Despite limited resources and the absence of tailored frameworks, small and mid-sized enterprises are making cybersecurity a strategic priority. By focusing on key fundamentals—asset mapping, continuous staff training, clear governance, and reasoned resource allocation—these companies can build a pragmatic approach to IT security.

According to a global study by IDC, the main challenge small and medium-sized enterprises face in achieving their business goals is “implementing new technologies securely” (47% of respondents). This shows that while SMEs are investing in technology, they continue to view security as a top concern. Half of all SMEs even cite improving cybersecurity as one of their top technology investment priorities for 2025.

Moreover, 23% of companies employing between 500 and 999 people say that security and compliance are the areas least affected by budget cuts in 2025 (ranked first among 11 possible options), according to IDC’s “Future Enterprise Resiliency and Spending” survey. The rationale is clear: among organizations that have suffered a cyberattack, 62% report operational disruption lasting several days, sometimes up to a week.

Yet despite clear intentions and growing budgets, a large majority of SMEs admit they do not know where to start or how to structure an effective cybersecurity policy. The lack of a framework suited to their size, the shortage of qualified staff, and limited knowledge of best practices all slow down the implementation of truly operational systems. Without a coherent strategy, many companies struggle to translate intent into action, relying instead on ad hoc solutions or isolated software purchases with little overall consistency.

Managing cybersecurity through asset awareness

A pragmatic cybersecurity policy starts with a deep understanding of one’s digital environment. Many SMEs and mid-sized companies still underestimate the importance of mapping their assets. A complete inventory of servers, computers, software, connected devices, and network flows is a prerequisite for any coherent defensive strategy.

“The first step is to identify precisely what the company wants to protect. That means having a comprehensive overview of all machines connected to the network. The goal is to carry out a complete inventory of all digital assets—workstations, servers, IoT devices, or industrial systems. In reality, many small and mid-sized companies lack this visibility, either because of limited resources or because these assets have accumulated over time without proper governance,” explains Stéphane Brovadan, French-speaking Team Supervisor at Bitdefender.

This lack of visibility exposes SMEs and mid-sized firms to numerous unidentified vulnerabilities. Weak points may, for instance, arise from an accounting firm that remotely accesses part of the network, from ports opened for data exchanges and left exposed, or from connected devices that appear on no inventory. Assessing all internal and external points of contact is therefore an essential prerequisite for any serious protection strategy.
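The gap between what the company believes is on its network and what is actually there can be measured rather than guessed at. The script below is an added illustration, not code from the article or from Bitdefender: it parses the grepable output of a network scan (nmap’s -oG format, so real scan output can be dropped in) and reconciles it against a small asset inventory. Both the inventory and the scan output are constructed for the example; the IP addresses, asset names and approved ports are assumptions. It reports three things the text calls out as blind spots: hosts nobody listed, approved assets exposing services nobody approved, and inventoried assets that did not answer.

```python
"""Reconcile a network scan against the asset inventory (added example).

The inventory and scan output below are constructed for illustration.
Scan lines follow nmap's grepable (-oG) format so real output can replace them.
"""
import re
from dataclasses import dataclass, field

# Constructed inventory: what the company *thinks* is on the network.
# allowed_ports = TCP services the asset owner has approved for that machine.
INVENTORY = {
    "192.168.1.10": {"name": "srv-files", "owner": "IT", "allowed_ports": {445, 3389}},
    "192.168.1.20": {"name": "srv-erp", "owner": "Finance", "allowed_ports": {443}},
    "192.168.1.50": {"name": "printer-hall", "owner": "Office", "allowed_ports": {631, 9100}},
    "192.168.1.60": {"name": "badge-controller", "owner": "Facilities", "allowed_ports": {80}},
}

# Constructed nmap -oG output. 192.168.1.77 is not in the inventory, srv-erp exposes
# an FTP port nobody approved, and badge-controller did not answer the scan at all.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -oG - 192.168.1.0/24
Host: 192.168.1.10 (srv-files)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.1.20 (srv-erp)\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.50 (printer-hall)\tPorts: 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
Host: 192.168.1.77 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORTS_RE = re.compile(r"\tPorts:\s+([^\t]*)")


def parse_grepable(text):
    """Return {ip: set(open TCP ports)} from nmap -oG text.

    Hosts that appear only with a 'Status: Up' line end up with an empty set;
    comment lines (starting with '#') are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = hosts.setdefault(m.group(1), set())
        pm = PORTS_RE.search(line)
        if not pm:
            continue
        # Each entry is port/state/protocol/owner/service/rpc/version.
        for entry in pm.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
    return hosts


@dataclass
class Findings:
    unknown_hosts: dict = field(default_factory=dict)     # ip -> open ports, not inventoried
    unexpected_ports: dict = field(default_factory=dict)  # ip -> open ports not approved
    missing_hosts: list = field(default_factory=list)     # inventoried but not seen


def reconcile(inventory, scanned):
    """Compare the scan against the inventory and return what does not line up."""
    f = Findings()
    for ip, ports in scanned.items():
        asset = inventory.get(ip)
        if asset is None:
            f.unknown_hosts[ip] = sorted(ports)
            continue
        extra = ports - asset["allowed_ports"]
        if extra:
            f.unexpected_ports[ip] = sorted(extra)
    # A missing host may simply be powered off or dropping probes; it still
    # deserves a check, because a stale inventory entry is itself a blind spot.
    f.missing_hosts = sorted(ip for ip in inventory if ip not in scanned)
    return f


def report(inventory, findings):
    """Print the findings in a form a small IT team can act on."""
    for ip, ports in findings.unknown_hosts.items():
        print(f"UNKNOWN HOST   {ip}: open TCP {ports} - who owns this device?")
    for ip, ports in findings.unexpected_ports.items():
        name = inventory[ip]["name"]
        print(f"UNAPPROVED PORT {ip} ({name}): {ports} not in the approved list")
    for ip in findings.missing_hosts:
        name = inventory[ip]["name"]
        print(f"NOT SEEN       {ip} ({name}): verify it still exists and is maintained")


if __name__ == "__main__":
    report(INVENTORY, reconcile(INVENTORY, parse_grepable(SCAN_OUTPUT)))
```

Run against a real scan, the same three lists are the starting point for the inventory work the text describes: each unknown host gets an owner or gets disconnected, each unapproved port is either documented or closed, and each missing asset is either found or struck from the register.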

Building collective vigilance over time

Technology alone cannot guarantee effective cybersecurity. People, often viewed as the weakest link in corporate defenses, are in fact one of their most critical pillars. By raising awareness, training, and engaging employees, companies can anticipate many risks before they ever reach their systems. The goal is to foster a culture of collective vigilance, embedded in daily behavior and shared across the organization.

A study conducted by Clusif at the end of 2024 shows that although French employees are widely aware of cyber risks, they express a strong need for continuous education. Fifty-five percent say they have never received training on cybersecurity issues, while 67% believe such training would be useful. “Cybersecurity is not the responsibility of a single person—it’s everyone’s job. There are dozens, even hundreds of examples where breaches result from human error or lack of knowledge,” recalls Stéphane Brovadan.

This training effort must not be a one-off initiative but part of a long-term approach. An effective cybersecurity policy relies on constant updating. Threats evolve, attack methods change, and technical tools quickly become obsolete. In this context, training employees once and for all leaves them defenseless against future threats. Awareness activities should be regular, tailored to each role, and fully integrated into HR processes. Training modules and simulations—such as phishing tests or crisis exercises—should be renewed annually, and internal communication should consistently promote the right reflexes.

Shared responsibility, targeted investment

Once the asset mapping and training plan are in place, it becomes essential to clarify roles and responsibilities. In SMEs, resources may be limited, but that does not mean cybersecurity policies should remain unstructured. Defining who does what, appointing referents for key areas, and documenting procedures are all measures that prevent chaos when an attack occurs.

“Between general management, the IT or security manager—if one exists—and any external providers, roles must be clearly distributed. Each actor needs to know exactly the scope of their responsibilities. This covers solution selection and deployment, backups, and incident or crisis management,” says Stéphane Brovadan.

Budget allocation is another sensitive issue. For SMEs and mid-sized companies, resources are by nature constrained. Balancing human and technological investments depends on both the company’s risk level and its maturity. “Out of a total cybersecurity budget, at least 50% should go toward staff training. The rest should be dedicated to technological solutions, covering detection, prevention, and backup,” he advises.
