In a world where cyber threats continue to grow, Small and Medium Enterprises (SMEs) face challenges similar to those of multinational companies. However, the financial and human resources they have to respond to these challenges are far more limited.
Here are some figures to illustrate these differences:
- 4 to 10% of the IT budget for companies with fewer than 100 employees is allocated to Security.
- 8 to 15% of the IT budget for companies with between 100 and 1,000 employees is allocated to Security.
- 10 to 20% of the IT budget for large companies with more than 1,000 employees is allocated to Security.
Taking a median IT budget of 4% of revenue: an SME with a revenue of 10 million CHF can allocate approximately 28,000 CHF to cybersecurity, compared to 460,000 CHF for a company with 100 million CHF in revenue and 6 million CHF for a company with a billion CHF. These budget discrepancies illustrate the specific challenges that SMEs must face.
With such a budget, SMEs must cover four types of expenses:
Human Resources:
- CISO (Chief Information Security Officer): Responsible for developing and implementing an information security strategy that protects an organization’s data and systems.
- CDO (Chief Data Officer): Responsible for defining and implementing an organization’s data strategy, which encompasses understanding the data received, generated, and transmitted by the company, ensuring the quality of this data, creating business value through data analysis and exploitation, as well as implementing proper governance.
- SOC (Security Operations Center): Operational management of security, including detection, analysis, and response to security incidents.
Necessary Services for prevention, operations and incident management:
- Training
- SIEM (Security Information & Event Management): Staying informed about the latest threats and risk developments.
- Auditing, penetration testing…
- CERT (Computer Emergency Response Team): Calling upon experts for assistance or to manage major incidents.
- Forensics: Discovering, analyzing, and preserving digital evidence following a cyberattack to minimize damage, understand how the attack occurred, and prevent future incidents.
- Certification: Audits, managing certification projects, certification costs…
Systems and Tools:
- Software: Antivirus, Endpoint Management, Access Management…
- Infrastructure: Firewalls, Intrusion Detection Systems…
- Platforms: Security event management, etc.
Physical Security of Locations:
- Access control tailored to the various activities of the business…
- …
Cyber Threats: A Well-Known Issue with Constantly Increasing Pressure
The threat of cyberattacks, whether ransomware, phishing, or intrusions, remains the primary cybersecurity challenge for all businesses. These attacks can compromise sensitive data, disrupt operations, lead to significant financial losses, or even cause a company to go bankrupt. Gartner predicts that cybersecurity spending is expected to increase by 15% in 2025, rising from $183.9 billion to $212 billion.
How can Small and Medium Enterprises effectively protect themselves while adhering to their constraints? What effective and affordable cybersecurity strategy is suitable for an SME?
Compliance and Certifications: A Less Recognized but Crucial Strategic Issue for Competitiveness
A less visible but equally critical issue concerns the growing requirements for compliance and certifications.
These obligations include:
- International standard certifications – increasingly demanded in tenders: ISO 27001, PCI DSS...
- Local regulations for payment services: Rempart in France, AGID in Italy.
- Data protection: GDPR (or LPD in Switzerland).
Why do these requirements matter?
Compliance is not just about avoiding fines. It plays a decisive role in:
- Competitiveness: Certifications like ISO 27001 are becoming an expected standard in many tenders.
- Reputation: A compliant company inspires more trust in its clients and partners.
- Future preparedness: By adopting compliance practices today, companies prepare for future regulations.
What is the nature of the challenge for SMEs?
For SMEs, the requirements for security and compliance represent a considerable challenge in terms of resources, organization, internal skills, infrastructure, and ultimately costs. And this is not just an IT issue; it is a company-wide challenge that affects every function of the business:
- Organization: Who is in charge, how to acquire and maintain skills, how to manage security and data issues within the company (establishing a "practice," launching projects, creating a dedicated team...), what governance...
- Infrastructure: The back office as well as the business infrastructure are involved. How to update and maintain the company's infrastructure (at what pace, what type of investment...)
- Suppliers (Cloud, SaaS, service providers, component suppliers...): Are they certified, how to manage changes required by my suppliers, what role do they play in certifying my company, what risks can be transferred to them...
