Small and Medium-Sized Enterprises (SMEs) in the European Union lag behind larger companies in terms of cybersecurity controls, according to an analysis by Marsh, a global leader in insurance broking and risk advisory. The average level of security for SMEs is 15% lower, which may increase their vulnerability to cyber threats.
The report, “Why the Cybersecurity Gap Between SMEs and Large Organizations Matters,” highlights that SMEs face significant challenges in achieving cyber resilience compared to larger organizations. The publication’s authors analyzed the cybersecurity gap among 320 SMEs, mid-sized companies, and large organizations across the EU (classified based on annual revenues into three categories: below €51 million, between €51 million and €250 million, and above €250 million). They used data from Marsh’s cybersecurity self-assessment tool, focusing on 12 cybersecurity control indicators.
The report indicates that large organizations implement cybersecurity control mechanisms more effectively than SMEs. Larger companies scored 80% across the 12 cybersecurity control categories, whereas SMEs averaged 65%. Notably, 91% of large organizations require multi-factor authentication for remote logins, compared to 75% of SMEs. The report also emphasizes the critical need for improving incident response plan testing, with only 40% of SMEs conducting such tests, compared to 61% of large organizations. Despite improvements in incident response capabilities, SMEs and mid-sized companies continue to lag. Additionally, there are significant industry disparities: 85% of SMEs in the financial sector require employees to complete cybersecurity training, while only 58% of industrial firms do the same.
The report’s authors stress the need for SMEs to engage with the rapidly growing cyber insurance market, as many are currently uninsured or underinsured, leading to a substantial protection gap. Although historical barriers have limited access to suitable insurance coverage, recent innovative market solutions offer SMEs the opportunity to close this insurance gap.
“SMEs are critical to national infrastructure, and their vulnerability to cyber threats can lead to financial losses and data breaches, jeopardizing economic stability and public trust. As an integral part of the supply chain, they can also pose risks to larger firms. It is essential to strengthen collaboration to bridge the cybersecurity gap for SMEs and develop tailored solutions in the insurance market,” comments Gamze Konyar, Head of Cyber at Marsh Europe.
“As cyber threats continue to evolve, the report underscores the urgent need for all organizations, especially SMEs, to enhance their cybersecurity measures to ensure resilience. It calls for increased awareness, education, and support for robust cybersecurity practices, urging key stakeholders—governments, industry associations, and larger organizations—to provide resources and collaboration opportunities to strengthen SME cyber resilience,” adds Typhaine Beaupérin, Chief Executive Officer of the Federation of European Risk Management Associations (FERMA).
Anna Pluta, Head of Cyber Practice at Marsh Poland, adds: “Small and medium-sized enterprises (SMEs) across Europe face numerous cybersecurity challenges. Limited budgets may hinder investments in advanced security technologies and hiring cybersecurity specialists. Additionally, the increasing complexity of cybersecurity regulations can make interpretation and compliance difficult, leading to security gaps and heightened vulnerability to threats.”