While the biggest headlines often focus on billion-dollar losses at global corporations, it’s frequently small and medium-sized enterprises (SMEs) that suffer the most when cyberattacks occur, says Anders Liland, consulting manager & information manager at Sopra Steria Norway.
Cyberattacks are becoming increasingly sophisticated, and more companies are being affected. Yet, many small and medium-sized businesses lack both basic security measures and a plan for how to respond when an unwanted incident occurs. This makes them unnecessarily vulnerable – and increases the risk of serious consequences when an attack hits.
This is because, while the headlines may highlight billion-dollar losses in global companies, it is often SMEs that are the least equipped to handle attacks. They can lack dedicated security resources, have limited procedures in place, and have smaller financial buffers. This makes the consequences more severe – and the road to recovery longer.
SMEs are on the radar
Cybercriminals are targeting more and more businesses, and small and medium-sized companies are no longer flying under the radar. In Sopra Steria’s report “State of Cyber Security 2025”, the threat landscape is described as one where cyberattacks occur more frequently, with greater precision, and often through methods that are hard to detect. Attackers now use automated tools, artificial intelligence, and IT solutions to cover their tracks – demanding stronger defences than ever before.
This is particularly challenging for small and medium-sized businesses. Many in this category lack a structured approach to cybersecurity. This makes them extra vulnerable – not just as direct targets, but also as potential entry points to other organisations through supply chains and partnerships.
What can be done, even with limited resources?
We often meet small and medium-sized businesses that believe cybersecurity is something they can’t afford. But it’s not primarily about extreme costs – it’s about awareness, willingness, and the ability to prioritise security before an attack occurs. Being prepared doesn’t have to be expensive or complicated – much of what provides the best protection costs little when done correctly:
- Establish good routines: Use two-factor authentication, keep passwords updated, and ensure not everyone has access to everything.
- Train your employees: The most important firewall is still the person between the keyboard and the chair. Regular awareness and training make a big difference.
- Back up regularly – and test recovery: Backups should be physically or logically separated from the systems they protect, so they’re not taken down in an attack.
- Prioritise what matters most: Identify which systems, data, and processes are most critical to your business. This gives you a good starting point for prioritising measures, ensuring continuity, and using resources where they’ll have the greatest impact. Understanding what truly needs protection is at the heart of risk-based security work.
- Have a plan for when it happens: Who does what, when – and how? The better you’ve practised, the faster you can contain the damage.
- Secure your supply chain: Set requirements for your vendors to prevent vulnerabilities in their systems from becoming an entry point to yours – and vice versa.
“It probably won’t happen to us” is not a strategy
Many businesses still hold an “it probably won’t happen to us” mindset when it comes to cyberattacks. But in today’s threat landscape, the question is not if you will be attacked – but when. Security must become a natural and prioritised part of daily operations and business governance – even for small and medium-sized enterprises.
This is not just about technology and expensive investments – it’s about culture, awareness, and accountability. By taking a few simple but targeted steps today, you can be much better prepared when the attack inevitably comes.
Security is not a luxury – it’s a necessity. And it starts with taking responsibility – before someone else takes control.