
Management Tips

2026-01-28 Antonio Giannino

Why SMEs are the new front line of cybersecurity

In today’s digital environment, the belief that small and medium-sized enterprises are “too small to be a target” exposes managers and entrepreneurs to underestimated risks. SMEs are now a priority target of cyberattacks and, at the same time, an entry point through which threats spread along the supply chain. Cyber vulnerability is no longer merely a technical issue, but a strategic variable that affects business continuity, relationships with customers and partners, and the ability to compete in the market. Strengthening digital resilience thus becomes a managerial choice that concerns governance, accountability, and the protection of corporate value. An excerpt from “Cybersecurity for Managers” by Antonio Giannino (Egea, 2025).

In today’s digital ecosystem, the perception that small and medium-sized enterprises (SMEs) are “too small to be a target” is a dangerous and obsolete anachronism. The strategic reality is diametrically opposed: SMEs are not only a primary target, but are often regarded by malicious actors as the “weak point” of the entire economic value chain. Their interconnectedness with large corporations, in their role as suppliers of goods and services, turns them into a privileged attack vector. By compromising an SME with less sophisticated defences, an attacker can gain a foothold from which to launch more complex attacks against larger clients, creating a systemic risk that propagates throughout the entire supply chain.

The analysis of security incidents reveals a clear and troubling trend:
• in 2023, 43% of all cyberattacks specifically targeted small businesses;
• organisations with fewer than 1,000 employees suffered a higher number of security incidents than large companies;
• SMEs account for an overwhelming share of ransomware victims, ranging between 77% and 80% of the total;
• even more specifically, 88% of data breaches affecting SMEs involved a ransomware attack.

The vulnerability of SMEs therefore extends beyond the perimeter of the individual firm to become a matter of national economic security. Every unprotected SME represents a potential weak link in the supply chain, an entry point that can be exploited to compromise industrial sectors, critical infrastructures, and government entities. In this context, strengthening the cyber resilience of SMEs through specialised partnerships is not merely a measure to protect individual businesses, but an indirect strategy to defend the entire economic system.

Why are SMEs such an attractive target?
Attackers—particularly cybercrime syndicates—operate according to a return-on-investment logic. Unfortunately, SMEs often represent “low-hanging fruit” for several reasons:
False sense of security. Many SME owners and managers continue to believe they are not a target, which results in chronic underinvestment and lack of preparedness in cybersecurity;
Lack of resources. SMEs typically have significantly smaller budgets, staff, and internal expertise dedicated to cybersecurity compared to large corporations;
Weak link in the supply chain. SMEs are often embedded in the supply chains of larger, better-protected firms. Attackers are well aware of this and exploit SMEs as an entry point to strike their larger partners.

For a large company, a cyberattack can be costly and damaging to reputation, but it is rarely existential. For an SME, the consequences can be catastrophic. The data are stark:
• 60% of small businesses that suffer a significant cyberattack cease operations within six months;
• 75% of SMEs state that they would be unable to continue operating if hit by a ransomware attack that blocked access to critical data.

An analysis of attacks by sector reveals specific targeting patterns, often correlated with the motivations of likely attackers:
Manufacturing
Healthcare
Critical infrastructure (energy, transport, telecommunications)
Finance and insurance

In the Italian context, data confirm these global trends, with the most affected sectors including digital infrastructure and IT services (14%), energy (12%), and transport (11%). National statistics also show a slight decrease in the share of severe attacks suffered by medium-sized enterprises (50–249 employees), which fell from 22.1% to 19.8%.

The analysis of the victim landscape reveals a fundamental trend that is reshaping the digital battlefield: the convergence of threats. For the first time, data show that the attack patterns used against SMEs are closely aligning with those employed against large enterprises.

[…] This convergence has profound strategic implications. The distinction between “SME threats” and “large enterprise threats” is rapidly disappearing. Every organisation, regardless of size, must now be prepared to face sophisticated tactics. Managers of large enterprises must recognise that their security is intrinsically dependent on that of their smaller suppliers and must therefore extend risk management across the entire supply chain. Likewise, SME managers must abandon any false sense of security and understand that they are now in the sights of adversaries who, until recently, were considered a threat exclusive to large corporations.

