They stand at the helm - directors, managers and owners - proud stewards of small and medium-sized enterprises. They’ve weathered economic storms, tamed supply chain chaos, and even survived the great toner cartridge famine of whenever.
When it comes to cybersecurity, they're absolutely certain they know enough, and to be frank, that’s the problem.
In today’s threat landscape where phishing emails wear pinstripes and ransomware is smarter than your most charming intern, confidence without competence isn’t just a weakness waiting to be exploited - it’s an open invitation.
Most SME leaders don’t wake up thinking, “Today, I shall be the weakest point on my company’s attack surface.”
They believe they’re doing just fine. They’ve got antivirus, their passwords are long-ish, and they once sat through a thirty-minute webinar called ‘cyber hygiene for the busy professional.’
That should do it, right?
Wrong!
We’re increasingly seeing cases of the Dunning-Kruger effect - a cognitive bias where those with the least understanding of a subject tend to overestimate their ability. The less you know, the more convinced you become that you’ve nailed it.
It’s not laziness. It’s not arrogance. It’s just human nature.
However, when it comes to cybersecurity, that misplaced confidence can be devastating.
Consider the overconfident CEO who clicks on an ‘urgent invoice’ attachment, believing themselves too savvy to fall for a scam. Or the managing director who waves away cybersecurity training with a breezy, ‘we’ve got IT for that.’
They’re not holding the line, the measures they’re using are completely ineffective against the kind of threat they’re facing.
The security threats facing businesses today are not the same as the ones five years ago. We’re talking about:
But leadership strategies in many SMEs remain stuck in an era where a good firewall and a stern password policy felt like enough.
That era is over.
The result? An open door, and on the other side - cybercriminals who are no longer bedroom-bound amateurs, but adaptive, well-funded, chillingly efficient, professional organisations.
One of the most common mistakes is treating cybersecurity as a purely technical problem - something to be delegated entirely to IT.
Don’t get me wrong, your IT team is essential. But assuming they’re solely responsible for security is like assuming your finance team handles fraud by instinct.
Cybersecurity is no longer just a tech issue. It’s a strategic leadership issue. Because when a phishing email tricks you - when you click, you approve or you dismiss the risk - the resulting breach isn’t just a technical failure, it’s a failure of leadership.
There’s a strange and persistent trend in SMEs: the belief that cybersecurity training is for everyone else. The staff need it, the junior managers, sure, but the people at the top? They already know enough … this isn’t true.
In fact, the higher up the ladder you are, the more essential training becomes because the decisions you make affect everything below.
When leadership refuses to engage, the message is clear - security isn’t that important. Then, when the breach comes, and it will - it’s not just data you lose, it’s trust, it’s reputation and sometimes it’s even the business itself.
They can start by acknowledging the problem, admit what you don’t know. That’s not weakness- that’s a sign of strength. Talk to the people who do understand the landscape. Get educated, not with box-ticking compliance modules, but through real-world, threat-focused, ongoing training. Bring cybersecurity into the boardroom, make it a part of every strategic conversation.
If you’re making decisions about digital infrastructure, partnerships, client data or supply chains, then guess what? You are an integral part of the cybersecurity perimeter whether you like it or not.
Small and medium-sized businesses are targeted because they’re seen as soft, underfunded, underprepared and overconfident.
That’s the assumption. Prove them wrong.
The cyber war isn’t coming. It’s already here.
To read more articles like this, click here.