It is a persistent misconception: cybercriminals only target large companies. The reality is precisely the opposite. Small and medium-sized enterprises are the favourite target of cybercriminals — precisely because smaller organisations often have fewer security measures in place and the impact of an attack is relatively greater.
According to the Dutch Digital Trust Center of the Ministry of Economic Affairs, one in five Dutch SMEs was affected by a cyber incident in 2025. The average damage? More than €50,000. For a company with ten employees, that can mean the difference between survival and bankruptcy.
Why SMEs are a favoured target
The logic of cybercriminals is simple: maximum return with minimum effort. Large organisations have security operations centres, dedicated CISOs and multi-million euro cybersecurity budgets. SMEs do not.
Many SMEs work with outdated systems, have no formal patch policy and rely on a single IT employee or external supplier for their entire digital infrastructure. Multi-factor authentication is not standard, backups are not tested and no incident response plan exists.
Moreover, SMEs are increasingly a stepping stone to larger targets. Through the supply chain — as a supplier or service provider to a large company — a compromised SME provides access to the systems and data of the larger organisation.
NIS2 and supply chain responsibility
The NIS2 directive introduces the concept of supply chain responsibility. Organisations that fall under NIS2 — and more of them do than many realise — must not only have their own cybersecurity in order but also impose requirements on their suppliers.
For SMEs, this means concretely: if you supply to an organisation that falls under NIS2, you may be confronted with cybersecurity requirements that previously only applied to large companies. Contractual obligations around security standards, incident reporting duties and periodic audits are becoming the norm.
This is not only a threat but also an opportunity. SMEs that proactively get their cybersecurity in order distinguish themselves from competitors who do not. In procurement processes and supplier selections, cybersecurity is increasingly becoming a decisive factor.
Affordable measures that actually work
Good cybersecurity need not cost a fortune. Most successful cyber attacks on SMEs exploit basic vulnerabilities that can be remedied with relatively simple measures:
- Multi-factor authentication (MFA) — The single most important measure you can take. MFA blocks more than 99% of automated account attacks. Most cloud services offer it for free.
- Patch management — Keep software up to date. Most ransomware attacks exploit vulnerabilities for which patches have been available for months. Automatic updates are your best friend.
- Backup strategy — The 3-2-1 rule: three copies, on two different media, one of which is offsite. Test your backups regularly — a backup that does not work is not a backup.
- Security awareness — Train your employees regularly. Not with boring presentations but with realistic simulations. The human element is the greatest vulnerability and the best defence.
- Network segmentation — Separate your network into zones. If an attacker compromises one system, it does not have to mean everything is lost.
The cost of doing nothing
The question is not if your organisation will be attacked, but when. The average cost of a ransomware attack for an SME in 2025 is more than €150,000 — including ransom, downtime, recovery costs and reputational damage.
Then there is the time factor. An average SME needs 23 days after a ransomware attack to be fully operational. That is almost a month in which you generate little or no revenue, cannot serve customers and see your reputation suffer.
Compare that with the cost of prevention. Basic cybersecurity measures cost an SME between €2,000 and €10,000 per year, depending on size and complexity. That is a fraction of the cost of a single incident.
Where to begin?
The first step is always insight. Where are your crown jewels — the data and systems that are essential to your business operations? Who has access to them? What happens when they become unreachable?
A cybersecurity quick scan gives you a clear picture of your current situation and the most important areas for improvement within days. No thick reports full of jargon, but concrete, prioritised action points that you can implement immediately.
Nexus-7 understands that SMEs have different needs than large enterprises. Our approach is pragmatic and proportionate: we help you implement the measures that have the greatest effect within your budget and capacity. No overkill, but protection where it counts.