The resource dilemma
The root of SME vulnerability lies in a structural gap in resources, skills, and budgets compared to large companies. Kaspersky’s IT Security Economics Report 2024 provides a clear and troubling quantification of this disparity:
total IT staff (on average): 105 employees in large enterprises versus just 12 in SMEs;
dedicated cybersecurity specialists (on average): 23 experts in large enterprises versus only 4 in SMEs.

This skills gap is not a marginal issue, but one of the primary direct causes of security breaches. SMEs find themselves at a structural disadvantage in the labour market: they cannot compete with large corporations to attract and retain elite cybersecurity talent, whose profiles are extremely costly and difficult to source. The situation in Italy is particularly critical: analysis shows that in 44% of Italian SMEs there is no formally designated role responsible for cybersecurity and data protection.

This endemic shortage has serious and direct operational consequences. It translates into significantly longer incident response times, drastically reduced threat detection capabilities, and ultimately an inherently fragile and reactive security posture. The standard operating model of an SME—relying on generalist IT staff responsible for a wide range of tasks (from hardware maintenance to user support)—has become structurally incompatible with the demands of modern cybersecurity. This is not merely a matter of insufficient personnel, but of an organisational paradigm that is obsolete in the face of a hyper-specialised and constantly evolving threat landscape. […]

The weight of regulation
Cybersecurity has transcended its purely technical nature to become a business imperative and a regulatory obligation. The entry into force of increasingly stringent European regulations, such as the NIS2 Directive (Network and Information Systems Directive) and the DORA Regulation (Digital Operational Resilience Act), has significantly raised the bar for required security standards. These regulations do not concern only large corporations, but extend to a broad ecosystem of companies operating in sectors deemed critical (energy, transport, healthcare, finance), including a substantial number of SMEs. NIS2 applies as a rule to medium-sized and large entities in those sectors and brings small and micro enterprises into scope only in specific cases (for example, where they are the sole provider of a service essential to a Member State), while DORA scales its obligations to the size and risk profile of the financial entity. Even where a size-based exemption applies, in-scope organisations are required to manage the security of their supply chain, so their smaller suppliers are drawn into the same requirements by contract: it is now unthinkable for a company operating in these sectors to ignore the cyber dimension.

Non-compliance with these regulations exposes companies to tangible risks, including severe financial penalties and reputational damage that can erode market trust. At the same time, security posture has become a decisive factor in commercial relationships. Large enterprises, increasingly aware of supply chain risks, are integrating cybersecurity maturity into the criteria for selecting and evaluating suppliers. Demonstrating a robust security strategy and well-defined risk management processes is no longer optional, but a fundamental requirement to access new business opportunities and to retain existing contracts. In this scenario, a strong security posture shifts from being a cost centre to a source of competitiveness and a key element in building and maintaining trust with customers and partners.

The SME ally: MSSPs
For an SME, understanding the distinction between a Managed Service Provider (MSP) and a Managed Security Service Provider (MSSP) is the first step toward a mature security strategy. Although both offer outsourced services, their purposes and competencies are fundamentally different.

An MSP focuses on the general management of IT infrastructure, with the primary goal of keeping information systems operational and efficient. Its attention is directed toward operational continuity and day-to-day support.

An MSSP, by contrast, is a strategic partner specialised exclusively in cybersecurity. Its mission is not IT management, but the proactive protection of the company’s digital assets against cyber threats. The beating heart and main differentiator of an MSSP is the Security Operations Center (SOC). The SOC is a centralised facility staffed by teams of security analysts, engineers, and threat hunters, operating continuously, 24 hours a day, 7 days a week, 365 days a year. This capability for continuous monitoring, real-time analysis, and immediate incident response is an enterprise-grade resource that very few SMEs can realistically replicate internally in a cost-effective manner.

Collaboration with an MSSP provides SMEs with immediate access to an advanced defence ecosystem, instantly bridging the resource and capability gap. The strategic benefits are tangible and multidimensional:
24/7 monitoring and response
Access to highly specialised personnel
Advanced technologies within reach
Global threat intelligence

An MSSP effectively acts as a “translator” of cyber risk into language that is intelligible to the business. It does not merely generate technical alerts, but delivers contextualised reporting, potential impact analysis, and strategic recommendations that enable SME management to make informed decisions. In this way, security services are no longer perceived as a purely technical cost, but as a strategic investment in mitigating operational risk and ensuring business continuity—concepts that a CEO or CFO can understand, value, and justify.


Photo iStock / Jian fan