VSEs/SMEs: Why are they targeted by cyber attacks?

The need for cybersecurity in business has become a reality regardless of the size of the company. Ransomware, phishing, BEC attacks, DDOS attacks can affect anyone. No organization is safe from an attack. Neither are smaller organizations, and they are particularly targeted by cyber attacks as well.

The number of cyber attacks tends to increase for SMBs, their security systems being often less elaborate due to a lack of means and information or to the application of inadequate measures to prevent cyber threats. Managers must be aware of the risk and the stakes by adopting an adapted solution while facing costly investments, and by training their teams.

No matter your size, no matter your activity, no matter your sector, you can be the target of cyber attacks

Why are VSEs / SMEs targeted by cyber attacks?

Faced with these attacks, are SMEs well prepared? equipped? protected?

Looking at the figures below, we can see the key facts and can already answer some of these questions. There is still a lack of knowledge about cyber issues and a lack of maturity in terms of security, even if this subject tends to evolve.

The lack of skills within the technical teams, which for the most part prefer large groups, and finally the tight budget dedicated to cyber security are added to the list of areas for improvement.

Some numbers:

  1. 95% of business leaders say they feel they have a good understanding of cybersecurity.*
  2. 1/3 of VSEs/SMEs say they have an IT specialist in charge of cybersecurity in their company.*
  3. 60% of small businesses close their doors within 6 months of suffering a data breach or cyberattack***.
  4. Only 1 in 2 business owners use a VPN**.

*IFOP Survery 2021

**Survey revealed by Europe 1 in 2021

***Cybercrime magazine

Risk minimization

Small and medium-sized businesses do not always give priority to preventing attacks. Ransomware, reputation damage, denial of service or sabotage, all these risks are sometimes not or hardly considered by small structures. They think that attackers prefer to attack large entities.

54% of SMEs think they are safe from a cyber attack because they are not big enough.


The French Senate’s information report No. 678, however, states that in 2020, “43% of SMEs have experienced a cybersecurity incident.” The French national agency for information systems security (ANSSI) notes, in March 2020, a 400% increase in phishing attempts. Forrester Consulting states that “between November 2020 and January 2021, the share of SMBs/SMBs with fewer than 250 employees affected by cyberattacks was 33% over the past 12 months.”

These figures prove that large organizations as well as smaller ones can be targeted by cyber attackers. Everyone should be concerned. Yet, according to Source IT in 2021, “among the 47% of SMBs that do not make cybersecurity a priority, 40% report having suffered an attack that resulted in lost revenue for 50% of them and a production interruption for 23%.” This idea of the importance of cybersecurity in corporate strategy is still underestimated.

As an example, the lingerie group Lise Charmel fell victim to a ransomware attack in 2019. The group’s 1,150 employees were affected and the company was placed in receivership. [1]

Finally, let’s quote these latest figures in terms of tooling, “97% use an antivirus, 88% use a firewall, 79% implement a data backup managed internally by their teams “1. The fact that they only have one antivirus leads some of them to think that the risk is covered or that the equipment is protected, forgetting about updates and the fact that antiviruses only detect on the basis of already known attacks. This lack of digital literacy makes them take a big risk.

However, we can moderate these remarks since the pandemic and the advent of telecommuting. Companies have equipped themselves and are taking cyber risks into consideration more and more.

Cyber security maturity

60% of European technology SMEs have insufficient resources to guarantee their cyber protection.

Oliver Wyman – European Digital Sovereignity

The other aspect that we address here is the weakness of the security maturity observed in SMEs.

The observation is that few SME managers are sufficiently supported in the choice of their security solutions. In the case where IT referents exist, they are not necessarily cyber specialists.

Another issue raised. When these medium-sized structures are equipped, half of the functionalities are not activated and the tools are not well configured due to a lack of knowledge, giving attackers free rein. So there is a real lack of protection.

Moreover, not all small companies have in-house services, and in addition, employees are not always trained in cyber security. However, maturity in terms of security also depends on the awareness of its staff. There are still gaps or weaknesses in this area.

It is essential to remind people regularly and in an educational way that clicking on a hacked link is dangerous, that changing passwords regularly is important, that having a strong password is essential, that multi-factor authentication is essential, that the use of one’s phone should not be done in the professional context. These fundamentals must be reminded.

Shortage of skills

As we mentioned earlier, one of the major problems facing small and medium-sized businesses is the lack of staff dedicated to cybersecurity within their structure. According to the French Senate report, “human resources are becoming virtually inaccessible”. According to the Wavestone report[2], more than 15,000 positions are available but not covered. Skills are becoming increasingly scarce given the needs and this shortage particularly affects small organizations that are hardly able to compete with the offers of large groups and attract talent. According to the Ifop survey, “1 out of 5 SMEs has no one in charge of IT security” and “one third of companies with 20 to 249 employees have a dedicated IT security employee”. It is therefore the head of the company himself who is required to manage security problems. These companies do not always have the reflex to rely on experts.

Budgetary issues

“For six out of ten French companies, the budget allocated to cybersecurity does not exceed 1,000 euros per year”

Europe 1 Study

Smaller organizations are increasingly aware of the efforts they must make for cyber security. The recent events in Ukraine and the global pandemic, which have favored attacks, have raised awareness. However, the allocated budgets are not yet sufficient. The complexity of the attacks requires the use of several tools that involve costs. “Out of the global IT budget of companies, 6.1% is dedicated to security.[3]

SMEs often use free products and feel secure. They don’t understand why they must pay to be protected when they think they can be protected without straining their budget. The problem is that unknown threats do not enter the signature base of an antivirus. That’s why you need a hyper-automated, hyper-industrialized solution. There is therefore a real need for support for this audience. There is an urgent need to raise awareness, to advise, to support and to establish cybersecurity systems in these companies. Most SMEs do not yet have “products adapted” to their budget.

TEHTRIS EDR is a solution provided in SaaS mode, via the cloud, with the ability to predict, prevent, detect and react to cybersecurity. TEHTRIS EDR is sovereign, hyper-automated and automatically neutralizes known and unknown threats in real time without human action.

We have seen that medium-sized companies are often limited in financial, technological and human resources. This is why TEHTRIS recommends its TEHTRIS XDR Platform, which is modular in the sense that each organization can add additional modules as needed. The TEHTRIS XDR Platform protects desktops, servers, mobiles and tablets, networks and workflows from attacks and neutralizes threats. This offer is particularly adapted to the problems of small and medium-sized companies from 100 workstations.

Our solution allows :

  • Adapt detection rules thanks to cyberthreat intelligence.
  • Operational efficiency thanks to hyper-automated neutralization.
  • Easy integration.

The strengths of our solution are, among others, to propose a customized, easy to deploy, hyper automated, flexible offer. This solution is aimed at large groups, governments, local authorities and SMEs.

The smallest structures must not be passive targets of attacks, they must react and anticipate. Their survival depends on it. TEHTRIS has foreseen this. Our TEHTRIS Store offer allows you to equip Windows computers with the appropriate TEHTRIS EDR technology, configured for companies aware of the risk of ransomware.

For more information, see our article on IT security issues and solutions.

[1] Tribune de Lyon, March 3, 2020

[2] European Digital Sovereignity – Oliver Wyman – october 2020

[3] IFOP, Les dirigeants d’ETI face à la menace cyber-point de situation, 2018

[4] Wavestone Report. Cybersecurity: where are the major French organizations? March 2022