75% of UK Leaders Don't Trust Their Own Security: The Confidence Gap You Need to Close
I want to begin with a data point, because precision matters here.
A survey published in January 2026 by investigations firm Nardello & Co, covering 250 UK business leaders at enterprises with a minimum turnover of £250 million, found that 58% ranked cyber-related breaches as their top risk for 2026. Of those same leaders, three quarters said they doubted their organisation’s ability to manage those threats effectively.
I am aware that this survey covers larger enterprises rather than SMBs. I am citing it deliberately, because what it reveals is a pattern that does not respect business size. These are not small businesses without resources. These are substantial organisations with security budgets, teams, and tools. And three quarters of their senior leaders do not trust what they have built.
That should tell you something important.
What the Confidence Gap Actually Means
A confidence gap in security is not an unusual thing to identify in a survey. What is worth examining is what produces it.
When a business leader says they are not confident in their organisation’s ability to handle a breach, they are not usually saying they have no tools. They are saying, implicitly, that they do not know whether the tools are configured correctly, monitored actively, and supported by processes that would actually function under pressure.
That is a different problem. And it is a more serious one.
A business that knows it has no endpoint protection can purchase endpoint protection. A business that has endpoint protection but does not know whether it is working correctly has a harder problem to solve, because it requires looking honestly at the gap between what was purchased and what is actually happening. That kind of honest assessment is uncomfortable. It tends to produce findings that someone needs to take ownership of.
The research suggests most businesses are not doing that assessment. They are instead sitting in the space between “we have tools” and “we are not confident in those tools” and managing the discomfort by not looking too closely.
This week on the podcast, Mauven described this condition accurately: organisations are narrating themselves into a breach.
The Specific Conditions That Create This Gap
I want to be concrete about the mechanisms, because they are identifiable and addressable.
Configuration debt. Security tools configured during initial deployment and not reviewed since. Firewall rules written for a network topology that no longer exists. Alert thresholds set to reduce noise and never re-calibrated. The tool works. It may not be doing what anyone believes it is doing.
Ownership gaps. In smaller organisations particularly, security responsibilities are often shared between IT generalists, MSPs, and whoever happens to be paying attention. The consequence is that when an alert fires, the question of who is responsible for acting on it is not always clear. Alerts that do not have clear ownership tend not to get acted on.
The backlog that never shrinks. Every organisation accumulates a list of known security issues that are not urgent enough to act on immediately and not trivial enough to dismiss. In healthy organisations, this list is actively managed. In most organisations, it grows. The items at the bottom have been there for two years and nobody wants to raise them because raising them would require explaining why they haven’t been addressed.
Processes that exist on paper. Incident response plans that were written for a compliance requirement and never tested. Password policies that apply in theory but are inconsistently enforced in practice. Change management procedures that developers work around because they slow things down. The process exists. The security outcome does not.
Why SMBs Are Not Immune to This
I noted that the Nardello research covers larger organisations. I want to address directly why this analysis applies to small and medium businesses.
In large organisations, the confidence gap is produced by complexity: too many tools, teams, and processes for any one person to have an accurate picture.
In small businesses, the same gap is produced by resource constraints: not enough time, staff, or dedicated security expertise to maintain accurate oversight of what is actually happening.
The result is structurally similar. The business has tools and some form of security posture. Nobody has a fully accurate picture of whether those tools are configured correctly, whether the known issues have been addressed, or whether a process would function under real conditions.
The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses reported experiencing some form of cyber security breach or attack in the past twelve months. The proportion is lower for small businesses than for large ones, but it is not negligible, and it does not capture the significant number of incidents that are never identified or reported.
The businesses that discovered they had a breach in 2025 were not, in the main, businesses that believed they were completely unprotected. They were businesses with some level of security investment that turned out to have a specific exploitable gap that nobody had looked at recently enough.
The Three Closing Questions
If I were advising a business leader reading this, I would recommend three specific conversations before the end of this week.
First: ask your IT team or MSP for an honest list of what they are worried about.
Not the formal risk register. Not the items already scheduled for attention. Ask specifically for the things that concern them but have not made it onto any formal list, because they are not quite urgent enough, or because previous attempts to raise them did not land.
If you do not get an answer, that is itself an answer. Either your team has nothing to raise, which is possible but statistically unusual, or they have learned that raising concerns is not productive in your organisation. Both outcomes require action.
Second: test one process.
Pick one element of your security posture and test whether it actually functions. Send a simulated phishing email through a reputable service and see what happens. Attempt to restore data from your most recent backup and time how long it takes. Walk through the first three steps of your incident response plan and identify where it breaks down.
The purpose is not to find failures to punish. The purpose is to get an accurate picture. You cannot close a confidence gap by assumption.
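The backup test above is the easiest of the three to make repeatable, and a timed restore is only half of it: a restore that completes quickly but returns different bytes is still a failed backup. The following is an added example, not code from the original article, showing a scripted restore drill that restores an archive, times it, and checks the restored tree against the source file by file. It assumes a tar.gz archive as the backup format and standard POSIX utilities (tar, find, sort, date, mktemp, and sha256sum or shasum); the sample files it backs up are constructed inline as a stand-in for real data.

```shell
#!/bin/sh
# Added example (not from the original article): a scripted backup restore drill.
# Assumptions: backups are tar.gz archives; sha256sum or shasum is available.
# The sample data below is constructed for the demo, not real backup content.

# Hash one file; prefer sha256sum, fall back to shasum -a 256 on BSD/macOS.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Deterministic fingerprint of a directory tree: one "path hash" line per
# regular file, sorted, so two trees compare equal only if every file matches.
# Prints nothing (and fails) if the directory does not exist.
fingerprint() {
  ( cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while read -r f; do
      printf '%s %s\n' "$f" "$(hash_file "$f")"
    done )
}

# Constructed sample data standing in for a real source tree.
make_sample_data() {
  mkdir -p "$1/config" "$1/data"
  printf 'listen 443\nlog_level info\n' > "$1/config/app.conf"
  printf 'id,name\n1,alpha\n2,beta\n' > "$1/data/records.csv"
}

# Back up a directory into a compressed tar archive.
backup_dir() { tar -C "$1" -czf "$2" . ; }

# Restore an archive into a directory, creating it if needed.
restore_archive() { mkdir -p "$2" && tar -C "$2" -xzf "$1" ; }

# Compare source and restored trees. Succeeds only when the source fingerprint
# is non-empty (the source exists) and matches the restored fingerprint, so a
# missing source directory cannot produce a false "match".
verify_restore() {
  expected=$(fingerprint "$1")
  [ -n "$expected" ] && [ "$expected" = "$(fingerprint "$2")" ]
}

# The drill: restore, time it, verify. Exit status 0 means the backup is
# both restorable and intact; anything else is a finding to record.
restore_drill() {
  src="$1"; archive="$2"; dest="$3"
  start=$(date +%s)
  restore_archive "$archive" "$dest" || { echo "restore FAILED"; return 1; }
  end=$(date +%s)
  echo "restore took $((end - start))s"
  if verify_restore "$src" "$dest"; then
    echo "verify OK: restored tree matches source"
  else
    echo "verify FAILED: restored tree differs from source"
    return 1
  fi
}

# Stand-alone demo against the constructed data in a temporary directory.
demo() {
  work=$(mktemp -d)
  make_sample_data "$work/src"
  backup_dir "$work/src" "$work/backup.tgz"
  restore_drill "$work/src" "$work/backup.tgz" "$work/restored"
  rc=$?
  rm -rf "$work"
  return $rc
}
demo
```

To run it against a real backup, replace the demo with a call such as `restore_drill /path/to/live/tree /path/to/latest.tgz /tmp/restore-test`, and keep the elapsed time and verdict with the date: the number that matters is not the first run but the trend, and a verify failure is the "specific exploitable gap" the article describes, found on your schedule rather than an attacker's.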
Third: find one item from your oldest backlog.
Every business has security issues that have been deferred so many times they have become invisible. Find one. Understand why it has not been addressed. If the answer is that fixing it would be inconvenient, or would require a conversation nobody wants to have, that is the item to address first.
How to Turn This Into a Competitive Advantage
The confidence gap your competitors have is an opportunity for you.
When a potential client, partner, or supplier asks about your security posture, most businesses produce a compliance certificate and hope the conversation ends there. A business that can explain specifically what tools it uses, how they are monitored, what its known risks are and how they are being managed, and what its incident response process looks like stands out considerably.
This is becoming more relevant, not less. The Cyber Security and Resilience Bill is expected to pass into law later in 2026. Supply chain security requirements are tightening across multiple sectors. Cyber Essentials v3.3 goes live in April with strengthened requirements around cloud services and MFA.
The businesses that have closed the confidence gap are not scrambling to meet these requirements. They already have.
How to Sell This to Your Board
The board framing here is direct: the confidence gap is a governance failure, not a technical one.
Boards are responsible for ensuring that material risks are accurately understood and appropriately managed. A situation in which senior leaders doubt their organisation’s ability to respond to their number one identified risk is, by definition, a governance gap.
The practical question to put to the board is not “do we have enough security tools?” It is: “Can we, today, give an accurate account of whether our security controls are functioning as intended?” If the answer is no, that is the gap to close.
The Nardello research noted, with some understatement, that the data “highlight a degree of complacency that could well be existential for a business.” That is a reasonable summary of the situation. It is also, framed correctly, a board-level priority.
What This Means for Your Business
- Schedule a configuration review. For each security tool you operate, confirm: who configured it, when it was last reviewed, whether it still covers the systems you actually run today, and whether the alerts it generates are being acted on. This is not a tool purchase. It is an operational question.
- Assign clear ownership. Every security function needs a named person responsible for it. Not a team. A person. Shared responsibility produces the same outcome as no responsibility.
- Test one process this month. Backup restoration. Phishing simulation. Incident response walkthrough. Pick one. Do it, and write down what you found.
- Create a mechanism for honest reporting. The people closest to your systems need a route to surface concerns without career risk. This week, tell them explicitly that you want to hear bad news early. Then prove it by responding constructively when you do.
Sources
| Source | Article |
|---|---|
| Infosecurity Magazine | Cyber Breaches, Compliance and Reputation Top UK Corporate Concerns (January 2026) |
| DSIT / UK Government | Cyber Security Breaches Survey 2025 |
| NCSC | Cyber Security: Board Toolkit |
| ICCSO | The Cyber Threat Landscape in 2026: What Organisations Are Still Underestimating |
| Lexology / Morton Fraser MacRoberts | Cybersecurity in 2026: Why Vigilance Remains Critical for UK Businesses |
| UK Parliament | Cyber Security and Resilience Bill — Progress |
| ICO | Data Security Incident Trends |