InfoSec, CyberSec, IT Security: Vendors Are Selling You the Wrong One on Purpose
It's 2025, and UK small business owners are still being sold cybersecurity snake oil by vendors who wouldn't know real threat protection if it bit them on the arse.
Every week, I speak to business owners who've spent thousands on "comprehensive InfoSec programmes" when they needed basic IT security. They've bought "cutting-edge CyberSec platforms" when their most significant risk was someone walking off with an unencrypted laptop. They've hired consultants to develop "enterprise-grade information security frameworks" for 15-person companies that can't even keep their Windows updates up to date.
The cybersecurity industry has turned into a carnival of confusion, with vendors deliberately muddying the waters between Information Security, Cybersecurity, and IT Security to sell you whatever makes them the most commission. Meanwhile, 50% of UK small businesses with 10-49 employees were breached in 2025, proving that all this expensive confusion isn't actually protecting anyone.
Time for some brutal honesty about what these terms actually mean and which approach will keep your business alive instead of just making security consultants rich.
The Real Definitions (Not the Marketing Versions)
Let's start with Information Security, or InfoSec if you want to sound like you know what you're talking about at conferences. InfoSec is about protecting information regardless of format. That means your digital files, yes, but also your paper records, your conversations, anything that contains sensitive information. It's the comprehensive approach to keeping your business secrets actually secret.
InfoSec follows the CIA triad, and no, that's not the American spy agency. It's Confidentiality, Integrity, and Availability. Can unauthorised people access your information? Can someone tamper with it? Can you get to it when you need it? InfoSec addresses all three across every format and every stage of information handling.
Cybersecurity, or CyberSec for the acronym-obsessed, is narrower. It's specifically about protecting against digital threats. When someone talks about cybersecurity, they're talking about defending against hackers, malware, ransomware, and phishing attacks. Essentially, anything that comes at you through a computer screen or network connection.
IT Security focuses on protecting the entire IT infrastructure: your servers, networks, endpoints, and the data flowing between them. Most vendors treat IT Security and Cybersecurity as the same thing, though technically, IT Security is broader because it includes the physical security of IT systems.
Here's where the confusion gets expensive. A comprehensive InfoSec programme might cost £15,000 to £25,000 in the first year for a 30-person business. A sophisticated cybersecurity programme could easily run £25,000 to £50,000 annually. But basic IT security fundamentals? You can get meaningful protection for £5,000-£10,000 per year.
Why Most UK SMBs Are Buying the Wrong Thing
The problem is that most small businesses think they need enterprise-grade solutions because that's what every vendor is selling them. I've seen 20-person marketing agencies paying for SIEM systems they can't operate, law firms buying threat intelligence feeds they can't interpret, and manufacturers implementing ISO 27001 programmes that cost more than their annual IT budget.
Meanwhile, their basic IT hygiene is appalling. No multi-factor authentication. Servers running Windows Server 2012. Backup systems that haven't been tested since the Blair government. Staff are sending client data via unencrypted email while the business pays for "advanced persistent threat detection."
The latest UK government data shows that 85% of cyber incidents involve phishing, and that 42% of small businesses experienced such attacks in 2025. You know what stops most phishing attacks? Proper email security, user training, and multi-factor authentication. That's IT Security fundamentals, not some £50,000-per-year "AI-powered threat detection platform."
Real-World Consequences of Getting This Wrong
Let me give you a concrete example. Last month, I consulted for a 25-person accounting practice in Manchester that had spent £18,000 on an "enterprise information security programme" including policy development, risk assessments, and ISO 27001 gap analysis. Lovely binder full of policies. Comprehensive risk register. Beautiful compliance documentation.
Then someone walked into their office and stole a laptop containing client data. No encryption. No remote wipe capability. No device management. The £18,000 InfoSec programme hadn't addressed basic endpoint protection because that was "IT Security," not "Information Security." The ICO investigation cost them £45,000 in legal fees alone.
Compare that to a Sheffield engineering firm that spent £8,000 on basic IT security: endpoint encryption, device management, email security, multi-factor authentication, and tested backup systems. When their office got burgled six months later, the stolen devices were encrypted and remotely wiped. Total impact: the cost of replacement hardware and a productive afternoon working from the café across the street.
The Vendor Problem
The cybersecurity vendor landscape is a minefield of companies selling overlapping solutions with deliberately confusing terminology. Microsoft calls its basic security package "Defender for Business" and charges £2.50-£4.50 per user per month. Sophos sells "endpoint protection" for roughly the same price. CrowdStrike offers "endpoint detection and response" starting around £7 per user per month.
