- 01/15/2026
- Industry News
- Hacking & Defence
SMEs in the crosshairs of cybercrime
Geopolitical changes have shaped security trends in recent years and caused uncertainty, particularly among SMEs. They are the focus of internationally active cyber gangs, warns the German BSI. The new study “it-sa Cyber Security Barometer” provides background information on this.
Written by Uwe Sievers

Cybersecurity at small and medium-sized enterprises is a cause for concern, warns the German BSI. According to the BSI's 2025 status report, around 80 per cent of all reported security incidents occur at these companies. The recent study “it-sa Cyber Security Barometer: Cybersecurity in SMEs” reveals shortcomings and deficits in this area.
From Ukraine to Trump to the Nexperia chip crisis: the trends of recent years have been more strongly influenced by geopolitical changes than ever before. This has unsettled many companies, who are looking ahead to the new year with concern. They are monitoring developments very closely.
While large companies can purchase trend analyses or have them created in-house thanks to their resources, small and medium-sized enterprises (SMEs) are dependent on existing situation reports. In these uncertain times, they are therefore taking a rather cautious approach to their IT strategy. They do, however, consider IT and cyber security to be the biggest and most urgent challenge, far ahead of rising energy prices, global crises or bureaucratic challenges. This was the finding of a study commissioned by the security trade fair it-sa Expo&Congress and conducted by puls Marktforschung. This applies to all European countries surveyed in the study, namely Germany, Spain, Italy, Poland and France.
SMEs are at greater risk than large companies
At the same time, small and medium-sized enterprises are a prime target for cybercriminals, who see them as lucrative targets with comparatively weak defences. The German Federal Office for Information Security (BSI) therefore warns: "The risk of SMEs being affected by a cyber incident is significantly higher than for large companies."
Due to smaller budgets and a lack of specialist staff, SMEs often face greater IT security problems than large companies. Outdated software, inadequate access protection and a lack of awareness among employees make them easy targets for attackers. If backups have also been neglected, the damage after a successful attack is often severe. Without professional emergency or business continuity management, insolvency can occur faster than expected. The BSI concludes: "The situation with regard to cyber security is worrying in the vast majority of SMEs." According to the BSI Situation Report 2025, around 80 per cent of all reported security incidents occur in SMEs.
The study shows that respondents are well aware of their situation. Almost two-thirds of them assess their own threat situation as fairly high, and 80 per cent believe that cybersecurity has become more important to them over the past year. They consider human error and technical vulnerabilities to be the greatest risks. The complexity of IT infrastructure also represents a difficult hurdle for many to overcome, as it opens up a wide range of possibilities for misconfigurations, for example.
When it comes to the perception of security threats, phishing and malware are at the top of the list for respondents. This is understandable, as other threats are usually more covert, such as supply chain attacks or zero-day exploits, i.e. attacks on security vulnerabilities for which no patch yet exists. The misuse of stolen access data is also often noticed only belatedly, often only when anomalies in the IT environment become apparent. The login data used for the intrusion may have been stolen a long time ago, as attackers sometimes use their loot only months later. Even then, the intrusion is not necessarily noticed, as the necessary defence and detection tools are often not used. If intrusion detection systems are not in place and irregularities in network traffic and unusual user behaviour are not monitored, attackers can operate undetected in the corporate network for a long time. It is not uncommon for this to be noticed only once the damage has already been done.
Inadequate defence measures
The risk is exacerbated by a lack of organisational precautions. The results of the study reveal a deficit: around a third of those surveyed have only implemented basic measures so far. IT security is often not organised in a structured manner, responsibilities are not defined, and measures are not planned but rather sporadic. Furthermore, IT security is not strategically anchored and there are no regular reviews. Only in a very few cases, around ten per cent, is IT security an integral part of all business processes. Attackers, on the other hand, are constantly upgrading their equipment, using their own AI systems for attacks, working on a highly collaborative basis and purchasing additional expertise as needed. In contrast, according to the survey, the majority of the companies surveyed primarily rely on their internal IT department and colleagues as sources of information.
Small and medium-sized enterprises can protect themselves through regular updates and employee training. A backup strategy is just as essential as emergency plans for serious incidents. Many institutions provide support and information, such as the BSI with special guidelines for SMEs. The German Cybersecurity Transfer Centre for SMEs has compiled numerous resources on its own portal. Depending on the individual case and federal state, subsidies are even available for improving cybersecurity.
The annual it-sa Expo&Congress, which takes place every autumn, and the newsletter from Europe's largest security trade fair are good starting points for quickly and clearly informing yourself about the cybersecurity sector. The vast majority of respondents from several European countries are therefore familiar with or visit the it-sa Expo&Congress and the online events on the it-sa 365 platform.
Sources:
BSI: Cybersecurity for SMEs (only in German)
BSI status report 2025 (only in German)
Cybersecurity Transfer Centre for SMEs: Cybersecurity for SMEs (only in German)
National Coordination Centres for Cybersecurity (only in German)