- Products: Development of compliant versions of products, migration of the installed base, how to respond to specific customer requests.
- Data: Inventorying the data managed by the company, defining management and retention policies compliant with regulations, and then implementing them.
Solutions: A Structured, Innovative, and Pragmatic Approach to Address Challenges
No company can be perfectly protected: The Importance of Maturity Level
It is essential for SMEs (like all companies) to understand that perfection and zero risk do not exist. The key lies in defining an appropriate target maturity level that aligns with market constraints (particularly competitiveness) as well as financial, strategic, and organizational factors. A level that is too low is a very risky gamble. Conversely, a level that is too high will hurt the company's competitiveness (delayed product launches, lack of flexibility to adapt to customer needs) as well as its financial balance (excessive costs).
Organizing to Achieve the Right Level of Maturity and Protection and Manage Risks
Five simple steps to do this:
1. Understand the current situation: Map out risks, assess the strengths and weaknesses of existing systems.
2. Define a target maturity level: Balance cost constraints, regulatory requirements, and strategic objectives.
3. Reach the targeted level in the short, medium, and long term: Implement priority actions that are strategic from technical, organizational, process, and skills perspectives.
4. Maintain the achieved maturity level: This requires foundational work (technical updates, upgrades, training, incident reviews, audits…).
5. Prepare for incidents: The question is not IF but WHEN, so it is necessary to develop crisis management plans (including communication) and prepare teams (training, simulations…) to minimize the impact of cyberattacks.
Achieving Objectives with Limited Resources
Qualified and competent resources are rare and expensive. Depending on the size of your company, it is often neither justified nor financially sustainable for an SME to create full-time CISO, CDO... positions. Additionally, attracting talent in these areas can prove to be an impossible mission for an SME.
In contrast, service offerings and security outsourcing options are increasingly available in the market. But how do you make the right choice without putting all your eggs in one supplier's basket?
Tools Suitable for SMEs Exist:
- Engage a reputable consulting firm to 1. understand the situation, 2. define the target maturity level, and help to 3. achieve it.
- Share a CISO or CDO between two or three SMEs to 3. reach the targeted maturity level and 4. maintain it through Fractional Management (different from Transition/Interim Management, as this involves a long-term commitment to an established function).
- Outsource to suitable service providers the activities where economies of scale are significant: infrastructure management, SIEM...
- Regularly train and prepare for crises: including attack simulations and data-loss scenarios (how do we keep operating?).
- Engage experts (strategic consulting, support...) in the implementation of this transformation and to take stock at regular intervals (review goals, analyze the market to ensure that the targeted maturity level remains appropriate).
Key Factors for Success
To successfully meet the challenges of cybersecurity and compliance/certification while managing associated costs and staying in control, four key factors are essential:
- Involve the organization at all levels: awareness, training, communication.
- Place these issues under the direct supervision of the CEO/Management.
- Manage external resources (particularly Fractional CISO) as if they were internal resources: the approach is not to outsource security (“outsource problem-solving”) but to pool resources, remain in control, and monitor the situation.
- Choose the right service providers (partners rather than mere suppliers):
  - Companies of comparable size, or those experienced in serving clients similar to yours.
  - Build long-term partnerships: the aim is not just a good deal but a durable and solid commitment (with guarantees).
  - Ensure that references are solid, talk to other clients, and understand the strengths and weaknesses of the partner.
  - Seek a proven methodology and a replicable model: do not rely solely on individual experience.
Conclusion: Facing the Challenges of Large Enterprises, SMEs Can Manage Their Risks and Remain Competitive
SMEs face the same challenges as large companies in terms of cybersecurity and compliance, but with more limited resources. To remain competitive, they must ask themselves the right questions: What is my current situation? What is the appropriate maturity level to achieve? What tools (Fractional or Interim Management) and partners will help me reach these goals?
By answering these questions with a pragmatic approach and implementing tailored solutions (specific tools, shared resources, partnerships), SMEs can not only protect themselves effectively with the resources they have but also turn these challenges into a competitive advantage.