SMBs are now the primary target of cyber attacks in Europe - 60% of all attacks hit companies with fewer than 250 employees. The reason: SMBs hold valuable data (customer records, payment details, supplier credentials) but devote far fewer resources to security than enterprises. The typical cost of a successful attack on an SMB is €20,000-€500,000+ once downtime, recovery, legal work and lost clients are counted. A properly configured security baseline costs €3,000-€15,000 per year - dramatically less than the fallout from one incident. Security is also the operational half of GDPR compliance: Article 32 requires technical and organisational measures appropriate to the risk, and the baseline below is what that obligation looks like in practice.
Five most common threats
- Ransomware. Attacker encrypts your data and, in most current campaigns, steals a copy first to extort you with publication. Demands €10,000-€500,000. Business halts 3-30 days. Defence: regular backups that are offline or immutable and restore-tested, patch management, MFA on every remote-access path (VPN, RDP, email), phishing training. Because the data is also exfiltrated, backups restore operations but do not undo the GDPR breach.
- Phishing. Fake email harvests passwords or one-time codes. Entry point for 60-70% of serious attacks. Defence: continuous training, MFA (preferably phishing-resistant, i.e. FIDO2 security keys or passkeys, since SMS and push codes can be relayed by a real-time phishing proxy), email security gateway.
- Business Email Compromise. Attacker compromises the owner's or CFO's mailbox, or registers a lookalike domain, and issues fraudulent payment instructions. A €20,000-€200,000 transfer lands in the wrong account. Defence: MFA, second-channel confirmation for large transfers and for any change of bank details ("call the known number before changing an IBAN"), SPF/DKIM/DMARC with an enforcing policy on your own domain so it cannot be spoofed, and a gateway that checks senders' DMARC on inbound mail. No DNS record stops a lookalike domain; only the call-back does.
- Cloud account takeover. Attacker reaches your Microsoft 365 or Google Workspace tenant, usually with a phished or reused password. Defence: mandatory MFA, disabling legacy protocols that bypass it (IMAP/POP/SMTP basic authentication), conditional access, activity monitoring (new mail-forwarding rules and sign-ins from unfamiliar locations are the classic signs).
- Insider threats. A former or disgruntled employee retains access, or a shared account means nobody's access can be cut without cutting everyone's. Defence: least privilege, one named account per person, revocation on the day someone leaves, audit logs.
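The SPF/DMARC part of the BEC defence above is something you can check yourself. Below is an added example, not code from the original page: it takes the TXT records a domain publishes (paste in the output of `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain`) and flags the settings that leave the domain spoofable, such as `?all` or `+all` in SPF, `p=none` in DMARC, or a missing `rua=` reporting address. The two domains and their records are constructed samples, not real lookups.

```python
"""Flag weak SPF and DMARC records.
Added example for this page; the domains and TXT records below are constructed,
not real DNS lookups."""
import re

# Constructed records for two fictional domains, as returned by a TXT lookup.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ?all",
        "dmarc": "v=DMARC1; p=none;",
    },
    "ok.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@ok.example; pct=100",
    },
}

# SPF terms that cost a DNS lookup; receivers stop evaluating after 10 (RFC 7208 section 4.6.4).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?::|/|$)|^redirect=", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none;' -> {'v': 'DMARC1', 'p': 'none'} (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(spf) -> list:
    """Weaknesses in one SPF record; empty list means none found."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send mail as this domain"]
    terms = spf.split()[1:]
    findings = []
    all_terms = [t.lower() for t in terms if ALL_TERM.match(t)]
    if not all_terms:
        findings.append("SPF has no 'all' term: unlisted senders are treated as neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("SPF ends with +all: it authorises every host on the internet")
        elif qualifier == "?":
            findings.append("SPF ends with ?all (neutral): equivalent to no policy")
        elif qualifier == "~":
            findings.append("SPF ends with ~all (softfail): only effective with DMARC p=quarantine/reject")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; receivers stop at 10 and return permerror")
    return findings


def dmarc_findings(dmarc) -> list:
    """Weaknesses in one DMARC record; empty list means none found."""
    if not dmarc:
        return ["no DMARC record: receivers never enforce SPF/DKIM failures for this domain"]
    tags = parse_dmarc(dmarc)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC record must start with v=DMARC1; receivers ignore it otherwise")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains (hr.yourdomain, billing.yourdomain) can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports, so spoofing goes unseen")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


def assess(records: dict) -> list:
    """All findings for one domain's SPF and DMARC records."""
    return spf_findings(records.get("spf")) + dmarc_findings(records.get("dmarc"))


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, "->", assess(records) or ["OK"])
```

Run it against your own domain and your suppliers' domains; a supplier on `p=none` is a supplier whose invoices can be forged, which is exactly the BEC scenario above. DKIM is not checked here because the selector names are not discoverable from DNS alone.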
Minimum security baseline
Technical: MFA on every business account (non-negotiable), endpoint protection (€30-€80/machine/year), patch management, email security gateway (€3-€10/user/month), 3-2-1 backups (three copies, on two kinds of media, one of them offsite and offline or immutable so ransomware cannot reach it), password manager.
Process: written security policy, incident response plan, 2-4 hours of security training per employee per year, repeated every year, least-privilege access with revocation on the day someone leaves.
Typical annual cost for a 20-50 employee company: €5,000-€15,000.
NIS2: the EU directive to know
NIS2 (Directive (EU) 2022/2555, transposed into each member state's national law) extends cybersecurity obligations to medium and large companies in banking, energy, transport, telecoms and digital infrastructure, healthcare, water, food production, digital services, and public administration. Smaller suppliers feel it indirectly: in-scope customers must manage supply-chain risk and pass requirements down in contracts. Fines reach €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and €7 million or 1.4% for important entities.
NIS2 requires (Article 21): risk analysis and security policies, incident handling, business continuity and backups, supply chain security, secure acquisition and development including vulnerability handling, cryptography, HR security and access control, MFA, training, and regular assessment of whether the measures work. It also sets reporting deadlines for significant incidents: an early warning to the national CSIRT or competent authority within 24 hours, a notification within 72 hours, and a final report within one month. Typical first-year compliance cost for a mid-sized company: €15,000-€80,000, plus €5,000-€20,000/year ongoing.
The 5 most common SMB security mistakes
- “We have antivirus, that’s enough.” Antivirus covers ~10% of threats: it only sees malware that lands on a machine, and phishing, credential theft, BEC and cloud account takeover involve no malware at all.
- “We’re too small to attack.” Attacks are automated; attackers pick by weakness, not size.
- “Our IT maintenance firm handles security.” IT maintenance and cybersecurity are different disciplines. See in-house vs agency.
- “We have backups.” Untested backups are worthless. Test restores quarterly.
- “Our employees know phishing.” 20-40% click on realistic simulations. Training must be continuous.
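Testing a restore is the one check on this list that is easy to automate. Below is an added example, not from the original page, covering the 3-2-1 backups in the baseline and the "test restores quarterly" point above: it records a SHA-256 manifest of the source share when the backup is taken, unpacks the archive into a scratch directory, and reports every file that is missing or differs. The sample share, its files and the mis-set exclusion that silently drops one file are constructed for the demo.

```python
"""Restore test for a backup archive: unpack it into a scratch directory and compare
every file's SHA-256 with the manifest recorded when the backup was taken.
Added example for this page; the file share and its contents are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(src: Path) -> dict:
    """What *should* be in the backup: {relative path: sha256} of every file under src."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path, exclude=frozenset()) -> None:
    """Write src as a tar.gz. `exclude` stands in for an exclusion pattern in the backup job."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            rel = p.relative_to(src).as_posix()
            if p.is_file() and rel not in exclude:
                tar.add(p, arcname=rel)


def verify_restore(archive: Path, manifest: Path) -> tuple:
    """Restore into a throwaway directory and diff against the manifest.
    Returns (ok, problems); ok is True only if every file is present with the recorded hash."""
    expected = json.loads(manifest.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):        # Python 3.12+ and patched 3.8-3.11
                    tar.extractall(dest, filter="data")   # rejects ../ traversal and absolute paths
                else:
                    tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, digest in expected.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch: {rel}")
        restored_files = {p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()}
        problems += [f"not in manifest: {rel}" for rel in sorted(restored_files - set(expected))]
    return not problems, problems


def build_sample_data(src: Path) -> None:
    """Constructed files standing in for a small company's file share."""
    (src / "invoices").mkdir(parents=True)
    (src / "contracts").mkdir()
    (src / "invoices" / "2024-01.csv").write_text("id,amount\n1,1200.00\n2,380.50\n")
    (src / "contracts" / "acme.txt").write_text("Master services agreement, signed 2024-02-01\n")
    (src / "notes.md").write_text("# Ops notes\nRotate the offsite disk every Friday.\n")


def run_demo() -> dict:
    """Take a complete backup and one with a mis-set exclusion; restore-test both."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        src = work / "share"
        build_sample_data(src)
        manifest = work / "manifest.json"
        manifest.write_text(json.dumps(inventory(src), indent=2))
        good, bad = work / "share-good.tar.gz", work / "share-bad.tar.gz"
        make_backup(src, good)
        make_backup(src, bad, exclude={"invoices/2024-01.csv"})   # the job "forgot" a file
        return {"good": verify_restore(good, manifest), "bad": verify_restore(bad, manifest)}


if __name__ == "__main__":
    for name, (ok, problems) in run_demo().items():
        print(f"{name}: {'RESTORE OK' if ok else 'RESTORE FAILED'}")
        for problem in problems:
            print("  ", problem)
```

The point of the manifest is that it is written from the live data, not from the archive: a backup job that quietly skips a folder produces an archive that unpacks without error, and only the comparison against what should have been there catches it. Run the check from a machine other than the one that took the backup, so it also proves the offsite copy is readable.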
Frequently Asked Questions
Do we need a CISO? Usually no. An external fractional CISO on a monthly engagement is enough for most SMBs. Typical cost: €500-€2,000/month.
Who responds when we get attacked? Have a plan beforehand: external incident response team, legal counsel contacts, client communication plan. Without one, expect panic.
Do we need cyber insurance? For any company processing sensitive data, yes. €1,000-€5,000/year for an SMB. Covers restoration, legal support, and fines where national law allows them to be insured (many policies exclude them). Expect the insurer to require MFA, tested backups and patching as conditions of cover; a claim can be refused if they were not in place.
Can we use EU funds for cybersecurity? Yes, via NPOO (Croatia's National Recovery and Resilience Plan) and dedicated programmes. See our article on EU funds.
Related Articles
- GDPR and custom software - the technical half of compliance.
- Digitalisation mistakes companies make - ignoring security ranks among the costliest.
- Custom software vs SaaS - different security models per sourcing decision.
Need a security audit?
Book a free Discovery call. We will review your current baseline, identify the largest risks, and propose a phased plan to fit your budget.
Reach out at [email protected] or via the form on our homepage.