Small and mid-sized businesses are currently the main target of cyber attacks in Europe - 60% of all attacks target companies with fewer than 250 employees. The reason is simple: they have valuable data (clients, finances, IP), but fewer security resources than large enterprises. Typical cost of a successful attack for an SMB: €20,000-€500,000+ through operational loss, ransom payment, loss of trust, and regulatory fines. A properly set up cybersecurity baseline costs €3,000-€15,000 annually - dramatically cheaper than the consequences.
This article breaks down the main threats for SMBs, what minimum measures are needed, and how to prepare for new EU regulations like NIS2.
Five most common cyber threats for SMBs
As a development partner, this is what we look at when analysing a client’s security - the five categories of threats we see regularly:
1. Ransomware
What: An attacker encrypts all your data and demands a ransom (€10,000-€500,000) for decryption.
How often: The most common successful attack on SMBs. Typical entry point: an opened malicious email attachment or an unpatched system.
Consequence: The entire company stops for 3-30 days. Paying gives no guarantee that you get the data back.
Defense: Regular backups (offline, or in the cloud behind separate credentials), patch management, employee phishing training.
2. Phishing
What: A fake email that looks like it’s from a colleague/bank/supplier asks for a password or a click on a link.
How often: The entry point for 60-70% of all serious attacks.
Consequence: Theft of access credentials, which opens the door to every other threat.
Defense: Employee training (repeated!), MFA (multi-factor authentication), email security gateway.
3. Business Email Compromise (BEC)
What: An attacker compromises the email account of the owner or CFO, then sends fraudulent payment instructions to accounting in their name.
How often: Less common, but with big consequences. Typical: “Change the IBAN for supplier X’s invoice.” A transfer of €20,000-€200,000 goes to the wrong recipient.
Defense: MFA on all email accounts, confirmation over a second channel for all large transfers (“call before changing an IBAN”), DMARC/SPF/DKIM for email.
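The SPF and DMARC part of that defence lives in two DNS TXT records, and the most common failure is that the records exist but are set to a policy that blocks nothing. The following check is an added example written for this article, not code from the article’s author: it parses the two records as strings (in practice fetched from the TXT record of the domain and of `_dmarc.<domain>`) and reports the weak settings a reviewer would look for. The domain names and records are constructed samples. DKIM is deliberately left out, because verifying it needs the per-sender selector name, which an outside check does not know.

```python
"""Check SPF and DMARC TXT records for weak settings (defensive audit)."""
from __future__ import annotations

# Constructed sample records for hypothetical domains; not real DNS data.
# In practice the strings come from a TXT lookup of <domain> (SPF)
# and _dmarc.<domain> (DMARC).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net a mx +all",
        "dmarc": "v=DMARC1; p=none;",
    },
    "good.example": {
        "spf": "v=spf1 include:_spf.example.net mx -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s",
    },
}


def _strip_qualifier(term: str) -> str:
    """Drop the +, -, ~ or ? qualifier in front of an SPF mechanism."""
    return term[1:] if term[:1] in "+-~?" else term


def check_spf(record: str) -> list[str]:
    """Return a list of findings for one SPF record (empty list = no issue)."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    all_term = next((t for t in terms[1:] if _strip_qualifier(t).lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' lets any server send as this domain")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral, as good as no policy")
    # RFC 7208 allows at most 10 DNS-querying terms per evaluation;
    # more than that yields a permerror and receivers ignore the record.
    lookups = 0
    for t in terms[1:]:
        body = _strip_qualifier(t).lower().split("/")[0]
        if body in ("a", "mx") or body.startswith(("a:", "mx:", "include:", "exists:", "redirect=")):
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return a list of findings for one DMARC record (empty list = no issue)."""
    findings: list[str] = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def audit(records: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Run both checks for every domain and collect the findings per domain."""
    return {d: check_spf(r["spf"]) + check_dmarc(r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        print(domain, "->", findings or ["no findings"])
```

A record that comes back clean here still only proves that receivers are told to reject unauthenticated mail; whether the legitimate senders (ERP, newsletter tool, CRM) are actually listed is something to confirm from the DMARC aggregate reports before moving from p=none to p=reject.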
4. Cloud account takeover
What: An attacker gets into your Microsoft 365, Google Workspace, or AWS account, and with it into everything - email, documents, infrastructure.
How often: Increasing as more companies move to the cloud.
Consequence: Data theft, abuse of paid resources, deletion of data, data being moved to another account.
Defense: MFA mandatory, conditional access policies, activity monitoring.
5. Insider threats
What: A former or disgruntled employee has access they shouldn’t.
How often: Less frequent, but often the biggest consequences (insiders know where the important things are).
Defense: Least-privilege principle (everyone has only the access they need), fast access removal at termination, audit logs.
Minimum security measures for SMBs
The basic security package we’d advise every client:
Technical measures:
- MFA on all business accounts (email, bank, ERP, cloud) - mandatory
- Endpoint protection (modern antivirus) on all computers - €30-€80 per computer annually
- Patch management - all apps and OSes automatically updated
- Email security gateway (Mimecast, Proofpoint) - €3-€10 per user monthly
- Backup with an offline copy - 3-2-1 rule (3 copies, on 2 different media, 1 of them offline)
- Password manager (Bitwarden, 1Password) for all employees
Process measures:
- Security policy - written, signed by employees
- Incident response plan - what to do if something happens
- Employee training - 2-4 hours annually, regular repetition
- Access rights - “minimum needed” principle, fast removal on departure
Typical annual cost for a company with 20-50 employees: €5,000-€15,000 total.
NIS2 - new EU regulation to know about
NIS2 (Network and Information Security Directive 2) is a new EU regulation that extends cybersecurity obligations to many more companies than before. Companies in sectors like:
- Banking and finance
- Energy
- Telecommunications
- Healthcare
- Water supply
- Food and beverage (production)
- Digital services (cloud, marketplaces)
- Public administration
…must implement a number of security measures. Fines for non-compliance can reach €10 million or 2% of global revenue.
What NIS2 concretely requires:
- Security policies
- Incident response plan
- Supply chain security
- Cryptography
- Human resources security
- Multi-factor authentication
- Security training
- Regular audits
Typical NIS2 compliance cost for a mid-sized company: €15,000-€80,000 in the first year, plus €5,000-€20,000 annually for maintenance.
5 most common security mistakes in SMBs
1. “We have antivirus, that’s enough.” Antivirus covers 10% of threats. Without MFA, backups, training, and monitoring - the system is open.
2. “We’re too small, no one attacks us.” Wrong. Cyber attacks are automated - the attacker doesn’t pick by company size, but by weakness.
3. “Our IT maintenance firm takes care of security.” A standard IT firm maintains systems. Cybersecurity is a separate specialty. Check what’s actually being done.
4. “We have backups but never tested restore.” A backup that can’t be restored is useless. Restore tests must be done regularly (quarterly).
5. “Employees know what phishing is.” No. Tests show 20-40% of employees click on a realistic phishing test. Training must be repeated, not one-time.
What to do in the next 30 days
A practical list you can start on immediately:
Week 1: Audit
- List of all systems you use
- Who has access to what
- Where backups are and how old
- Identification of biggest risks
Week 2: Urgent measures
- MFA on email and banks (mandatory)
- Backup check (test restore!)
- Check who has access they shouldn’t
Week 3: Training
- Cybersecurity meeting with the team
- Rules for email, passwords, USBs
- Phishing test plan for next month
Week 4: Long-term plan
- Written security policy
- Incident response plan
- Security measures budget for next year
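The Week 1 and Week 2 items (who has access to what, where the backups are and how old, who has access they shouldn’t, MFA everywhere) are the same checks the least-privilege and fast-removal advice above boils down to, and they are easy to run over a simple inventory. The script below is an added example for this article, not the consultancy’s own tool: it assumes you have exported three lists (accounts per system, the HR roster, the backup copies per dataset) into the record shapes shown, and it reports accounts of departed people, admin rights outside admin roles, missing MFA, and backup sets that fail 3-2-1 or are older than a week. The people, accounts, dates and system names are constructed sample data for a hypothetical company.

```python
"""Baseline audit over an SMB's own inventory: orphaned and over-privileged
accounts, missing MFA, and backup sets that fail 3-2-1 or are stale."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    system: str
    user: str        # e-mail of the person the account belongs to
    admin: bool
    mfa: bool


@dataclass
class Person:
    email: str
    role: str
    active: bool     # False once HR has processed the departure


@dataclass
class BackupCopy:
    dataset: str
    medium: str      # e.g. "nas", "cloud", "tape"
    offline: bool    # not reachable from the production network
    last_success: date


# Constructed sample inventory for a hypothetical company; not real data.
PEOPLE = [
    Person("ana@example.test", "finance", True),
    Person("ivo@example.test", "it-admin", True),
    Person("mira@example.test", "sales", False),   # left last month
]
ACCOUNTS = [
    Account("m365", "ana@example.test", admin=False, mfa=True),
    Account("m365", "ivo@example.test", admin=True, mfa=True),
    Account("m365", "mira@example.test", admin=False, mfa=True),  # never removed
    Account("erp", "ana@example.test", admin=True, mfa=False),    # admin + no MFA
]
BACKUPS = [
    BackupCopy("fileserver", "nas", False, date(2024, 5, 30)),
    BackupCopy("fileserver", "cloud", True, date(2024, 5, 30)),
    BackupCopy("fileserver", "tape", True, date(2024, 5, 28)),
    BackupCopy("erp-db", "nas", False, date(2024, 4, 1)),          # single, stale copy
]
ADMIN_ROLES = {"it-admin"}      # roles that legitimately need admin rights
AUDIT_DATE = date(2024, 6, 1)   # fixed "today" so the sample run is reproducible


def review_access(accounts: list[Account], people: list[Person],
                  admin_roles: set[str] = ADMIN_ROLES) -> list[str]:
    """Compare every account against the HR roster and the least-privilege rule."""
    by_email = {p.email: p for p in people}
    findings: list[str] = []
    for a in accounts:
        person = by_email.get(a.user)
        if person is None or not person.active:
            findings.append(f"{a.system}:{a.user} belongs to no active employee (remove)")
            continue
        if a.admin and person.role not in admin_roles:
            findings.append(f"{a.system}:{a.user} has admin rights but role '{person.role}' does not need them")
        if not a.mfa:
            findings.append(f"{a.system}:{a.user} has no MFA")
    return findings


def review_backups(backups: list[BackupCopy], today: date, max_age_days: int = 7) -> list[str]:
    """Check each dataset for 3 copies, 2 media, 1 offline, and for a recent success."""
    findings: list[str] = []
    for ds in sorted({b.dataset for b in backups}):
        copies = [b for b in backups if b.dataset == ds]
        media = {b.medium for b in copies}
        has_offline = any(b.offline for b in copies)
        if len(copies) < 3 or len(media) < 2 or not has_offline:
            findings.append(f"{ds}: {len(copies)} copies on {len(media)} media, offline={has_offline} - fails 3-2-1")
        age = (today - max(b.last_success for b in copies)).days
        if age > max_age_days:
            findings.append(f"{ds}: newest copy is {age} days old (limit {max_age_days})")
    return findings


def run_audit() -> dict[str, list[str]]:
    """Run both reviews over the sample inventory."""
    return {
        "access": review_access(ACCOUNTS, PEOPLE),
        "backups": review_backups(BACKUPS, AUDIT_DATE),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section)
        for f in findings:
            print("  -", f)
```

The same three lists are what an external auditor asks for first, so keeping them current (and re-running this after every departure and every new system) turns the Week 1 audit into a routine rather than a one-off.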
Frequently asked questions
Do we need to hire a CISO (Chief Information Security Officer)? For an SMB - usually no. An external consultant (fractional CISO) who comes in monthly or quarterly is enough. Typical cost: €500-€2,000/month.
What happens when we’re actually attacked - who responds? Have a plan upfront: an external incident response team, contacts for legal help, a client communication plan. Without a plan - panic.
Do we need cyber insurance? For a company processing sensitive data - yes. Typical cost: €1,000-€5,000/year for an SMB. Covers restoration costs, legal help, possible fines.
Can we use EU funds for cybersecurity? Yes, through NPOO and dedicated programs. See our article on EU funds for details.
Need a security audit?
Book a free Discovery call. We review your current security baseline, identify the biggest risks, and propose a phased implementation plan that fits your budget.
Reach out at [email protected] or through the form on our homepage.