There's one truth that many SME managers discover too late: it's not a question of if you'll be attacked, but when. Between 43% and 60% of cyber attacks directly target small and medium-sized businesses because they are perceived as easier, less protected gateways to critical data. According to the Belgian Cybersecurity Centre, the average cost of an incident is €1.2 million, and 80% of unprepared businesses go bankrupt within six months. This guide is not about abstract prevention. It's about what you actually do when it happens.
First pillar: immediate reflexes
When an anomaly occurs - encrypted files, unexplained slowdowns, suspicious network behaviour - every second counts. Most mistakes made in the first few minutes worsen the final outcome. Knowing the right reflexes before you need them is often the difference between a controlled incident and a disaster.
Isolate without switching off
The first action is to isolate infected systems: unplug Ethernet cables and turn off Wi-Fi. But don't switch off your machines. Random Access Memory (RAM) contains traces that are essential to forensic experts, and they disappear for good when the machine is powered off. Preserve the logs without manipulating the systems: this evidence is vital for filing a complaint and activating your cyber insurance.
Do not pay, verify identity
Faced with ransomware, paying never guarantees data recovery. It marks you as a target that pays and increases the risk of repeat attacks. In 2026, you should also be wary of audio deepfakes capable of imitating your manager's voice to obtain an urgent transfer. If you receive a call of this type, systematically confirm it using a second, usual channel. Urgency and authority are the two levers that attackers exploit first, and slowing down is often the best reflex. Our article on new cyber security threats details the attack vectors that will be most active in 2026.
Second pillar: crisis management
Once the first steps have been taken, crisis management enters the coordination phase. This is where most organisations find themselves at a loss, not because of a lack of technology, but because of a lack of documented procedures and clearly defined roles upstream.
The HOT method and legal obligations
A crisis unit must be activated immediately, focusing on three areas: the Human (internal communications), the Organisational (procedures, decision-making chain) and the Technical (tools, forensics). If one of these pillars is missing, the response collapses. Filing a complaint is an essential legal act for the investigation and insurance. Notification to the CNIL is mandatory within 72 hours in the event of a personal data breach, in accordance with the French Data Protection Act and the GDPR. If your SME has more than 50 employees or a balance sheet of more than €10 million, NIS2 can also apply, with personal liability for directors in the event of documented negligence.
Equipping yourself with more than just traditional anti-virus software
A traditional antivirus in 2026 only detects known threats. It is blind to fileless attacks, lateral movement and hijacked legitimate tools. EDR (Endpoint Detection & Response) analyses behaviour continuously and can detect an intrusion long before data is encrypted. Complement this arsenal with a password management solution and multi-factor authentication: these two measures alone will block the majority of unauthorised access.
Third pillar: secure reconstruction
Restarting after a cyber attack is not just a technical reboot. It's a secure process that requires method and patience. Moving too quickly means running the risk of reintroducing the threat into a system that you think has been cleaned up.

BCP and DRP: two complementary plans
The Business Continuity Plan (BCP) allows you to operate in degraded mode while systems are compromised: plan a return to paper for your critical processes. The Disaster Recovery Plan (DRP) is the technical restoration of your systems. These two plans must exist on paper, stored offline. If your screens are black, they must remain legible.
The 3-2-1 rule: your only real guarantee
The DRP is based on the 3-2-1 rule: three copies of your data, on two different media, one of which is disconnected from the network or immutable. The latter is the critical point - a permanently connected backup will be encrypted at the same time as your production data. The offline copy is your only guarantee of never having to pay. To structure this architecture on a sovereign infrastructure, our analyses of on-premise and European cloud solutions offer some concrete ideas.
Towards cyber-resilience: three commandments
Cyber resilience is not a destination. It's a muscle that has to be worked continuously. The companies that survive attacks are not those that have the most expensive tools; they are those that have tested their procedures before needing them.
Testing, training and documentation
Three imperatives sum up this philosophy. Test the restoration and not just the backup - a backup that has never been tested is an illusion of security. Train to make people the strongest link: awareness-raising programmes enable your employees to detect and respond to threats such as phishing and deepfakes before the fatal click. Document and store offline: your BCP and DRP must remain accessible even if your entire infrastructure is compromised.
Official resources exist to support you: Cybermalveillance.gouv.fr with its SensCyber programme and the “Mon ExpertCyber” label, ANSSI with its Guide to IT hygiene, and Safeonweb.be to test your teams' reflexes. To understand how technological sovereignty fits in with resilience, our analyses of dependence on the US cloud and of European ERPs taking on the American giants are a useful addition to this discussion.
Turn crisis into strategic advantage with Iterates
The difference between an SME that suffers a cyber attack and one that manages to bounce back is rarely based on technology alone, but on the level of preparation and quality of support. That's where Iterates comes in, helping businesses to build up genuine cyber resilience. In practical terms, Iterates helps you to put in place crisis management plans that can actually be activated, deploy advanced detection solutions, formalise clear procedures for your teams and comply with regulatory requirements such as the GDPR or NIS2. The aim is not simply to limit the risks, but to transform your information system into a strategic asset capable of absorbing a shock and getting back up and running quickly. An attack is not an abstract eventuality; it's a likely scenario that requires a prepared response.


