threat detection and response. CE+ was never designed to protect organizations against advanced persistent threats (APTs), targeted attacks, or the evolving techniques used by criminal groups. It is a baseline of preventive controls, independently tested at a point in time.

While CE+ covers patch management, access control, malware protection, secure configuration, and boundary firewalls, it does not address critical areas such as:

Real-time threat detection and response

CE+ does not require a Security Operations Centre (SOC), a Security Information and Event Management (SIEM) platform, or Endpoint Detection and Response (EDR). These are the capabilities that let an organization spot an intrusion once preventive controls have failed and contain it before it becomes a breach.

Phishing and social engineering resilience
According to the UK Information Commissioner’s Office (ICO), over 80% of successful cyber incidents begin with phishing, yet CE+ has no requirements around simulated phishing or awareness training beyond general advice. Regular training and realistic simulation are the most effective way of building resistance to social engineering attacks in which emails are highly personalised and appear to come from a known person.

Cloud and hybrid environment protection
CE+ is still framed around a traditional network perimeter and gives little attention to many of the risks associated with modern SaaS, IaaS, and BYOD environments. As these ecosystems grow, so does the attack surface that CE+ does not examine.

Business continuity and incident response planning
Remarkably, there is no requirement under CE+ to prove you can recover from a ransomware attack or data breach. Planning for the worst, and testing that plan, is essential to fully understand potential risk.

Third-party and supply chain risk
As seen in the infamous SolarWinds breach, attackers often compromise vendors or contractors to reach their real targets. CE+ does not assess or govern these relationships, so it is up to each business to engage its suppliers on their cyber defence policies and practices.

Costs and consequences of gaps in protection

If executive teams don’t go beyond CE+, they are taking serious risks. Relying solely on CE+ gives the entire business ecosystem a false sense of security, with huge consequences if a breach is successful.

Regulatory and legal exposure is a key consequence of a cyber breach, with hefty fines payable for non-compliance. The average ICO fine for a serious cyber incident in the UK was £153,722 in 2024, according to URM Consulting.

Secondly, the industry is calling for it. Insurers are tightening their requirements, with some major underwriters requiring evidence of 24/7 monitoring and incident response plans to maintain coverage. It is also fast becoming a business requirement, with large clients demanding ISO 27001 or sector-specific certifications such as the NHS DSPT or PCI DSS to continue partnerships. Lacking parity with a prospect on cyber security diligence could be a deal-breaker.

The sheer scale of the risks of reputational and financial damage can’t be ignored. Businesses don’t always bounce back. In fact, Hiscox’s 2024 Cyber Readiness Report reveals that 47% of organizations struggled to attract new customers following a cyber attack.

The impact on business operations can be extensive, with far-reaching consequences. In 2024, the average ransomware incident led to 21–24 days of downtime and cost $2.73 million, according to NinjaOne.

Reasons for board directors to take action

Cyber risk is not something that directors can delegate accountability for, particularly when investors, customers, and regulators all expect board-level ownership of cyber resilience.

The C-suite must take action. As directors, they have legal duties under the Companies Act and UK GDPR. Ignorance is no longer a shield.

Threat actors are evolving faster than defences. The time to act is before a breach, not after. Cyber resilience is now a competitive differentiator, and clients, partners, and investors expect it.

The four key actions that business leaders must take

With all this understood, there are four key actions directors must take to ensure their organizations start on the right path to becoming secure, resilient, and compliant:

  1. Commission an independent cyber risk assessment that goes beyond Cyber Essentials Plus.
  2. Invest in detection and response capabilities, whether in-house or outsourced.
  3. Adopt a recognised security framework such as the NCSC’s Cyber Assessment Framework, NIST CSF, or ISO 27001.
  4. Ensure board-level oversight of cyber risk through regular briefings, KPIs, and executive ownership.

CE+ onwards and upwards

Business leaders must embrace Cyber Essentials Plus as the beginning of a journey in cyber protection, not a goal. Wherever a business is in terms of cyber security maturity, there are always improvements to make. But by acting now, business directors can secure the business, protect stakeholder trust, safeguard customers and employees, and meet their obligations in an increasingly hostile threat landscape.

Read the article on Resilience Forward here: https://resilienceforward.com/cyber-essentials-plus-is-not-enough-uk-board-directors-must-take-action-for-holistic-cyber-protection/
