Threat research in SMEs and how to protect your business

Last update: March 12th, 2026
  • SMEs are prime targets for ransomware, phishing, and supply chain attacks, with risks compounded by attackers' use of AI.
  • Threat research and MDR services offer SMEs continuous monitoring, up-to-date intelligence and rapid response without the need for their own SOC.
  • Strengthening identity, email, backups and basic processes, along with training and cyber insurance, drastically reduces the real impact of cyberattacks.


SMEs have become one of cybercriminals' favorite targets: they hold valuable information, are increasingly reliant on technology, and yet often have smaller budgets and less specialized security personnel. This means that many attacks previously limited to large corporations are now being seen in businesses with 10, 40, or 100 employees, from professional firms to light industry.

At the same time, the arrival of artificial intelligence in attackers' hands is changing the landscape: better-written phishing emails, automated campaigns, highly credible impersonations of executives or suppliers, and large-scale attacks on the supply chain. In this context, threat research in SMEs and services like MDR (Managed Detection and Response) cease to be "just for big companies" and become a real lever for surviving incidents that could completely paralyze the business.

Why do threats hit SMEs so hard?

In any organization, IT and security teams face increasingly prepared and persistent adversaries. But in SMEs the situation is more complicated because, as a rule, there is no budget to set up their own Security Operations Center (SOC) or to maintain a team of experts 24/7. Even so, attacks don't wait: ransomware, phishing, and access abuses continue to grow, with financial losses that in many cases reach tens of thousands of euros per year.

The truth is that not having an internal SOC doesn't mean you're doomed. Just as small businesses adopted cloud solutions or outsourced their management systems years ago, today they can "rent" advanced cybersecurity capabilities. That's where Managed Detection and Response (MDR) services come in: they provide an SME with a team of analysts, monitoring tools and mature incident response processes without having to hire all of it on staff.

This outsourcing relies on a key pillar: threat research and intelligence. Behind what an SME sees on its security console are global research networks analyzing malware samples, cybercrime group movements, ransomware campaigns, APT (advanced persistent threat) operations, and even the activity of state-linked actors. This information is translated into rules, detections, alerts, and action guidelines that ultimately reach the small business in a digestible form.

In this model, the Threat Research teams of security vendors act as a kind of global radar that feeds MDR services. Thanks to telemetry from millions of endpoints and collaboration with field analysts, they can detect new trends, link seemingly isolated incidents, and adjust defenses very quickly when a new technique or campaign appears.

How threat research works to serve SMEs

A modern threat research team is typically distributed across several regions, with analysts specializing in different malware families, ransomware, and APT groups. Some of their work is publicly available (technical articles, conference presentations, public reports), which helps raise market awareness and share findings with the community. However, another significant portion is information reserved for corporate clients and MDR services.

That private content includes operational details on cybercriminal groups: what tools they use, how they move laterally within a network, which sectors they target, and which mistakes they make repeatedly. For an SME, having this intelligence already integrated into its security systems means, in practice, that many threats are silently blocked before the user even notices anything unusual.


On a daily basis, researchers review telemetry data from endpoints and servers across thousands of companies. When an alert suggests something unusual, an in-depth analysis of the sample or suspicious behavior is performed. This process includes classifying the severity of the breach, understanding the objective of the attack and, if possible, attributing it to a specific threat group. This attribution is useful because it allows defenders to anticipate that actor's typical next steps and strengthen defenses where they are most needed.

Collaboration between researchers and MDR teams creates a virtuous cycle: when an MDR analyst encounters a particularly interesting incident in an SME, they can share evidence and context with the Threat Research team. Sometimes it's the reappearance of an actor that had been inactive for months, or a malware variant that evades previous signatures. The case is thoroughly investigated, coverage is improved, and that improvement ultimately benefits all companies connected to the service.

Furthermore, the close relationship established with MDR customers provides much richer visibility than endpoints alone can offer: a better understanding of the infrastructure, critical workflows, key vendors, and system dependencies. This makes it easier to reconstruct an intrusion step by step and reduces the time from detection to effective containment.

Main threats: from social engineering to ransomware and the supply chain

In today's ecosystem, SMEs face a wide range of threats, each with real cyberattacks behind it and key lessons to draw from them. Understanding them is essential to developing a defense strategy that doesn't rely solely on "more tools," but on prioritizing investment in basic controls.

Phishing and impersonation campaigns continue to be the most common entry point. With the help of AI, attackers draft flawless emails, using a tone that mimics the company's style and referencing real suppliers or ongoing projects. It's not uncommon to see fraud targeting the finance team, where an urgent message from the CEO is simulated, requesting a transfer with highly credible excuses. Without MFA (two-factor authentication), human error is rampant.

Ransomware, meanwhile, continues to be one of the threats with the greatest direct impact on money and continuity. The criminals combine data encryption with exfiltration and blackmail: if the company doesn't pay, they threaten to publish sensitive information. Added to this is the role of "initial access brokers," intermediaries who sell pre-established access to third parties, further industrializing these types of attacks and lowering the barrier to entry for new groups.

Exploiting vulnerabilities in known software, especially ERP systems, collaboration tools, and cloud services, remains another very common method. Many SMEs do not have a clear inventory of their digital assets or their external dependencies, and they apply patches late or irregularly. This leaves a window of time in which a known and publicly disclosed vulnerability can be exploited at scale through automated scans.

Finally, supply chain attacks have become a top-tier risk. Cybercriminals understand that a poorly protected IT or helpdesk service provider can be the gateway to multiple clients, including large brands. In these scenarios, the SME can be both a direct victim and a "weak link" that facilitates access to a larger organization, with the consequent reputational and contractual risks.

The role of AI: more volume, more credibility, and less cost per attack

Artificial intelligence has not invented new families of threats out of thin air, but it has made the cycle of classic attacks cheaper and faster. Today, a criminal with less technical knowledge than a few years ago can launch very plausible phishing campaigns, automate tests of leaked credentials, or adapt messages to the context of each victim almost in real time.


Reports from organizations such as the NCSC point to a near horizon where we will see more semi-automated operations. These include targeted email campaigns, scripts that scan for known vulnerabilities en masse, and bots that adjust their approach based on the victims' responses. For SMEs, this translates into more clutter in their inboxes, more remote intrusion attempts, and increased strain on immature internal processes.

However, the same sources emphasize that well-executed basic defense measures remain very effective. Reducing the exposed surface area (closing unnecessary services, segmenting the network, limiting remote access) and automating tasks such as patching or backup management offers a much greater return than spending the budget on advanced solutions without a process to support them.

Adding to this scenario is the phenomenon of "shadow AI": employees using intelligent assistants and agents in their daily work without a clear corporate policy. Sending customer data, project information, or credentials to external tools without oversight carries the risk of exposing sensitive data or making unsafe automated decisions. Therefore, in addition to technology, governance is needed: information classification, usage limits, and human review in critical operations.

In parallel, initiatives for standardization and best practices for the secure use of AI agents are emerging, seeking to ensure interoperability and data protection. SMEs can rely on these guidelines to define realistic internal policies that allow them to leverage AI without creating unnecessary cracks in their security posture.

Typical vulnerability factors in SMEs

Beyond the techniques used by the attackers, it is worth looking inward and recognizing the structural weaknesses that tend to recur in small and medium-sized enterprises. Working on them has a huge impact on reducing overall risk.

On one hand, the human factor remains the Achilles' heel. Giving an annual talk isn't enough: experience shows that only hands-on training, with regular phishing simulations, incident response drills, and short but frequent reminders, truly becomes part of employees' routines. Those who have never encountered a well-crafted phishing email tend to underestimate how easy it is to fall for one.

Another critical element is identity and access management. Reused passwords, weak authentication, accounts with more privileges than necessary, and a lack of control over who accesses what are ideal ingredients for a serious breach. The principle of least privilege, mandatory MFA for critical access, and periodic review of permissions are relatively simple measures, but they are often postponed.

Insecure cloud configurations and the lack of a clear backup strategy add another layer of risk. Without isolated or immutable backups, a ransomware attack can lead to total data loss and long business interruptions. And without monitoring of cloud service configurations, it's easy for misconfigured storage to leave data exposed to the entire internet without anyone noticing.

Finally, many businesses suffer from a disconnect between cybersecurity and regulatory obligations. Regulations such as the GDPR or the NIS2 Directive (for specific sectors) don't just address fines: they require rapid notification capabilities, response plans, management training, and supply chain controls. Ignoring this framework can exclude a company from certain tenders or commercial agreements, as well as expose it to penalties following an incident.

MDR and cyber insurance: technical and financial policy for SMEs

Faced with this scenario, many SMEs are choosing to combine MDR services with cyber insurance policies. The MDR acts as "technical insurance": it monitors, detects, investigates, and helps to respond quickly, reducing the likelihood of an attack materializing or causing massive damage. Cyber insurance, on the other hand, offers financial and legal support when, despite everything, an incident occurs.


A well-integrated MDR service that fits the reality of an SME provides continuous visibility across endpoints, email, network and, in some cases, the cloud. In the event of an active campaign, it allows the attacker's chain of actions to be reconstructed: how they gained access, which accounts they compromised, what data they were able to access, and how they moved through the network. This traceability is key not only to cleaning up the incident effectively, but also to fulfilling notification obligations to authorities and clients.

Furthermore, the MDR establishes a direct communication channel between analysts and the person responsible for security or IT within the company. When a serious alert is triggered, there's no need to start from scratch: the context is already in place, the critical systems are known, and the steps that can be taken immediately have been defined beforehand. Reaction speed makes the difference between a manageable scare and an operational standstill that lasts for weeks.

In parallel, collaboration with specialized insurers helps SMEs to analyze their exposure more broadly. This includes not only direct attacks, but also supply chain disruptions, legal liabilities for data breaches, and service downtime. Many policies cover not only financial losses, but also access to incident response teams, preventative audits, and employee training.

However, cyber insurance does not replace security measures; on the contrary, it usually requires a minimum set of implemented controls (MFA, backups, updates, etc.) to offer complete coverage. This combination pushes SMEs to raise their level of maturity and gives them a safety net if, despite everything, the attack succeeds.

Practical measures: from the fundamentals to the 30/60/90 day plan

With limited resources, the key is not to try to do everything, but to set priorities correctly. In the coming years, many SMEs have a lot at stake in how they structure their investments between identity, email, endpoints, backups, and early detection capabilities.

A practical approach involves working with a 30/60/90 day plan. In the first 30 days, focus on the essentials: inventory critical assets and accounts, activate robust MFA on email, VPN and management systems, verify that backups are performed and can be restored, and define a clear anti-fraud protocol for payments and bank account changes.

Between days 30 and 60, the focus should shift to hardening endpoints and email: properly configure SPF, DKIM and DMARC, block unauthorized macros and executables so that a single compromised machine does not jeopardize the entire company, and carry out an initial role-based training session with a small incident response simulation.

From day 60 to 90, it is advisable to implement a small risk dashboard: percentage of accounts with MFA, number of systems without critical patches, restore times from backup, and so on. It is also the ideal time to close an agreement with an external monitoring or MDR provider and formalize an AI usage policy that defines what can and cannot be shared with assistants.
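The 30/60/90 plan above can be turned into a small, repeatable measurement. The following is an added example (not from the article or any vendor): it computes the day-60-to-90 dashboard indicators (MFA coverage, unpatched systems, restore time) over a constructed inventory and also flags weak SPF/DMARC settings from the day-30-to-60 email hardening step. The company domain example-sme.test, the account and system records and the DNS TXT strings are all made up.

```python
"""Risk dashboard for the 30/60/90 plan over a constructed SME inventory (added example)."""
import re


def email_auth_findings(txt, domain):
    """Flag weak SPF/DMARC settings that the day 30-60 email hardening step should fix."""
    findings = []
    spf = txt.get(domain, "")
    dmarc = txt.get("_dmarc." + domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF record missing")
    elif spf.split()[-1] == "+all":
        findings.append("SPF ends with +all (any sender passes)")
    if not dmarc.startswith("v=DMARC1"):
        findings.append("DMARC record missing")
    else:
        policy = re.search(r"\bp=(\w+)", dmarc)
        if not policy or policy.group(1) == "none":
            findings.append("DMARC policy is p=none (monitor only, no enforcement)")
    return findings


def risk_dashboard(accounts, systems, restore_minutes, txt, domain):
    """Return the indicators the article suggests for the day 60-90 dashboard."""
    with_mfa = sum(1 for a in accounts if a["mfa"])
    return {
        "mfa_coverage_pct": round(100 * with_mfa / len(accounts)),
        "admins_without_mfa": [a["user"] for a in accounts if a["admin"] and not a["mfa"]],
        "systems_missing_critical_patches": [s["host"] for s in systems if s["critical_patches_missing"] > 0],
        "restore_time_minutes": restore_minutes,
        "email_auth_findings": email_auth_findings(txt, domain),
    }


# Constructed sample inventory for a hypothetical company (domain example-sme.test).
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True},
    {"user": "bob", "admin": False, "mfa": False},
    {"user": "carol", "admin": True, "mfa": False},
    {"user": "dave", "admin": False, "mfa": True},
]
SYSTEMS = [
    {"host": "erp-01", "critical_patches_missing": 2},
    {"host": "mail-01", "critical_patches_missing": 0},
    {"host": "file-01", "critical_patches_missing": 1},
]
RESTORE_MINUTES = 95  # time measured in the last monthly restore test (constructed)
DNS_TXT = {  # constructed TXT records, as a DNS lookup of the domain would return them
    "example-sme.test": "v=spf1 include:_spf.example.net ~all",
    "_dmarc.example-sme.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-sme.test",
}
```

Calling `risk_dashboard(ACCOUNTS, SYSTEMS, RESTORE_MINUTES, DNS_TXT, "example-sme.test")` yields 50% MFA coverage, one admin without MFA, two hosts missing critical patches and a DMARC record still in monitor-only mode.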

Alongside this plan, it's very useful to work with a simple operational checklist for management and IT: MFA for administrative accounts, double approval for sensitive payments, an up-to-date inventory of assets and software, basic SLAs with suppliers, monthly backup restoration tests, quarterly training with simulations, and a response plan with clear contacts and phone numbers. Although these may seem like "common sense," the difference between having it in writing and actually having tested it, or not, is enormous when a real incident occurs.

Small and medium-sized enterprises cannot afford to pursue perfection in cybersecurity, but they can build, step by step, a solid foundation supported by threat research, MDR services, simple yet well-implemented controls, and an internal culture that stops seeing security as an "extra technical" and embraces it as a natural part of how business is done in today's digital world.
