cyber-security.eu

Cybersecurity for SMEs

SMEs do not need enterprise security architecture, but they do need the right basics. This page shows which measures deliver the most impact on a limited budget and which common mistakes are easy to avoid.

Who this page is for

This page is for owners, managing directors and IT leads at small and medium-sized companies, as well as for their IT service providers.

Starting point

Many SMEs are deeply digital but rarely have dedicated security roles. Attackers know this and run largely automated campaigns against known vulnerabilities, missing MFA and weak backups. The right response is not panic but disciplined work on the basics.

Ten essential measures

1. MFA everywhere, especially for mail, cloud and remote access.
2. Current systems and automated patching.
3. Backups with a tested restore; at least one copy offline or immutable.
4. EDR instead of basic antivirus.
5. Clean accounts: no shared logins, clearly assigned permissions, separate admin accounts.
6. Training and an easy reporting path for phishing.
7. Secure email with SPF, DKIM and DMARC, with DMARC set to an enforcing policy.
8. Emergency contacts and a simple incident plan.
9. Written security agreements with IT service providers.
10. Clear separation of personal and business devices.
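Measure 7 is the one most SMEs think they have done because "there is an SPF record". The script below is an added example for this page, not code from cyber-security.eu: it lints SPF and DMARC records for the settings that still let attackers spoof the domain (a neutral or permissive SPF `all` term, more than ten DNS-lookup terms, DMARC `p=none`, partial `pct`, no reporting address, `sp=none`). The record strings and the two domain names are constructed samples; in practice you would fetch the records with `dig TXT example.com` and `dig TXT _dmarc.example.com`. The rules are a practical subset of RFC 7208 and RFC 7489, not a full validator, and DKIM is left out because it needs the selector name to look up.

```python
"""Lint SPF and DMARC TXT records for settings that still allow spoofing.

Added example, not code from cyber-security.eu. Records below are constructed.
"""
import re
from typing import Dict, List, Optional

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def lint_spf(record: Optional[str]) -> List[str]:
    """Return findings for one SPF record (None means no record published)."""
    if record is None:
        return ["SPF: no record, any host may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: ends with +all, which authorises every sender")
    elif last == "?all":
        findings.append("SPF: ends with ?all (neutral), forgeries are not rejected")
    elif last == "~all":
        findings.append("SPF: ~all (softfail) is only safe with DMARC p=quarantine or p=reject")
    elif last != "-all":
        findings.append("SPF: no terminating 'all' term, result defaults to neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for the _dmarc TXT record (None means no record)."""
    if record is None:
        return ["DMARC: no record, receivers cannot check alignment or enforce a policy"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - int(pct)}% of failing mail unpoliced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you will never see who is spoofing you")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none lets attackers send from unused subdomains")
    return findings


def audit(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Combined findings; an empty list means both records are enforcing."""
    return lint_spf(spf) + lint_dmarc(dmarc)


# Constructed sample records for two fictional domains (SPF, DMARC).
SAMPLES = {
    "weak.example": (
        "v=spf1 include:_spf.google.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    ),
    "hardened.example": (
        "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all",
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
    ),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain, audit(spf, dmarc) or ["OK: SPF and DMARC are enforcing"])
```

The typical SME finding is the first sample: SPF ends in `~all` and DMARC sits at `p=none` for years because nobody reads the reports. Moving to `p=quarantine` and then `p=reject` once the `rua` reports show only legitimate senders is the step that actually stops spoofed mail.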

What to do first

If you cannot tackle everything at once, this order works well:

1. MFA for mail and cloud
2. Backups with restore test
3. Automated patching
4. EDR
5. Awareness and reporting path

Logging, incident plan and supplier topics follow.
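Step 2 above only counts as done once a restore has actually been run and checked. The script below is an added example for this page, not a cyber-security.eu script: it backs up a directory, records the archive digest, restores into a clean location and proves the restored files match byte for byte, and it refuses to restore an archive whose digest no longer matches (a corrupted or tampered backup). It runs entirely inside a temporary directory on constructed sample files; for a real test point `source` at live data and keep the digest somewhere write-once, separate from the archive.

```python
"""Backup with a tested restore, plus a tamper check before restoring.

Added example, not a cyber-security.eu script. Sample files are constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> str:
    """Write a gzip tarball of source and return its digest for the record."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return sha256_file(archive)


def restore(archive: Path, expected_digest: str, target: Path) -> None:
    """Refuse to restore an archive whose digest no longer matches the record."""
    if sha256_file(archive) != expected_digest:
        raise ValueError("archive digest mismatch: backup corrupted or tampered")
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # rejects path traversal (3.12+, backported)
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)


def restore_test(source: Path, workdir: Path) -> dict:
    """Full cycle: backup, restore into a fresh directory, compare manifests."""
    workdir.mkdir(parents=True, exist_ok=True)
    archive = workdir / "backup.tar.gz"
    digest = backup(source, archive)
    target = workdir / "restore"
    restore(archive, digest, target)
    before, after = manifest(source), manifest(target)
    return {
        "files": len(before),
        "match": before == after,
        "missing": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def build_sample(root: Path) -> None:
    """Constructed stand-in for a small file share."""
    (root / "invoices").mkdir(parents=True)
    (root / "invoices" / "2024-01.pdf").write_bytes(b"%PDF-1.4 constructed sample\n" * 100)
    (root / "customers.csv").write_text("id,name\n1,Example GmbH\n")


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "share"
        build_sample(source)
        return restore_test(source, Path(tmp) / "job")


def tamper_demo() -> bool:
    """True if a single flipped byte in the archive is caught before restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source, archive = Path(tmp) / "share", Path(tmp) / "backup.tar.gz"
        build_sample(source)
        digest = backup(source, archive)
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(data)
        try:
            restore(archive, digest, Path(tmp) / "restore")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(run_demo())
    print("tamper detected:", tamper_demo())
```

The point of the manifest comparison is that "the job finished without errors" says nothing about what came back; a restore test compares content. The digest check is what an offline or immutable copy buys you operationally: if the recorded digest lives somewhere the attacker cannot rewrite, a modified archive is caught before it is trusted.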

Common mistakes

Frequently seen:

- No MFA on Microsoft 365 or Google Workspace
- Backups exist but are never tested
- Admin accounts used as regular mailboxes
- No clear ownership between owner, IT provider and departments
- No documented emergency contact for weekends
- Long-lived VPN or remote-access paths left unhardened (no MFA, no patching)

Working with IT providers

Many SMEs rely on external IT providers. What matters is what is contractually agreed about security: patching, backup, mandatory MFA, incident response, logging and handovers.

Managed security providers can run detection, patching and first response. Clear deliverables, defined escalation paths and realistic response times are essential.

Practical scenario

A 25-person trades business rolls out MFA on all mail accounts, documents its backup strategy and tests a restore. Six weeks later a phishing attempt fails at the MFA prompt. Without MFA the same attempt would likely have led to a mailbox takeover and CEO fraud.

Checklist

  • MFA everywhere, especially mail and cloud
  • Current systems and automated patching
  • Backups, at least one offline or immutable
  • Restore tested at least once
  • EDR instead of classic antivirus
  • Written security agreement with the IT provider
  • Documented emergency contacts and escalation
  • Awareness, phishing simulation, clear reporting culture

Frequently asked questions

Do we need our own SIEM?

Rarely. A managed detection service combined with clean endpoint telemetry is usually enough.

Is cyber insurance worth it?

It can help but does not replace controls. Insurers now actively ask about MFA, backups and patch posture.

We are small - are we really a target?

Yes. Most attacks are automated and hit organisations regardless of size. What matters is not the brand but a weakly secured attack surface.

Related topics

Cybersecurity for business

Effective enterprise security combines governance with concrete technical and organisational controls. This page shows what decision makers and IT leaders should focus on first - calm, practical and clearly prioritised.

What is cyber security?

Cyber security protects digital assets from attack, manipulation and outage. This page explains in plain language what it covers, how it differs from IT and information security and which measures are part of today's standard.

Phishing

Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.

Ransomware: risks and first response

Ransomware remains one of the most expensive cyber risks. It is typically the result of a chain of weaknesses rather than a single click. This page covers typical patterns, effective controls and an orderly first response.

Security awareness

Awareness works when it is continuous, relevant and fairly measurable. A yearly mandatory training is not enough. This page shows what good organisational awareness looks like.

Incident response

A security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.

Multi-factor authentication

MFA significantly reduces the risk of compromised accounts. This page explains which methods actually work, where the weak points are and how to prioritise rollout in practice.

Backup

Backups are a core defence against data loss and ransomware. This page explains the 3-2-1 rule, offline and immutable backups, restore tests and common mistakes.

Microsoft 365 security

Microsoft 365 is the central workspace and identity ecosystem for many organisations. This page outlines the key security building blocks without admin step-by-step instructions.