The seven cybersecurity barriers that SMEs need to overcome

According to recent studies, 74% of SMEs have suffered from a cybersecurity problem
06 Oct 2021
2 Minutes of reading
  • This data is extracted from a study on SMEs and cybersecurity carried out by S2 grupo.
  • The lack of perception of how to implement security measures will add value to the company, limited resources or lack of knowledge in this area, are some of the main problems.

October 6, 2021.- S2 Grupo, a company specialized in cybersecurity and critical systems management, has warned that SMEs are the entities that present the most risks in the field of information security.

In this sense, according to a study carried out by their team of experts on SMEs and cybersecurity, it has been highlighted that they currently face mainly seven barriers that they need to overcome to protect their cybersecurity and the continuity of their business.

"Today, not only large companies are highly dependent on ICT. SMEs, which make up more than 99% of the European business fabric, present more than significant risks in this area and these constitute a major threat to their business. In fact, recent studies affirm that 90% of large corporations have suffered a security breach and that this percentage translates into 74% in the case of SMEs”, declared José Rosell, managing partner of S2 Grupo.

SMEs are heavily dependent on ICT when developing their services yet most of them do not have cybersecurity measures in place. This happens because there are multiple barriers that make it difficult to implement these types of standards. Therefore, this is one of the great challenges we will face in the coming years”, stated Miguel A. Juan, managing partner of S2 Grupo.

Barriers to cybersecurity for SMEs

As highlighted by the S2 Grupo team of experts, there are 7 main obstacles that SMEs need to overcome in order to be cyber-protected:

  1. Lack of knowledge about applicable information security standards.- In many cases, especially among those SMEs that do not belong to the ICT sector, there is ignorance about the existing standards. They often lack a single point of reference or query, so that they can ask for advice about which standard is the most suitable for them as the one that best suits their needs, third-party requirements, etc.
  2. Lack of management commitment.- Because SME resources are often more limited and their efforts are focused on being competitive in their business field, it is difficult for management to see clearly how implementing information security standards adds value to their business can provide them with a competitive advantage over the competition.
  3. Misperception about the targets of cyber-attacks.- Among the majority of SME managers and employees, there is a widespread belief that cyberattacks mainly affect large organizations, and not companies of their size, since they do not store and/or process such critical information.
  4. Lack of contribution in the standards development process.- The design of information security standards is driven mainly by large organizations, and these are intended to cover their multiple business processes. As a consequence, the standards assume that all organizations have sufficient resources to implement them, and that they have the necessary understanding about the technical and non-technical requirements that are included in them.
  5. Lack of cybersecurity capabilities.- One of the main actions required when implementing a standard is to assign information security roles and responsibilities to some employees. The security roles that are required to manage these standards are several and with different profiles, and this exceeds the human resources capacity of most SMEs.
  6. Limited budget and resources.- The little budget allocated to information security seems to be one of the major impediments for SMEs when it comes to implementing a standard. It must be taken into account that their implementation of these standards requires investment in specialized consultants to guide them, to comply with the technical requirements of the standards, to acquire software solutions, new ICT infrastructure, etc.
  7. Risk management.- For most SMEs, information security is still an emerging field and they do not apply the same degree of rigor when evaluating information security risks as when evaluating financial, legal, operational risks, etc. However, SMEs are gradually becoming more aware of the potential impact that the interruption of their business processes due to a security incident can have today and of how proper risk management can protect them from threats and vulnerabilities associated with their information assets.


More information: