You Can Buy IT, Not Responsibility

SME

A lot of SME owners say the same thing when security comes up: “But we have IT.” That sentence is a warning sign, not a comfort. Having an IT supplier does not mean your business is secure, and it definitely does not mean the supplier has taken over your responsibility for resilience, continuity, or cyber risk.

This is the first uncomfortable truth: responsibility does not transfer with the invoice. Guidance is clear that cybersecurity is a shared responsibility, and even in a small business, roles, awareness, and decision-making still matter. If the business does not know what it expects from IT, what risks it accepts, and how it will respond when something goes wrong, then it has not delegated security, it has merely outsourced parts of the work.

That distinction matters because many SMEs confuse endpoints with protection. An IT company can provide laptops, network access, cloud services, patching, and support tickets. It may even do those things well. But that is not the same as securing the business as a whole, because security also includes identity management, backup strategy, logging, response planning, supplier risk, data recovery, and business continuity.

The harder question is whether the IT supplier is actually secure itself. An SME that hands over access to email, files, endpoints, remote administration, and cloud administration is trusting that provider with a lot more than device management. If that supplier is weak on patching, access control, incident response, subcontractor oversight, or staff training, the SME inherits that weakness whether it knows it or not. Trust is not a control.

Regulation is moving in the same direction on this point. Organizations must assess and safeguard the cybersecurity of their suppliers and service providers, which means chain responsibility is no longer optional for the regulated buyer. NIS2 has the same basic logic: the organization in scope remains responsible for continuity and security, and vendors are pushed into the chain as risk-bearing partners rather than magic shields.

That is why the phrase “our IT company handles that” is too weak for serious business risk. A supplier can help you implement controls, but it cannot magically absorb the legal, operational, or commercial consequences of a breach. If your customer, insurer, regulator, or bank asks how your business stays secure, the answer cannot be “our provider said it was fine”.

The brutal reality is that many IT providers are good at delivering services and mediocre at proving resilience. Some are strong on endpoint deployment and network support but weak on business continuity, supply-chain transparency, escalation discipline, and evidence of their own security posture. If they cannot answer basic questions about how they protect privileged access, back up critical systems, handle incidents, and segregate customer environments, then they are not a resilience strategy, they are a dependency.

SMEs need to stop treating vendor selection like a purchasing exercise and start treating it like risk governance. Ask for more than a service brochure. Ask how the provider secures itself, who can access your environment, how incidents are reported, how backups are tested, where data lives, what subcontractors are involved, and what happens if the provider fails. If those questions make the supplier uncomfortable, that is useful information.

This is especially relevant now that larger regulated customers are increasingly pushing supply-chain obligations down into their smaller suppliers. If you are an SME and you cannot show basic control over your own environment, you may not just face security risk; you may lose business because your customers cannot defend your assurance posture to their own auditors. That is how indirect regulation works in practice.

The smartest SMEs will understand that “having IT” is not the same as having a security model. The IT supplier can be part of the solution, but the business still owns the decisions, the risk appetite, the continuity plan, and the accountability. If you do not know what your supplier is doing, how secure they are, or whether they are actually protecting your business instead of merely keeping the lights on, then you do not have control, you have hope.

Why this matters

This is not about blaming IT providers. It is about refusing to outsource accountability to a contract. The SME remains the owner of its data, its operations, its customer obligations, and its reputation, even when technical work is delegated.

For SMEs, the message is blunt: if your resilience depends on someone else, then you need proof that the someone else is worthy of that trust. Otherwise, you are not secure, you are merely connected.

Practical checks

A good SME baseline is simple:

  • Know exactly what your IT provider is responsible for, and what it is not.

  • Ask for evidence of their own security controls, incident handling, and backup testing.

  • Verify whether they use subcontractors or cloud dependencies that affect your risk.

  • Document who decides what when something breaks.

  • Make sure your own business can recover if the provider is unavailable.

If you cannot answer those questions, the problem is not your supplier alone. It is governance.

Forculus paragraph

Forculus can help SMEs cut through the “but we have IT” illusion by mapping what is actually outsourced, what remains the company’s responsibility, and where the hidden dependency risk sits.

The pro tip is brutally simple: do not assume your IT provider is securing your business just because they manage endpoints and networking; verify, document, and test the controls that matter before a customer, insurer, or incident exposes the gap.
