Inside Cyber Security: 15 practical questions SME leaders can ask their IT teams

EMCSC
Admin


Many small and medium-sized businesses emerge from a cyber incident with the same conclusion: ‘We thought we’d done enough’.

They often have an IT provider, may have invested in security and obtained certifications, and have insurance policies in place.

Yet those measures still fell short.

Paul Abbott’s experience of the 2023 ransomware attack on East Midlands-based KNP convinced him that there is real value in Boards being equipped to ask clear questions.

He told delegates at the East Midlands Cyber Summit that the best move for Boards is to go from ‘we thought we’d done enough’ to ‘we know what we’re doing next’.

Mr Abbott suggests that this can be supported by senior leaders asking practical, straightforward questions of their IT teams and providers as part of normal working governance.

So how might this be achieved?

Start with plain‑English risk

Instead of technical detail, focus on everyday business impact. Ask your MSP or IT lead:

  • What are the most likely ways someone could break into our systems right now?
  • If our main systems went down for a week, which ones would hurt us the most?
  • When did we last practise getting everything back up – and what went wrong?

If your experts struggle to explain this in simple language, push for clearer answers.

Always double‑check

KNP had used the same IT provider for years, and only later realised that nobody had ever really challenged them.

Therefore, directors might ask questions such as:

  • Who, outside your own team, has checked our security in the last year? What did they find?
  • If you were trying to hack our business, where would you start? What have we done about that?
  • Can you show me recent problems you fixed that we didn’t notice?

You’re not accusing anyone – you’re simply making sure someone is checking the checker.

Make certificates work every day

Companies may hold certifications such as ISO 27001 or Cyber Essentials – but shouldn’t assume that the certificate alone keeps them safe. Ask questions such as:

  • How does this certificate change what we actually do day to day?
  • What do we check every month or quarter to make sure we’re still doing it?
  • What’s one thing we’ve changed this year because these checks showed a gap?

If the only time anyone talks about the certification is when renewal is due, it’s probably just a badge.

Be clear about who does what in a crisis

Company leaders don’t want to be working out who is in charge of what in the middle of an attack. Directors should therefore ask themselves, their IT teams and their MSP:

  • If something big happened tomorrow, who are the first three people we’d call?
  • How quickly could we pay staff and talk to customers if our systems went down?
  • Have we ever walked through a pretend incident together? What did we learn?

You’re looking for a simple, written recovery plan that you can understand and follow when the situation demands it – not one improvised on the spot.

Make these questions a habit

Finally, don’t wait for trouble before you start asking these questions.

At least every few months, ask your MSP or IT lead to attend a company meeting and put to them:

  • What worries you most about our setup right now?
  • If you were me, what would you fix first?
  • If we had to cut costs, what should we never cut on the IT/security side?

This post is part of a series based on content from speakers at the East Midlands Cyber Summit. The Summit was delivered by East Midlands Cyber Security Cluster as part of its CyberGrowth programme.


East Midlands Cyber Security Cluster

Unit 7, Brook Park Offices, Gaddesby Lane, Rearsby, LE7 4ZB


© 2026 East Midlands Cyber Security Cluster CIC. Company number 14943210.
