EN | PL | ES | IT | RO


about img

Cyber MSME

Cybersecurity for Micro, Small & Medium Enterprises

Mapping Cyber-Threats for micro-enterprises and SMEs means defining threats, risks, solutions, skills related to cybersecurity apllied at the MSME level.
The consortium will perfom a secondary mapping to examine existing academic/scientific literature, policy papers, analytical reports and diagnostics on the main risks and dangers that arise even from a partial ignorance of these new digital needs.

This will allow the consortium to summarize and identify the elements of success and failure factors in terms of technology dynamics at EU and national level
The partners will carry out a comprehensive assessment of the target group and the dynamics of cybersecurity in its entirety and digital security in the countries involved. They will focus on:

  • Identifying common features of these domains and exploring their similarities,
  • Identifying best practices / case studies for the implementation of highly advanced cybersecurity technologies at the MSME level i micro-enterprises,
  • Examining and systematizing the paths from the status of "ignorance about cybersecurity" to nonpenetrating digital devices in the MSME dimension,
  • Identification of individual examples and successes,
  • Defining cybersecurity and digital security specialization as a business opportunity itself,
  • Identification of gaps in entrepreneurship training related to knowledge of cybersecurity and ICT

You can find and download The mapping report and its summary at the bottom of this page

Executive summary

The European Commission’s SME Strategy for a Sustainable and Digital Europe recognised the vulnerability of SMEs to cyber-threats and identified cybersecurity as one of the key aspects of digital upskilling. At the global level too, cyber-threats emerge among the main short-term global risk (World Economic Forum, 2021) and become a constant threat to most of the enterprises amid the accelerated digital transformation induced by the Covid-19 crisis (OECD, 2021).

This report identifies internet-based incidents, including phishing, malware, and web-based attacks, as the most frequent cyber-threats relevant to the EU MSMEs. In line with ENISA (2020), other important cyber-threats also include spam, denial of service, identity theft, data breaches, insider threat, botnets, physical manipulation and damage, information leakage, cyberespionage, and cryptojacking. At the same time, while internet access and remote work arrangements might increase MSMEs’ exposure to cybersecurity risks, human factor is another important source of digital vulnerability as about 84% of all cyberattacks in the EU rely on social engineering to lure people into divulging sensitive information or clicking on the link that may contain malicious files (ENISA, 2020).

The country analyses presented in this report further underline growing importance of cybersecurity topics at the national levels and confirms relatively low extent of knowledge on cybersecurity among the MSMEs. According to the results of the 2020 Eurobarometer, the share of respondents that reported being ‘not well informed’ about the risks of cybercrime stood at 67% for Romania and Italy, 55% for Spain, and 43% for Poland. Further, at the company level, only 7% of SMEs in Romania made their employees aware of their obligations in ICT security through compulsory trainings. SMEs in Spain, Poland, and Italy, in turn, performed closer and even above the EU average with 20%, 30%, and 34% figures, respectively. When the gap between the SMEs and large enterprises in considered, however, Romania and Italy have one of the smallest gaps EU-wide – only 21 pp and 23 pp, respectively. While Spain has relatively higher gap at 27%, it managed to stay below the 30 pp EU-27 average and the 35 pp gap registered in Poland.

Thus, the EU MSMEs often lag behind large enterprises in terms of awareness of and preparedness to deal with proliferating cyber-threats. More importantly, the greater and the most frequent cyber-threats are also the ones on which the level of awareness in the EU remains the lowest. The lack of awareness and commitment from management, in particular, is the common and most often cited challenge (ENISA, 2021). As a result, only 30% of the EU SMEs resort to more than basic cybersecurity measures and less than 30% of the SMEs in the EU-27 make their employees aware of their ICT security obligations through compulsory training courses – almost twice less compared to large enterprise.

Other structural challenges that undermine greater preparedness of the MSMEs also include low cybersecurity awareness of the personnel, inadequate protection of critical and sensitive information, lack of budget, lack of dedicated IT and cybersecurity specialists, and lack of suitable cybersecurity guidelines specific to SMEs.

A number of EU-level initiatives, including, among others, EU Cybersecurity Strategy, EU Agency of Cybersecurity, as well as SMESEC and Make_SME_Digital frameworks, allow to bridge the skills gaps and bolster collective resilience against cyber-threats. These are further supported by the country-level initiatives – e.g., Polish National Platform for Cybersecurity and PWCyber Cybersecurity Cooperation Program and Italian National Framework for Cybersecurity and National Inter-University Consortium for Information Technology (CINI) – that establish national cybersecurity frameworks and support digital skills development at the local level.
Yet, as discussed in this report and individual country profiles, a more comprehensive policy actions are needed to tackle systemic lack of cybersecurity capabilities among the EU MSMEs. These should focus on strengthening:

(i) cyber awareness among MSMEs by promoting better understanding of cybersecurity at large and tailoring the content and channels of the outreach campaigns to the MSMEs context and sectoral needs.
(ii) cyber resilience of the MSMEs by creating MSMEs focused cybersecurity standards and guidelines, promoting use of cyber risk management frameworks within MSMEs, and making cybersecurity more accessible.
(iii) cyber responsiveness of the MSMEs by promoting voluntary and compulsory trainings among employees and supporting development of simplified security protocols.

Download the Report       Download the Executive summary


team img
team img
team img

team img
team img
team img
The European Commission's support for the production of this publication does not constitute an endorsement of the contents, which reflect the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.
Legal description – Creative Commons licensing:
The materials published on the CyberMSME project website are classified as Open Educational Resources' (OER) and can be freely (without permission of their creators): downloaded, used, reused, copied, adapted, and shared by users, with information about the source of their origin.