All three do roughly the same thing: protect your computers from malware, but they're marketed as completely different categories of security. Meanwhile, consultancies like NCC Group charge £150 to £300 per hour to develop "information security frameworks" that might or might not include any actual protection.
Here's the brutal truth: most UK small businesses would get better protection from a £500 annual Cyber Essentials certification plus basic managed IT security than from a £25,000 "comprehensive cybersecurity programme." But nobody's selling the simple stuff because there's no money in it.
What You Actually Need (And When)
For most UK small businesses, the priority should be IT Security fundamentals. Get your basic controls sorted: endpoint protection, properly configured firewalls, regular patching, phishing-resistant multi-factor authentication, and regularly tested backups. This gives you protection against 80% of threats for 20% of the cost.
Here's a critical point about multi-factor authentication that most vendors won't tell you: SMS codes and app-based authentication can still be phished. Government data shows 85% of cyber incidents involve phishing attacks, yet most businesses implement MFA that's vulnerable to exactly those attacks. FIDO2 hardware security keys provide phishing-resistant authentication via cryptographic challenges bound to specific domains. Even if an attacker tricks you into entering your password, the security key won't authenticate to a phishing site.
Cost? £45 per key for FIDO Alliance-certified options from manufacturers like Authentrend (currently £40 until December 22nd with their special offer), or £50-60 for premium brands like YubiKey. With two keys per employee (one as a backup), you're looking at £80-90 per person as a one-time investment. That's less than two help desk password resets, and infinitely more effective than SMS-based MFA that can be bypassed with social engineering.
The NCSC's Cyber Essentials scheme is essentially an IT Security checklist: firewalls, secure configuration, access control, malware protection, and patch management. Those five controls address the vast majority of threats that UK small businesses face. Certification costs £300 to £500 annually. Compare that to a "comprehensive cybersecurity programme" that might cost £25,000 to £50,000 per year.
Once you've got IT Security fundamentals in place, consider what additional protection you need. If you're handling highly sensitive information, such as medical records, legal documents, or financial data, you might need a broader InfoSec approach, as the regulatory and reputational risks are higher.
If you're primarily a digital business, software company, e-commerce, or online services, you might need sophisticated CyberSec capabilities because that's where most of your threats are coming from. But don't skip the fundamentals to buy the fancy stuff.
Budget Guidelines That Actually Work
For a business with 10 to 20 employees, budget £5,000 to £15,000 annually for security. That's roughly 7-12% of what you should be spending on IT anyway. If you're not spending at least £5,000 per year on information security in 2025, you're gambling with your business.
Start with IT Security fundamentals: £2,000 to £5,000 annually, depending on your size and complexity. Add basic information security policies using free ICO templates: it costs you time, not money, but it's incredibly valuable. Then consider cybersecurity-specific threats: £3,000 to £10,000 annually, depending on your needs.
Don't try to do everything at once. Start with the highest-risk areas and work systematically through the rest. And for the love of all that's holy, test your controls. I see businesses that have spent thousands on backup systems but have never actually tested restoring from them.
The Bottom Line
Whether you focus on Information Security, Cybersecurity, or IT Security initially doesn't matter as much as actually doing something correctly. The biggest risk is doing nothing while you debate the perfect approach.
But understand what you're buying and why. Don't let vendors sell you enterprise solutions for SMB problems. Don't pay consultants £300 per hour to develop policies you can download for free from the ICO. And don't buy sophisticated threat detection systems when your basic IT hygiene is appalling.
The cybersecurity industry wants to keep you confused because confused customers pay higher prices. Cut through the marketing bollocks, understand your actual risk profile, and invest in protection that matches your real needs, not your vendor's sales targets.
Start with IT Security fundamentals. Add broader capabilities as you grow and your risk profile changes. And remember: the best security programme is the one you'll actually implement and maintain, not the one that looks most impressive in a sales presentation.
| Source | Article |
|---|---|
| Gov.UK | Cyber security breaches survey 2025 |
| NCSC | Cyber Essentials: Requirements for IT Infrastructure |
| ICO | Data protection fee guide |
| Microsoft | Microsoft Defender for Business pricing |
| Sophos | Endpoint Protection Pricing 2025 |
| CrowdStrike | Falcon Go Endpoint Protection Pricing |
| NCC Group | Information Security Consulting Services |
| ABI | Cyber insurance market data 2025 |
| ONS | E-commerce and ICT activity, UK: 2025 |
| Authentrend | ATKey Series FIDO2 Security Keys |
| FIDO Alliance | FIDO2 Certification and Phishing Resistance |