Cyber Security Breaches Survey 2025/2026: Article 32 in Practice for UK SMEs
Few business leaders are surprised by the headlines: cyber attacks are now part of daily business life. But the gap between technical controls and genuine business risk is widening. The recently published Cyber Security Breaches Survey (2025/2026) by the Department for Science, Innovation and Technology (DSIT) is a wake-up call, especially when viewed through the lens of Article 32 of the UK GDPR.
This survey highlights the disconnect many SMEs face—not just between tools and threats, but between compliance requirements and authentic governance. As a result, senior leaders are left uneasy about their true exposure and accountability.
What Is the Cyber Security Breaches Survey — and Article 32?
The annual Cyber Security Breaches Survey is the UK's yardstick for tracking the incidence and response to cyber attacks across thousands of businesses. This year's edition finds that 43% of UK businesses suffered a cyber breach or attack in the past 12 months. Most incidents involved phishing, but ransomware and unauthorised access continue to disrupt organisations of all sizes.
At the heart of the survey's recommendations is compliance with Article 32 of the UK GDPR. Article 32 goes beyond technical defences: it requires "appropriate technical and organisational measures" to secure personal data. This means that security is not just a technology challenge—it is a governance and business leadership issue. For detailed requirements, refer to the ICO’s guidance on security under the UK GDPR.
Why This Matters for SMEs
Many SME leaders believe that possessing Cyber Essentials, deploying a firewall, or buying insurance is enough. Yet, the survey reveals serious gaps:
- Only 47% require two-factor authentication on critical accounts.
- Just 25% have a formal incident response plan.
In my experience working with UK SMEs, the real challenge is ownership. When something goes wrong, who at board level is accountable for the outcome—not just the process? Article 32 expects senior management, not just IT teams, to be able to demonstrate how they protect data and respond to incidents. Failing to meet these obligations increases exposure to regulatory, financial, and reputational risks.
Real-World Implications: Accountability in Action
The most common gap I see is the conflation of compliance with protection. Many organisations treat certifications as a finish line, not a baseline. For instance, I often review incident logs for SME clients after a breach and see that, while technical patching was up to date, there was no clarity on escalation routes, external reporting obligations, or decision-making authority during the incident.
The current survey reinforces that:
- Incident response planning is neglected. Without a board-approved incident response plan, organisations are unprepared to coordinate a rapid, compliant response.
- Multi-factor authentication is not universal. Where it is missing, compromised credentials frequently lead to data loss or regulatory notification events.
- Patchwork ownership leaves risks unmanaged. When there is no clear owner for cyber risk, decisions get deferred and vulnerabilities persist.
For SMEs, such oversights are not just technical lapses—they expose directors to personal liability and the business to avoidable disruption.
Key Challenges and Risks
Translating Article 32 into day-to-day practice is demanding for resource-constrained SMEs. The most significant challenges are:
| Challenge | Description |
| --- | --- |
| Demonstrable Accountability | Regulators increasingly expect documented evidence of decision-making, not just an IT policy file. |
| Balancing Resilience and Resources | Most SMEs cannot justify an in-house CISO yet face the same regulatory standards as larger enterprises. |
| Evolving Threat Landscape | As cyber threats become more sophisticated, yesterday’s controls are quickly outpaced. |
| Fragmented Toolsets | Many have accumulated security products via compliance or insurance requirements but lack a joined-up approach to governance, risk and compliance. |
A key risk is that board-level responsibility for cyber security remains nominal, resulting in a dangerous gap between technical controls and business outcomes. For SMEs handling personal data or working in regulated sectors, this risk is compounded by heightened data protection obligations.
Practical Actions and Recommendations
| Recommendation | Description |
| --- | --- |
| Formalise Clear Risk Ownership | Appoint a specific executive or board member with overall accountability for cyber risk and reporting. This bridges the gap between IT actions and business consequences. |
| Develop and Test an Incident Response Plan | This plan should involve not just technical staff but the executive team—so the organisation can act quickly and compliantly under pressure. |
| Implement (and Enforce) Multi-Factor Authentication | Make MFA non-negotiable for all key accounts and systems. This single step mitigates a significant proportion of attacks. |
| Review and Rationalise Security Controls | Periodically assess your suite of technical and organisational measures against real-world scenarios, not just compliance checklists. Use external benchmarks—like the Cyber Security Breaches Survey—to inform your approach. |
| Adopt a Governance-Led Security Model | Shift from control-by-tool to control-by-ownership. Boards should review regular reports on cyber risk posture and mitigation, translating technical status into business language. Embedding a governance, risk and compliance framework helps make this routine and auditable. |
From a security perspective, these steps make it much easier to demonstrate compliance (to the ICO or clients), to recover quickly when incidents occur, and to drive a security culture beyond tick-box exercises.
Future Outlook
The regulatory bar is only rising. The ICO and government are linking survey results directly to compliance monitoring and enforcement. We can expect greater scrutiny of practical governance—not just policy documentation. Boards and executives should anticipate a future where demonstrating Article 32 compliance requires evidence of regular testing, board-level visibility, and business-wide participation in cyber risk management.
A further trend is the normalisation of board-level cyber advisers—the so-called vCISO—who provide independent assessment and keep security aligned with commercial strategy. For SMEs, accessing this expertise on a fractional or advisory basis may soon become the norm, not the exception.
Conclusion
The 2025/2026 Cyber Security Breaches Survey is a clear signal: security is now about governance and ownership, not just technology. For SME leaders, Article 32 means building a culture of accountability—demonstrating not only the presence of controls, but the leadership to use them effectively. True resilience comes from embedding risk management and incident response at the board level, not just the IT desk.
Henry Lawrence
Henry is the Managing Director of ITbuilder. He is also a CISM professional with over 7 years' experience leading cyber security strategy and transformation initiatives across public and private sector clients. He has a strong track record of delivering maturity assessments, cyber governance models, and Secure by Design programmes in FS, Public Sector and E&U.