You know that cyber security is a serious issue. You probably have anti-virus software and perhaps a firewall. And yet, a worrying paradox persists in the vast majority of SMEs: 58 % of managers consider cybersecurity to be crucial, but 62 % simultaneously believe that their organisation is too small to be targeted. These two beliefs coexist, and this contradiction is precisely what cybercriminals exploit.
This guide introduces you to the HOT method (Human, Organisational, Technical), the only global approach that makes it possible to build a defence that really lasts, with no blind spots.
The paradox that puts your business at risk
43 % of cyber attacks target SMEs, and not by chance
The idea that you are “too small to be of interest to a hacker” is based on a fundamental misunderstanding of how modern attacks work. Cybercriminals don't choose their targets by looking at your turnover: they look for the most vulnerable systems, the most accessible, and the most likely to pay off quickly.
SMEs tick all three boxes. Valuable customer data, often insecure IT, and above all no dedicated team to detect an intrusion before it turns into a disaster. It's this combination that makes SMEs prime targets: not despite their size, but precisely because of it. To find out more, read our analysis of new cyber security threats to businesses.
Why the financial impact far exceeds the technical costs
The average cost of a major incident is €1.2 million for an SME, a figure that always comes as a surprise and deserves to be broken down. Technical remediation (cleaning up systems, restoring data, reinforcing defences) accounts for only a fraction of this. The rest is divided between the operating losses during the interruption, the medium-term commercial impact, any GDPR (RGPD) penalties, and above all the reputational cost: lost customers, contracts not signed, partners who ask questions.
This last item is often the most difficult to quantify, and the most lasting. This explains why 80 % of start-ups that suffer a major attack go bankrupt within six months. Not because the technical remediation was insurmountable, but because trust, once lost, is not easily rebuilt.
The HOT method: thinking safety as a system
A three-legged stool, and why removing just one leg is enough to bring the whole thing down
Effective cyber security is based on three inseparable pillars, often summarised by the HOT method recommended by Cybermalveillance.gouv.fr:
- H (Human): employees, their reflexes, their vigilance on a daily basis
- O (Organisational): governance, procedures and crisis strategy
- T (Technical): tools, software, configurations
The image of the stool speaks for itself: a three-legged stool remains stable even on uneven ground. Remove one leg, any leg, and it collapses. Yet the vast majority of SMEs over-invest in the T (antivirus, firewall, cloud solutions) while almost totally neglecting the H and the O. The result is predictable: sophisticated tools circumvented by a simple fraudulent email because no employee had been trained to recognise it.

How the three components feed off each other
The power of the HOT method lies in the interdependence of its three pillars. A clear organisational policy (O) defines the training needs of the teams (H), which are then supported and monitored by the technical tools deployed (T). An EDR that detects abnormal behaviour is only of value if a procedure (O) defines who receives the alert, and if the person who receives it (H) knows how to react.
Working on one pillar while ignoring the other two is like installing an armoured door in a house without walls. The HOT method is not a checklist to be ticked off sequentially: it's a systemic framework to be built coherently.
H is for Human: turning your employees into the first line of defence
Social engineering: attacking emotions rather than systems
Modern attackers have made a pragmatic observation: it is easier to manipulate a human being than to break through a correctly configured firewall. Social engineering specifically refers to all psychological manipulation techniques aimed at inducing a human error (clicking on a link, divulging a password, validating a transfer).
These techniques exploit universal emotional mechanisms: urgency (“your account is about to be suspended”), authority (“message from management”), fear (“security incident detected”), or trust (“your supplier X is contacting you”). No technical tool can block a decision taken voluntarily by an employee who is convinced that he or she is doing the right thing. Only training can create the reflex to pause and check.
Spear phishing and whaling: targeted attacks aimed at your business
Generic phishing (emails in bad French promising a parcel or a refund) is now well known. Targeted attacks are far more dangerous. Spear phishing targets a specific individual, identified through in-depth research on social networks and public sources (open-source intelligence, or OSINT). The email mentions your last trade show, your assistant's first name, a fictitious problem with a real supplier. It's convincing because it's built to be.
Whaling specifically targets executives and high-value profiles: CEOs, CFOs, HR managers. The aim is to obtain validation of urgent transfers, access to critical systems or confidential information. In the age of deepfake audio, these attacks now include telephone calls that perfectly imitate the voice of an associate or banking partner. The simplest tip is still the most effective: before clicking, position the cursor over the link to display the real URL. Just one different character in the domain gives the fraudulent site away.
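The hover check above can also be automated on the defender's side. The following added example (not code from the original article or from Iterates) extracts the links from an email body and flags two things: a visible link text whose domain differs from the real destination, and a destination domain one character away from a domain the organisation trusts. The HTML sample and the trusted-domain list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the visible text shows the bank's real domain, but the
# href points at a domain that differs by a single character ("1" for "l").
SAMPLE_HTML = (
    '<p>Your invoice is ready.</p>'
    '<a href="https://login.examp1e-bank.com/verify">https://login.example-bank.com</a>'
    '<a href="https://example-bank.com/help">Help centre</a>'
)
# Hypothetical list of domains this organisation legitimately deals with.
TRUSTED_DOMAINS = {"example-bank.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Hostname of a URL or bare domain in text; None if text is not URL-like."""
    text = text.strip()
    if "://" not in text and "." in text and " " not in text:
        text = "http://" + text          # visible text such as "example-bank.com"
    host = urlparse(text).hostname
    return host.lower() if host else None

def registered_domain(host):
    """Crude registrable domain: last two labels (no public suffix list used)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html, trusted):
    """Return (reason, href) pairs for every suspicious anchor in html."""
    findings = []
    for href, visible in ANCHOR_RE.findall(html):
        real = host_of(href)
        if real is None:
            continue
        shown = host_of(visible)
        if shown and registered_domain(shown) != registered_domain(real):
            findings.append(("visible text does not match destination", href))
        dom = registered_domain(real)
        for t in trusted:
            if dom != t and edit_distance(dom, t) <= 1:
                findings.append(("lookalike of trusted domain " + t, href))
    return findings
```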
Training without complicating matters: practical resources for deployment tomorrow
Cybersecurity training does not require a large budget or elaborate technical sessions. High-quality resources are available immediately and free of charge: Pix enables you to assess and certify your employees' basic digital skills. SensCyber (cybermalveillance.gouv.fr) offers a short e-awareness course, accessible to all with no technical prerequisites, focusing on the most common threats. The ANSSI MOOC is the educational benchmark for those wishing to expand their knowledge.
The aim is not to turn your staff into experts: it's to create the reflex to check before acting. A team that knows how to recognise a suspicious email and isn't afraid to “disturb” by asking a question is your best early detection system.
O for Organisational: governance as an invisible foundation
Why management must be directly involved
All too often, cyber security is still perceived as a purely technical issue, delegated by default to the IT manager. This is a structural error. Security decisions affect the entire organisation: who accesses what data, how we react in the event of an incident, what budget we allocate to protection. These decisions are the responsibility of management, not the technician.
A manager who is not involved in his company's cybersecurity sends a clear signal to his teams: it is not a priority. And employees treat security in exactly the same way as management does - through behaviour, not words. If you're in the process of reviewing your overall IT organisation, our guide to changing IT service provider can help you ask the right questions.
The CISO: role, positioning and mistakes to avoid
For SMEs of a certain size, appointing a Chief Information Security Officer (CISO) is a crucial step. His or her role is to define the security policy, supervise its implementation and manage the response to incidents. One critical point is often overlooked: to be effective, the CISO must be genuinely independent of the IT department. A CISO who is also the technical manager of the infrastructure he or she is supposed to be assessing is in a permanent conflict of interest. A direct relationship with senior management is not a luxury: it is a prerequisite for effectiveness.
Business continuity planning: preparing to operate in downgraded mode
65 % of SMEs admit that they do not know how to react in the event of a cyber attack. This uncertainty, in the first few hours of an incident, is as costly as the attack itself: bad decisions, loss of evidence, chaotic communication with customers, paralysis of teams.
The Business Continuity Plan (BCP) answers a simple but vital question: if your servers are encrypted tomorrow morning at 8am, how can you continue to deliver to your customers? The BCP documents the procedures for operating in downgraded mode, identifies the critical functions to be maintained as a priority, and defines the decision-making and communication chains. This document must not remain in a drawer: it must be tested, updated and known by all those involved.
NIS2: what the directive actually requires of you
Complying with NIS2 is, in effect, applying good practice that protects your business regardless of any regulatory requirements. Companies that rely on on-premises and European cloud solutions often have a concrete advantage in meeting the data sovereignty requirements imposed by NIS2.
T for Technical: the essentials for 2026
Antivirus vs EDR: why the difference is critical
For an SME, switching from antivirus to EDR is not a technical luxury: it's the difference between detecting an intrusion before or after encryption.
Before deploying these tools, it is often a good idea to carry out a full audit of your IT infrastructure to identify the real vulnerabilities in your system. A technical and IT security audit, for example, can detect critical flaws in your servers, networks and configurations before an attacker can exploit them.
The immutable 3-2-1 rule: your only real insurance against ransomware
In the face of ransomware, backup is your last resort, provided it is unassailable. The 3-2-1 rule sets the minimum standard: 3 copies of your data, on 2 different media (cloud and physical infrastructure), including 1 off-site copy. In 2026, an absolute requirement was added to this rule: this off-site copy must be immutable, either physically disconnected or configured so that no process, including ransomware with administrator rights, can modify or delete it.
An untested backup is one whose true value you do not know. Test the full restore regularly: the day of an attack is not the right time to discover that your backup is corrupt or incomplete, or that the restore procedure takes 72 hours instead of 4.
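A restore test is only conclusive if you can prove that what came back is what was backed up. The following added example (not code from the original article or from Iterates) records a SHA-256 manifest of the source at backup time and compares a restored tree against it, reporting files that are missing, altered or unexpected. The directory contents and the simulated damage are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest

def verify_restore(source_manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(source_manifest) - set(restored))
    corrupt = sorted(p for p in source_manifest
                     if p in restored and restored[p] != source_manifest[p])
    extra = sorted(set(restored) - set(source_manifest))
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not (missing or corrupt)}

def demo():
    """Constructed scenario: back up, restore, then damage the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "invoices"))
        with open(os.path.join(src, "invoices", "2026-01.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed invoice")
        with open(os.path.join(src, "customers.csv"), "w") as f:
            f.write("id,name\n1,Alice\n")
        manifest = build_manifest(src)       # recorded when the backup is taken
        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)       # stands in for the restore job
        # Simulate a truncated file and a file that never came back.
        with open(os.path.join(restored, "customers.csv"), "w") as f:
            f.write("id,name\n")
        os.remove(os.path.join(restored, "invoices", "2026-01.pdf"))
        return verify_restore(manifest, restored)
```

Run the manifest step when the backup is made and store it alongside the immutable copy, so the comparison does not depend on the live system being intact.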

MFA and access management: the most cost-effective barrier
Theft of credentials is the number one vector of entry into corporate systems. A password, even a complex one, can be compromised by phishing, reuse on a hacked third-party service, or simple automated guessing. Multi-factor authentication (MFA) neutralises this risk: even with your credentials, an attacker cannot access your systems without the second factor.
In many companies today, this access is via cloud platforms, business applications or collaborative tools. That's why security must also apply to internal digital solutions. Companies that want to develop customised business software can rely on modern security standards built into the design from the outset.
The blind spot of remote monitoring and management (RMM) tools
One risk that is often overlooked by SMEs that use external IT service providers is the remote monitoring and management (RMM) tools used by these service providers to maintain your infrastructure. These tools are legitimate and necessary, and by definition they have administrator access to your entire IT estate. If they are poorly secured (shared access, missing MFA, weak passwords), they become the universal key to your system for an attacker, used with apparent legitimacy.
Ask your IT service provider about the security of its own access. A serious service provider should be able to demonstrate that its remote management tools are protected by MFA, that access is tracked and limited to what is strictly necessary, and that a regular review process is in place.
Iterates, your partner in building sustainable cyber security
At Iterates, we support Belgian and European SMEs in building a solid security posture using the HOT method, always starting from your operational reality, not from a catalogue of products for sale.
Our starting point is always a comprehensive security audit: identifying your real vulnerabilities in terms of the three dimensions - human, organisational and technical - prioritising the most impactful actions and building a progressive security plan in line with your budget and internal resources.
This is part of an overall approach to digital transformation, whether it involves securing your infrastructure, improving your business tools or developing new digital solutions. In particular, Iterates helps companies create customised web and mobile applications, designed for performance, scalability and security.
Act now, before the attacker does it for you
Cybersecurity is not a destination that can be reached once and for all: it is a permanent state of vigilance, structured and equipped. The HOT method does not promise invulnerability - no honest approach could. It offers something more valuable: a coherent defence, with no blind spots, that considerably raises the cost and complexity of a successful attack on your business.
The SMEs that resist cyber attacks are not those with the most expensive tools. They are the ones that have built up their defences systemically, trained their teams, documented their procedures, and tested their resilience before they need it. This preparation is your only real competitive advantage in a world where attack is a certainty.
Let's discuss your security posture with Iterates: free audit and personalised action plan based on the HOT method.