{"id":1005464,"date":"2026-04-17T18:09:42","date_gmt":"2026-04-17T16:09:42","guid":{"rendered":"https:\/\/www.iterates.be\/?p=1005464"},"modified":"2026-04-04T19:20:23","modified_gmt":"2026-04-04T17:20:23","slug":"smes-targets-of-cyber-attacks-how-to-reverse-the-trend","status":"publish","type":"post","link":"https:\/\/www.iterates.be\/en\/smes-targets-of-cyber-attacks-how-to-reverse-the-trend\/","title":{"rendered":"SMEs: targets of cyber attacks, how to reverse the trend"},"content":{"rendered":"<div class=\"vgblk-rw-wrapper limit-wrapper\">\n<p>In many management committees, one conviction persists: we are too small to be of interest to hackers. This certainty is reassuring. It is also false and dangerous. In 2026, SMEs account for 60 % of cyberattack targets. Not despite their size, but because of it. It's precisely because you think you're being ignored that you're vulnerable.<\/p>\n\n\n\n<p><strong>The myth of the small fish: size is no longer a shield<\/strong><\/p>\n\n\n\n<p>For a long time, the logic seemed to hold: hackers went after big companies because that's where the money was. Those days are gone, and the figures confirm it unambiguously.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A target that has become a priority<\/strong><\/h3>\n\n\n\n<p>Today, 43 % of cyber attacks specifically target small organisations. This shift can be explained by a well-honed strategy: the <strong>supply chain attack<\/strong>. The hacker no longer attacks the big company head-on - he infiltrates the system of a less protected partner and bounces off to the network of a more strategic customer. Your SME becomes the weak link in a chain over which it has no control.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A cost that goes well beyond the technical bill<\/strong><\/h3>\n\n\n\n<p>The financial impact of a cyber attack on an SME is rarely properly assessed in advance. 
The direct cost of technical remediation is estimated at an average of \u20ac25,600. But the overall economic impact - stoppage of production, loss of customers, damage to reputation - can reach \u20ac1.2 million. And according to CESIN and Hiscox, 80 % of young companies that are attacked go bankrupt within six months of the incident. Cybersecurity is no longer an IT cost. It is a prerequisite for operational survival. Tomorrow, your cyber score will influence your valuation in the same way as your EBITDA.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2026: the year in which traditional antivirus software became obsolete<\/strong><\/h2>\n\n\n\n<p>Many managers think they are protected because they have antivirus software. This is understandable, and was true ten years ago. It is no longer true. Today's threats have evolved far beyond what traditional tools are capable of detecting.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attacks designed to fly under the radar<\/strong><\/h3>\n\n\n\n<p>Traditional antivirus software works by recognising signatures of known threats. It is blind to <strong>fileless attacks<\/strong>, which reside in RAM without leaving a trace on the disk. It does not see <strong>lateral movement<\/strong> - the discreet progress of an attacker inside the network after the initial intrusion. It does not detect the hijacking of legitimate remote management tools, used to fly under the radar. And it is powerless against <strong>EDR killers<\/strong>: code specifically designed to neutralise protection solutions before launching the final attack.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>EDR: detection rather than prevention<\/strong><\/h3>\n\n\n\n<p><strong>EDR (Endpoint Detection &amp; Response)<\/strong> is based on a different philosophy. Where antivirus seeks to prevent entry, EDR assumes that intrusion is possible - and focuses on detecting it early. 
By analysing behaviour on an ongoing basis, it can identify reconnaissance phases and privilege escalation well before data is actually encrypted. It's the difference between a lock on the door and a surveillance camera inside. To find out more about the threats emerging in 2026, our article on <a href=\"https:\/\/www.iterates.be\/en\/new-cybersecurity-threats\/\">new cyber security threats<\/a> provides a comprehensive overview of current attack vectors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>People: the weakest link or the first firewall<\/strong><\/h2>\n\n\n\n<p>The most sophisticated technology is not enough if it is circumvented by humans. And in 2026, attackers have never been so adept at exploiting our cognitive biases. This is where the most difficult threat to neutralise lies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Social engineering boosted by AI<\/strong><\/h3>\n\n\n\n<p><strong>Social engineering<\/strong> reaches new heights of realism in 2026 thanks to generative AI and audio deepfakes. The CEO fraud scenario - an employee receives a call in which the voice, perfectly imitated, is that of his manager demanding an urgent transfer - is no longer a hypothesis. It's a documented modus operandi that's on the rise. Attackers exploit two particularly effective cognitive biases: urgency and fear, which paralyse critical thinking, and authority, which bypasses control procedures.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>From awareness-raising to a culture of vigilance<\/strong><\/h3>\n\n\n\n<p>Faced with this reality, awareness-raising can no longer be reduced to a list of prohibitions posted in the kitchen. It must become a corporate culture. The aim is to turn every employee into a vigilant sensor, capable of identifying anomalies before they become incidents. 
