Boards, Breaches and Accountability: Why Small Firms Need Risk Registers Now

Episode notes

Do UK small businesses need cyber risk registers? Graham said no. After this 40-minute debate with Noel Bradford, he changed his mind completely. This Small Business Cyber Security Guy podcast episode tackles cyber risk management for UK SMEs through a heated debate about whether small business boards need formal cyber risk registers. UK cyber security statistics that changed Graham's mind: 43% of UK small businesses experienced cyber breaches last year (DSIT 2025) 73% have no board-level cyber security responsibility 28% of SMEs say one cyber attack could close them permanently (Vodafone 2025) Average UK small business breach costs £3,398 Real-world cyber risk register failures: UK manufacturing company with "satisfactory" security controls destroyed by ransomware. Had antivirus, firewalls, backups. No documented cyber risk assessment. No board-level governance. Business nearly closed. Companies Act director duties most UK boards ignore: Section 174 requires directors exercise "reasonable care, skill and diligence" in managing company risks. With 43% breach rates, cyber risk is material. Failure to document cyber risk management exposes directors to personal liability.