On Tuesday 3rd June, BCS, The Chartered Institute for IT, held a roundtable in Portcullis House, House of Commons, with the All-Party Parliamentary Group for Cyber Innovation, exploring how small and medium-sized enterprises (SMEs) can best protect themselves from cyber incidents.
Representatives from across industry, academia, and government took part in a thriving discussion that covered the following.
The Cybersecurity Skills Gap
Participants agreed that while many graduates possess solid technical skills, they often lack real-world experience. Employers - particularly in small to medium-sized enterprises (SMEs) - are hesitant to invest in training early-career professionals, citing resourcing pressures and a lack of internal expertise.
There were calls for:
- Greater employer support for graduates and new entrants.
- Increased capacity at the National Cyber Security Centre (NCSC) to support skills development and industry partnerships.
- Exploration of social value frameworks to compel larger organisations to support digital skills development and community training programmes.
Challenges for SMEs
Many SMEs are unaware of the extent of their reliance on IT and digital infrastructure, and therefore underestimate their cyber risk.
The discussion highlighted that:
- SMEs with national or strategic significance may remain under the radar, making it difficult to target support or regulation.
- IT roles in SMEs are often informally assigned, with the "most tech-savvy person" responsible for critical systems.
- A cultural and capacity shift is required to recognise cybersecurity as a core business function, not an ancillary service.
Participants suggested a potential "Cybersecurity Buddy System", where larger organisations or cyber-capable charities could provide mentorship, guidance or shared services to SMEs and voluntary sector organisations.
Role of Outsourced Cyber Providers
Outsourced cybersecurity companies were likened to general practitioners (GPs): they are often the first line of defence but should be better connected to specialist services.
There was support for a regulated model that ensures:
- A baseline standard of service.
- Clear escalation pathways to expert support in high-risk incidents (e.g. ransomware).
- Better-informed procurement choices for SMEs.
This approach would raise the industry bar and shift expectations, prompting SMEs to actively question the quality and credentials of the services they use.
Making the Risk Clear and Actionable
The need for clearer, simpler messaging was a recurring theme. Suggested approaches included:
- Government-backed public messaging campaigns, akin to past national security awareness efforts.
- A strong emphasis that basic cyber hygiene doesn’t have to cost anything.
- Use of social value commitments and market differentiation as drivers—particularly in supply chain risk management.
- A "one-stop shop" - similar in simplicity and accessibility to HMRC’s self-assessment service - was suggested as a way to cut through inertia and guide SMEs step-by-step through cyber preparedness and response.
Embedding Cyber Support at Inception
Roundtable attendees proposed that cybersecurity advice should be integrated into the early stages of business creation. This could include:
- Embedding cyber advice into the process of company registration with Companies House or HMRC.
- Linking startup resources with national cyber best-practice materials and support networks.
Thanks to Daniel Aldridge MP, Chair of the APPG, for hosting and chairing the roundtable. If you are interested in collaborating with BCS on cyber in the future, please contact Head of Policy, Dan Howl, at dan.howl@bcs.uk.