ENISA publish guide for SMEs on how to tackle cybersecurity


    - David Goldstein -

    Small and medium enterprises (SMEs) are often considered the backbone of an economy. Within the European Union it’s estimated there are 25 million SMEs currently active, employing over 100 million workers. Like their larger counterparts, they’re also targeted by cybercriminals, with over a third (36%) reporting a cybersecurity incident in the last five years. Around half believe a cybersecurity issue would put them out of business. Unlike their larger counterparts, they’re often unable to employ people specifically to deal with these issues and are often underprepared to cope with the inevitable intrusions by cybercriminals.

    ENISA publishes cybersecurity guide

    To help SMEs better deal with cybersecurity, the European Union Agency for Cybersecurity (ENISA) has published advice and guides on how to successfully cope with cybersecurity challenges, particularly those resulting from the COVID-19 pandemic.

    With the current crisis, traditional businesses had to resort to technologies they had never used before, such as QR codes or contactless payments. Although SMEs have turned to such new technologies to maintain their business, they often failed to increase their security in relation to these new systems. Research and real-life experience show that well-prepared organisations deal with cyber incidents much more efficiently than those that fail to plan or lack the capabilities they need to address cyber threats correctly.

    Challenges faced by SMEs

    In their report, Cybersecurity for SMEs, ENISA found 85% of the SMEs surveyed agree that cybersecurity issues would have a serious detrimental impact on their businesses, with over half (57%) saying they would most likely go out of business. Out of almost 250 SMEs surveyed, 36% reported that they had experienced an incident in the last 5 years. Nonetheless, cyberattacks are still not considered a major risk by a large number of SMEs, and a belief remains that cyber incidents only target larger organisations.

    However, the study reveals that phishing attacks are among the most common cyber incidents SMEs are likely to be exposed to, in addition to ransomware attacks, stolen laptops, and Chief Executive Officer (CEO) fraud. For example, with the concerns induced by the pandemic, cybercriminals seek to compromise accounts using phishing emails with Covid-19 as a subject. CEO fraud is another lure: an employee is tricked into acting on the instructions of a fraudulent email made to look as if it was sent by their CEO, usually requesting an urgent payment under business-like circumstances.

    ENISA identified the following challenges SMEs are faced with:

    • Low awareness of cyber threats
    • Inadequate protection for critical and sensitive information
    • Lack of budget to cover costs incurred for implementing cybersecurity measures
    • Availability of ICT cybersecurity expertise and personnel
    • Absence of suitable guidelines tailored to the SMEs sector
    • Moving online
    • Low management support.

    To deal with the problems, ENISA makes recommendations that fall into the following three categories:


    People play an essential role in the cybersecurity ecosystem. The report draws attention to the importance of responsibility, employee buy-in and awareness, cybersecurity training and cybersecurity policies as well as third party management in relation to confidential and/or sensitive information.


    Monitoring internal business processes includes performing audits, incident planning and response, passwords, software patches and data protection.


    At the technical level, a number of aspects should be considered in relation to network security, anti-virus, encryption, security monitoring, physical security and the securing of backups.

    To assist SMEs, ENISA has two main publications that are free to download, both in PDF format:

    There is also ENISA’s Cybersecurity for SMEs page with more details and a further list of publications.
