SME Cybersecurity in 2025: The Threats We Underestimate

43% of cyberattacks target SMEs. Yet most have no incident response plan and no security budget. Here are the real threats and what you can do right now.


According to Verizon's DBIR report, 43% of cyberattacks target small and medium businesses. Yet fewer than half have an incident response plan in place. The gap between threat level and preparedness is real — and expensive.

The Three Dominant Attack Vectors in 2025

1. Phishing and Social Engineering

Phishing accounts for 36% of all breaches (Verizon DBIR 2024). Attacks have evolved: fraudulent emails are now generated by LLMs — perfectly written, highly personalized. One in five employees still clicks on malicious links during simulations. The attack surface is human before it's technical.

2. Ransomware

Ransomware groups now deliberately target SMEs, precisely because their defenses are less mature. The average cost of a ransomware incident for a European SME exceeded €200,000 in 2024 (ENISA). This figure includes the ransom, system restoration, and business disruption — not reputational damage.

3. Supply Chain Compromise

You're not only exposed through your own systems. If your IT provider, hosting company, or management software is compromised, so are you. SolarWinds, 3CX, MOVEit — supply chain attacks have become the norm, not the exception.

What NIS2 Changes in Practice

The NIS2 directive, transposed into French law in late 2024, broadens the scope of covered entities. If you have more than 50 employees or exceed €10M in revenue in a sector considered "important" (manufacturing, transport, digital, healthcare), you're in scope.

Concrete obligations: documented risk management, incident response plan, mandatory notification to national authorities within 24 hours. Penalties: up to €10M or 2% of global revenue for essential entities.

Three Priority Measures, Without Unreasonable Budget

MFA on All Critical Access Points

Multi-factor authentication blocks 99.9% of credential stuffing attacks (Microsoft Security). This is the absolute first priority: email, VPN, cloud tools, admin access.

Network Segmentation

Isolating critical systems limits lateral movement during an attack. Ransomware that enters through a workstation shouldn't reach your backup server. Even basic network segmentation dramatically reduces the impact of a compromise.
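As an added illustration of the workstation-to-backup-server point above (this ruleset is not from the original article), here is an nftables policy for a Linux router sitting between three VLANs. The addresses, the backup server 10.30.0.10, and the agent port 10000 are constructed assumptions:

```nft
#!/usr/sbin/nft -f
# Added example, not the article's own configuration. Assumes a Linux router
# forwarding between workstations (10.10.0.0/24), business servers
# (10.20.0.0/24) and a backup segment (10.30.0.0/24). All values are constructed.
flush ruleset

table inet segmentation {
    set backup_servers {
        type ipv4_addr
        elements = { 10.30.0.10 }
    }

    chain forward {
        # Default: nothing crosses a segment boundary unless explicitly allowed
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already accepted
        ct state established,related accept
        ct state invalid drop

        # Workstations reach business servers on named services only
        ip saddr 10.10.0.0/24 ip daddr 10.20.0.0/24 tcp dport { 443, 445 } accept

        # Backups are pulled: only the backup server initiates, towards the
        # agent port (10000 is an assumed value). No segment may initiate towards it.
        ip saddr @backup_servers ip daddr { 10.10.0.0/24, 10.20.0.0/24 } tcp dport 10000 accept

        # Any other attempt to enter the backup segment is the lateral movement
        # the article describes: log it with a searchable prefix, count it, drop it
        ip daddr 10.30.0.0/24 log prefix "SEG-DENY-backup: " level warn counter drop

        # Everything else falls through to the drop policy; the counter makes
        # the overall deny rate visible to monitoring
        counter
    }
}
```

Load it with `nft -f` on the router and watch for the `SEG-DENY-backup:` prefix in the kernel log; a workstation appearing there is a signal worth investigating, not just a blocked packet.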

Incident Response Plan

Not a 200-page document. A one-page document: who calls whom, in what order, with what numbers. Who is responsible for what during a crisis. Where the backups are and how to restore them. Test it once a year — you'll be surprised by what you discover.

The Question Is Not "If" But "When"

Valtieri's teams assist organizations in assessing their security posture and implementing resilient architectures. If you'd like an initial assessment, contact us.
