Cybersecurity for SMEs: the 3 most common risks (and how to fix them)
There’s a persistent belief that cyberattacks mainly target large organisations. It’s wrong. SMEs are frequently targeted precisely because they have fewer resources to defend themselves and are less likely to detect a breach quickly. Here are the 3 most common attack vectors, and the accessible measures to protect against them.
Risk 1: phishing and spear-phishing
Phishing remains the most common entry point in cyberattacks. A convincing email, a fake invoice, a link to a login page mimicking your bank or ERP — and a colleague clicks. Spear-phishing is a targeted variant where attackers personalise the message using publicly available information (LinkedIn, company website).
What we observe: SMEs whose Microsoft 365 or Google Workspace accounts are compromised because someone entered their credentials on a fake login page.
What to do:
- Enable multi-factor authentication (MFA) on all critical accounts — this is the single most effective measure relative to the effort involved.
- Run an annual awareness session for staff (1 hour is enough to have a meaningful impact).
- Activate anti-phishing filtering at the email gateway level (built into Microsoft 365 and Google Workspace).
Risk 2: weak and shared passwords
In many SMEs, passwords are shared between colleagues for practical reasons: shared cash register access, a shared tool account, a system used by several people. This practice creates a significant attack surface — impossible to trace who accessed what, and a single leak compromises everyone.
What we observe: IT audits that uncover passwords like “Company2023” on administrator accounts, or VPN credentials shared between 5 employees.
What to do:
- Deploy a business password manager (Bitwarden Teams, 1Password Business — under €5/user/month).
- Enforce a password policy (minimum length, no reuse).
- Replace shared generic accounts with individual named accounts.
Risk 3: backups that are incomplete or untested
Ransomware — malware that encrypts your data and demands payment for the decryption key — has grown sharply in recent years. The only reliable defence against ransomware is a recent, complete backup that has actually been tested.
Many SMEs believe they have working backups. In practice, they have a backup tool that runs but whose restores have never been verified. An untested backup is effectively no backup at all.
What to do:
- Apply the 3-2-1 rule: 3 copies of data, on 2 different media, with 1 stored off-site (cloud or a physically separate location).
- Test a full data restore at least once a year.
- Ensure backups are disconnected from the main network — ransomware that reaches your online backups encrypts those too.
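The restore test that the list above insists on, as an added example that is not part of the original article: a short POSIX shell script that archives a directory, records a checksum manifest of the source at backup time, then restores the archive into a scratch directory and compares the restored files against that manifest. It assumes tar, sha256sum, cmp and mktemp are installed (standard on Linux); the sample invoice and customer files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): prove a backup is restorable
# by restoring it and comparing checksums, instead of trusting that the job ran.
# Assumes tar, sha256sum, cmp and mktemp are available.
set -u

# Checksum manifest of every regular file under $1, with relative paths,
# sorted so that manifests of two directory trees can be compared directly.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# create_backup SRC_DIR ARCHIVE: archive SRC_DIR and store its manifest next to it.
create_backup() {
    src="$1"; archive="$2"
    tar -czf "$archive" -C "$src" .
    manifest "$src" > "$archive.sha256"
}

# verify_restore ARCHIVE: extract into a scratch directory and compare the
# restored tree against the manifest recorded at backup time.
# Returns 0 only if the archive extracts cleanly and every checksum matches.
verify_restore() {
    archive="$1"
    scratch=$(mktemp -d)
    if tar -xzf "$archive" -C "$scratch" 2>/dev/null \
       && manifest "$scratch" | cmp -s - "$archive.sha256"; then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}

# Demonstration with constructed sample data.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/invoices"
    printf 'invoice 2023-001 (constructed sample)\n' > "$work/data/invoices/001.txt"
    printf 'customer list (constructed sample)\n' > "$work/data/customers.csv"

    create_backup "$work/data" "$work/backup.tgz"
    if verify_restore "$work/backup.tgz"; then
        echo "restore test passed: $work/backup.tgz"
    else
        echo "restore test FAILED: $work/backup.tgz"
    fi

    # A truncated archive (simulated media failure) must make the test fail.
    head -c 64 "$work/backup.tgz" > "$work/truncated.tgz"
    cp "$work/backup.tgz.sha256" "$work/truncated.tgz.sha256"
    if verify_restore "$work/truncated.tgz"; then
        echo "ERROR: truncated archive passed verification"
    else
        echo "truncated archive correctly rejected"
    fi
    rm -rf "$work"
}

demo
```

Run it from cron after each backup job and alert on a non-zero exit from verify_restore; the comparison is against the manifest taken at backup time, so a silently corrupted archive or a restore that drops files is caught, which a "job completed" status from the backup tool never shows.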
Where to start from scratch
An IT security review doesn’t require expensive tools. In a consulting engagement we typically cover, in half a day, the state of access controls and passwords, the backup policy, the email gateway configuration and the software update status. That is enough to identify the priorities and build a concrete action plan.
Cybersecurity for SMEs isn’t a question of budget — it’s a question of method and good habits applied consistently.
Want a quick assessment of your current security posture? Contact us — we’ll give you an initial diagnostic with no commitment required.