Platforms such as Pix or SensCyber help to structure this learning process in a progressive and engaging way.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The 3-2-1 strategy: your only real life insurance policy<\/strong><\/h2>\n\n\n\n<p>Faced with <strong>ransomware<\/strong>, if you don't want to pay the ransom, there's only one thing you can do: have a backup that the attacker hasn't been able to encrypt. It's simple in theory. It is poorly applied in the vast majority of SMEs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1000\" height=\"667\" src=\"https:\/\/www.iterates.be\/wp-content\/uploads\/2026\/04\/88767.jpg\" alt=\"\" class=\"wp-image-1005470\" srcset=\"https:\/\/www.iterates.be\/wp-content\/uploads\/2026\/04\/88767.jpg 1000w, https:\/\/www.iterates.be\/wp-content\/uploads\/2026\/04\/88767-300x200.jpg 300w, https:\/\/www.iterates.be\/wp-content\/uploads\/2026\/04\/88767-768x512.jpg 768w, https:\/\/www.iterates.be\/wp-content\/uploads\/2026\/04\/88767-18x12.jpg 18w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption class=\"wp-element-caption\">Data backup<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Why synchronised cloud backup is not enough<\/strong><\/h3>\n\n\n\n<p>A common misconception is that a synchronised cloud backup is sufficient protection. If your backup is permanently connected to your network, the ransomware will encrypt it at the same time as the rest of your data. You'll end up with three unusable copies instead of one.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The 3-2-1 rule applied correctly<\/strong><\/h3>\n\n\n\n<p>The <strong>3-2-1<\/strong> strategy responds to this problem in a structured way: three copies of your data, on two different media, including an offline or immutable copy. This last point is the most critical. 
A backup that is physically disconnected from the network - or protected by an immutability technology that makes the data impossible to modify or erase - is your only real guarantee of being able to restore your system without ever giving in to blackmail. The <a href=\"https:\/\/www.iterates.be\/en\/on-premise-and-european-cloud-solutions-for-your-technological-independence\/\">on-premise and European cloud solutions<\/a> that we have detailed elsewhere can form a solid basis for structuring this sovereign backup architecture.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>NIS2 and regulatory pressure: the domino effect<\/strong><\/h2>\n\n\n\n<p>European regulations enter the equation with the <strong>NIS2<\/strong> Directive. Its impact extends far beyond the companies directly concerned by the legal thresholds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A passport to market access<\/strong><\/h3>\n\n\n\n<p>The official thresholds - more than 50 employees or \u20ac10 million balance sheet - may seem far removed from many SMEs. But the reality of the market is different. Large companies subject to NIS2 now have an obligation to secure their entire supply chain. In practical terms, your customers will be asking you for proof of cyber maturity. If you can't provide it, you risk being excluded from tenders. NIS2 compliance is thus becoming a passport to market access, well before being a regulatory constraint. To understand how technological dependence exacerbates these risks on a European scale, our article on <a href=\"https:\/\/www.iterates.be\/en\/dependence-on-the-american-cloud-264-billion-euros-a-year-for-europe\/\">dependence on the US cloud<\/a> provides a useful strategic perspective.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Towards proactive cyber-resilience<\/strong><\/h2>\n\n\n\n<p><strong>Cyber resilience<\/strong> is not built by installing yet another tool. 
It is based on three complementary pillars that must hold together - which the HOT method sums up well: Human, Organisational, Technical.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A three-legged stool<\/strong><\/h3>\n\n\n\n<p>The human side is vigilance and ongoing training for your teams. The organisational side is clear procedures, access controls with <strong>multi-factor authentication<\/strong> and a crisis management plan tested before it's needed. The technical side is EDR, the 3-2-1 backup strategy and systematic security updates. If one of these legs is missing, the stool collapses. Resilience is not the absence of attacks, it's your ability to absorb the shock without disrupting the continuity of your service.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The question to ask yourself now<\/strong><\/h3>\n\n\n\n<p>Could your company survive for 24 hours if, tomorrow morning, your entire information system remained inaccessible? If you don't have an immediate, documented answer to this question, you've found your priority. To assess the state of digital maturity of your organisation in the broadest sense, our article on <a href=\"https:\/\/www.iterates.be\/en\/web-and-mobile-development-trends\/\">web and mobile development trends<\/a> offers a complementary framework for thinking about the technical foundations of a resilient business.<\/p>\n\n\n\n<p><\/p>\n<\/div><!-- .vgblk-rw-wrapper -->","protected":false},"excerpt":{"rendered":"<p>In many management committees, one conviction persists: we are too small to be of interest to hackers. This certainty is reassuring. It is also false and dangerous. In 2026, SMEs account for 60 % of cyberattack targets. Not despite their size, but because of it. 
It is precisely because you believe yourself&#8230;<\/p>","protected":false},"author":1,"featured_media":1005469,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1226],"tags":[],"class_list":["post-1005464","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tendances"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/posts\/1005464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/comments?post=1005464"}],"version-history":[{"count":1,"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/posts\/1005464\/revisions"}],"predecessor-version":[{"id":1005549,"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/posts\/1005464\/revisions\/1005549"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/media\/1005469"}],"wp:attachment":[{"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/media?parent=1005464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/categories?post=1005464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.iterates.be\/en\/wp-json\/wp\/v2\/tags?post=1005464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}