Cybersecurity in SMEs: the weak link or the next big revolution?
Marsh’s recent report, entitled “Why the Cybersecurity Gap Between SMEs and Large Organizations Matters”, reveals a worrying disparity in the implementation of cybersecurity controls between small and medium-sized enterprises (SMEs) and large organizations in the European Union (EU). According to the study, SMEs on average have a 15% lower level of cybersecurity controls than large companies. This difference puts SMEs in a more vulnerable position in the face of growing digital threats.
The study analyzed 320 EU companies, segmented by annual revenue: SMEs (less than 51 million euros), medium-sized companies (between 51 million and 250 million euros) and large organizations (more than 250 million euros). The analysis was based on data from Marsh’s Cyber Self-Assessment tool, focusing on the implementation of 12 categories of cybersecurity controls. The results show that large organizations achieve, on average, an implementation rate of 80% in the controls analyzed, while SMEs register only 65%. One of the main examples of this difference is multi-factor authentication for remote access, implemented by 91% of large companies, but only by 75% of SMEs.
Another critical factor is the review of incident response plans: only 40% of SMEs carry out tests and review exercises, in contrast to 61% of large organizations. The study also highlights significant differences between sectors, with 85% of SMEs in the financial sector investing in digital security training for their employees, while in the manufacturing sector this percentage drops to 58%.
Implications for SMEs
SMEs are often seen as the fundamental building blocks of the European economy, contributing significantly to employment and innovation. However, their lower human and financial resource capacity compared to large companies can limit investments in cybersecurity. This gap makes them attractive targets for cybercriminals, who can exploit vulnerabilities resulting from insufficient security controls.
In addition, many SMEs still have no or inadequate cybersecurity insurance, despite the existence of innovative solutions on the market. Faced with this risk, the report stresses the importance of SMEs becoming more actively involved in the rapidly expanding cybersecurity insurance market as a way of mitigating vulnerabilities and strengthening their digital resilience.
Aware of the challenges that SMEs face in the field of cybersecurity, IT service providers such as Eurotux position themselves as strategic partners in the implementation of robust solutions adapted to the specific needs of each organization. In this field, and when choosing service providers, SMEs should take into account basic criteria such as:
– Risk and vulnerability assessment: Carrying out comprehensive diagnostics to identify potential risks and vulnerabilities in companies’ IT infrastructure. This process makes it possible to develop a personalized security plan in line with best practices and international benchmarks.
– Implementing security solutions: Offering a wide range of security solutions to protect clients’ data and systems, including firewalls, intrusion detection systems, anti-virus and anti-malware software, and encryption solutions.
– Monitoring and incident response: Continuous monitoring of the IT infrastructure to detect and respond to security incidents quickly and effectively, minimizing the potential impact of any threats.
– Training and awareness: Promoting cybersecurity training and awareness sessions for company employees, helping them to understand the risks and adopt behaviours that protect the organization’s data and systems.
– Disaster recovery planning: Assistance in creating and implementing disaster recovery plans, ensuring that companies can quickly resume operations after a security incident or other contingency.
In addition to implementing technological solutions, let me emphasize the need to develop a culture of security within organizations. This implies not only the continuous training of employees, but also the clear definition of security policies and standards to guide daily practices. An initial diagnosis helps decision-makers to understand the real situation of their organization in terms of cybersecurity, allowing for the creation of appropriate awareness-raising and training actions.
The disparity in the implementation of cybersecurity controls between SMEs and large companies in the EU is an issue that cannot be ignored. SMEs, despite their limited resources, play a crucial role in the economy and therefore in the global cybersecurity posture. Adopting proactive measures, such as those offered by Eurotux, can help bridge this gap, strengthening SMEs’ resilience to cyber threats and ensuring business continuity in an increasingly digital and interconnected world.
Ricardo Oliveira, CSO at Eurotux