Improving cybersecurity in a fast-changing digital world. (SME Cybersecurity Brochure)
Foreword.
Two-thirds of European jobs are in small or medium sized businesses and organisations (SMEs). European SMEs are under immense pressure to be globally competitive, serve their customers, win new business and improve their efficiency. They are increasingly turning to algorithms, smart devices, artificial intelligence, industrial robots, and drones to augment traditional IT.
Unfortunately, this opens up yet new potential vulnerabilities and risks for SMEs too. At Global Digital Foundation we recognise these risks but are firm believers that with a combination of good tech policy and diligent tech leaders and users, the societal and economic rewards easily outweigh the risks.
But diligent leaders and managers of SMEs need to know where to turn for good advice and reliable information they can trust. This second edition of the SME Cybersecurity Guide is just such a place. It’s comprehensive and up-to-date and at the same time usable and accessible. It should be in every SME leader’s reading list.
John Higgins CBE, Chair, Global Digital Foundation, www.globaldigitalfoundation.org
Table of contents
Foreword & table of contents, p. 02-03
Purpose of this guide, p. 04-05
Different cybersecurity attacks, p. 06-18
Cybersecurity challenges: new technologies, p. 19-23
EU compliance and regulatory obligations for SMEs, p. 24-33
Cybersecurity awareness and training, p. 33-43
Useful cybersecurity resources / information for SMEs in Europe, p. 44-45
PURPOSE OF THIS GUIDE
The primary purpose of this guide is to give SMEs practical advice on measures they can take to improve their cybersecurity. According to the World Economic Forum (WEF) Global Cybersecurity Outlook 2025, 35% of SMEs believe that their cybersecurity is inadequate. Enhancing cybersecurity for SMEs is not just a protective measure; it is a necessary requirement, because cybersecurity breaches can result in financial loss, operational disruption and damage to customer trust. SMEs represent more than 99% of all firms within the European Union, employing 100 million people.
• It explains to SMEs how the landscape for cybersecurity attacks is changing, including through the use of AI and the cloud.
• It provides the latest updates and suggestions on how SMEs can recognise and mitigate different cybersecurity attacks such as phishing, malware, ransomware, vishing, smishing, web-based attacks, business email compromise, DDoS and web application attacks.
• A chapter covers how SMEs can improve the cybersecurity skills of employees, both to raise awareness of possible cyberattacks and to mitigate them.
• It sets out current compliance and regulatory obligations for SMEs under EU laws such as NIS2, the Cyber Resilience Act (CRA) and EU data protection rules.
• It lists publicly available and helpful information for SMEs from national cybersecurity organisations in EU member states and from international bodies based in Europe on how to reduce cybersecurity risk.
WHY IS IT IMPORTANT THAT SMEs ACHIEVE HIGHER LEVELS OF CYBERSECURITY?
Changing nature of technology and cyberattacks.
According to the ENISA Threat Landscape Report 2024:
Threat actors are targeting the cloud by using trusted sites and legitimate services to avoid detection.
DDoS (Distributed Denial-of-Service) attacks, in which legitimate users are denied access to services, and ransomware were the highest ranked forms of cyberattack.
Malware-as-a-service (MaaS) is a rapidly evolving threat.
More supply chain compromises through social engineering are emerging. Social engineering is an attempt to trick victims into making mistakes by wrongly opening malware infected files or by clicking on malicious links.
Compromising open-source software within supply chains is a growing concern.
There has been a sharp increase in business email compromise attacks.
DIFFERENT CYBERSECURITY ATTACKS
What should SMEs do to reduce the risk of a cybersecurity attack?
The most common types of attacks on SMEs include malware, phishing, web-based attacks, ransomware and distributed denial of service (DDoS).
• Antivirus installation and maintenance is an essential step in protecting the operating systems and applications of SMEs from a wide range of threats.
Secure data backup management
• Back up the essential data for business activities in at least 2 locations outside the corporate network.
Strict access control: secure password management
• Poor and weak password practices pose a real risk to cybersecurity.
• Use a strong, unique password with at least 12 characters containing letters, numbers and symbols. It is strongly recommended to use a password manager in order to generate, manage and store passwords in an encrypted form.
• Apply/activate multi-factor authentication (MFA) for the most important applications and systems that SMEs use. MFA acts as a further layer of security protection for SMEs.
Managing vulnerabilities
• According to the Verizon 2024 Data Breach Investigations Report, the exploitation of vulnerabilities as an initial point of entry accounts for 14% of all breaches. There is an increased frequency of attacks that target vulnerabilities on unpatched systems and devices.
• It is incumbent on SMEs to ensure that vulnerabilities within their products are identified and addressed. Security patches, updates and other mitigating measures for the products/services that they use (as flagged by suppliers or by national authorities) must be applied in a timely manner.
• Use full disk encryption so as to ensure that if a hard disk is lost or stolen, that the data remains safe. Encryption keys should be securely protected. Physical access to devices must be restricted and authenticated as well.
Firewall installation and maintenance
• Install a firewall in order to improve security by isolating trusted networks from untrusted networks. Apply security patches to the firewall as they are made available from suppliers. Use a whitelisting approach (default deny) to only allow for the specific traffic that is required by the services used by the business. Update the firewall software regularly, and wherever possible automate the process.
Wireless / Wi-Fi Protected Access (WPA)
• Use WPA3 wherever possible, with a strong, unique Wi-Fi network password of at least 20 characters containing letters, numbers and special characters.
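As an added illustration of the two password rules in this guide (12 or more characters with letters, numbers and symbols for accounts; 20 or more for the Wi-Fi passphrase), the following Python script is example code written for this page, not from the guide or any vendor. It checks a candidate password against a policy and generates compliant passwords with the operating system's random source; the policy objects and the sample passwords are constructed for the example.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

SYMBOLS = string.punctuation


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum requirements for a password (a constructed encoding of the guide's advice)."""
    name: str
    min_length: int
    require_letters: bool = True
    require_digits: bool = True
    require_symbols: bool = True


# The guide's two rules: 12+ characters for accounts, 20+ for the Wi-Fi passphrase.
ACCOUNT_POLICY = PasswordPolicy("account", min_length=12)
WIFI_POLICY = PasswordPolicy("wifi", min_length=20)


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the requirements the password fails; an empty list means it satisfies the policy."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_letters and not any(c.isalpha() for c in password):
        failures.append("no letters")
    if policy.require_digits and not any(c.isdigit() for c in password):
        failures.append("no digits")
    if policy.require_symbols and not any(c in SYMBOLS for c in password):
        failures.append("no symbols")
    return failures


def generate_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a random password that satisfies the policy, using the OS CSPRNG via `secrets`."""
    length = policy.min_length if length is None else length
    if length < policy.min_length:
        raise ValueError(f"length {length} is below the policy minimum of {policy.min_length}")
    classes = []
    if policy.require_letters:
        classes.append(string.ascii_letters)
    if policy.require_digits:
        classes.append(string.digits)
    if policy.require_symbols:
        classes.append(SYMBOLS)
    alphabet = "".join(classes)
    # Take one character from every required class so the result cannot fail the class checks,
    # fill the remainder from the whole alphabet, then shuffle so the guaranteed characters
    # do not always sit at the front.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample passwords: the first is short and has no symbol, the second passes.
    for candidate in ("Summer2024", "Tr0ub4dor&3-horse"):
        print(candidate, check_password(candidate, ACCOUNT_POLICY) or "ok")
    print("generated Wi-Fi passphrase:", generate_password(WIFI_POLICY))
```

A password manager does the generation step for you in practice; the point of the script is that a checker should report every unmet requirement, not just the first, and that a generator must be built so it cannot produce a password that its own checker rejects.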
Virtual Private Network (VPN) from outside a corporate network
• A VPN can provide secure remote access for employees to a network and applications.
Maintain an Incident and Disaster Recovery Plan
• Define, document and maintain an incident and disaster recovery plan to respond to security breaches so that SMEs are able to regain control over their business operations and data.
What is a DDoS (Distributed denial-of-service) attack?
A DDoS is an attack whereby a server, an application or a network resource is made unavailable to users and this blocks the availability of services temporarily or indefinitely. Servers are overloaded with internet traffic from thousands or even millions of false requests from compromised internet connected devices. This overwhelms the operations of a server or a network that results in making online services unavailable for legitimate users.
The bottom line is that cybersecurity solutions are required so as to guarantee the continued availability of online services. A company needs to implement technical solutions to mitigate against a DDoS attack so as to ensure that they have the capability to effectively handle a DDoS attack were it to happen.
What should SMEs do to mitigate against DDoS attacks?
• Different filtering solutions and web application firewalls (WAF) can deny illegitimate and malicious requests being made to a server.
• Mitigate against DDoS attacks by limiting the amount of traffic that can reach a server.
• Block communication to and from outdated protocols and applications.
• Encrypt sensitive information.
• Make sure that the company Wi-Fi network is hidden and is protected by using strong passwords and encryption.
• Specialised service providers offer solutions to improve the cybersecurity of a company against DDoS attacks that include the identification of DDoS bots that can overload network capacity.
• Always update IoT devices with security patches as they are made available by suppliers. DDoS attacks against IoT devices are on the increase.
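The advice above to limit the amount of traffic that can reach a server is usually implemented as a per-client token bucket. The following Python script is an added example written for this page (not from the guide or any product): it replays a constructed access log in which one client floods a login page while another browses normally, and counts what the limiter lets through. The IP addresses come from the RFC 5737 documentation ranges, and the rate and burst values are assumptions chosen for the demonstration.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable


class TokenBucketLimiter:
    """Per-client token bucket. A client may burst up to `capacity` requests and then sustain
    `rate` requests per second; a request that finds an empty bucket is rejected."""

    def __init__(self, rate: float, capacity: int, clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self._tokens: Dict[str, float] = defaultdict(lambda: float(capacity))
        self._last_seen: Dict[str, float] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        elapsed = now - self._last_seen.get(client, now)  # 0 the first time a client is seen
        # Refill in proportion to elapsed time, never beyond the bucket capacity.
        self._tokens[client] = min(self.capacity, self._tokens[client] + elapsed * self.rate)
        self._last_seen[client] = now
        if self._tokens[client] >= 1.0:
            self._tokens[client] -= 1.0
            return True
        return False


class ReplayClock:
    """Clock driven by log timestamps, so the replay is deterministic and runs offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


# Constructed access log, 'timestamp client path': one client sends 50 requests in half a
# second, the other sends 5 requests a second apart. Addresses are RFC 5737 documentation IPs.
SAMPLE_LOG = [f"{i * 0.01:.2f} 203.0.113.7 /login" for i in range(50)] + \
             [f"{t:.2f} 198.51.100.5 /catalogue" for t in range(5)]


def replay(log_lines: Iterable[str], rate: float = 3.0, capacity: int = 10) -> Dict[str, Dict[str, int]]:
    """Replay log lines through a limiter and return per-client allowed/rejected counts."""
    clock = ReplayClock()
    limiter = TokenBucketLimiter(rate, capacity, clock)
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    parsed = sorted((line.split() for line in log_lines), key=lambda f: float(f[0]))
    for ts, client, _path in parsed:
        clock.now = float(ts)
        counts[client]["allowed" if limiter.allow(client) else "rejected"] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, c in replay(SAMPLE_LOG).items():
        print(f"{client}: {c['allowed']} allowed, {c['rejected']} rejected")
```

With a burst of 10 and a sustained rate of 3 requests per second, the flooding client gets 11 of its 50 requests through and the normal client all 5 of its requests. The same bucket logic sits behind the rate-limiting features of reverse proxies and web application firewalls; the parameters an SME should set depend on what its real users actually do, which is why the replay over a log is a useful way to tune them before enforcing.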
How can SMEs recognise phishing attacks?
• A phishing attack is a type of social engineering attack that is targeted at people rather than at system vulnerabilities. They are, in essence, analogous to traditional types of fraud. Usually, phishing is not a complex technical attack. It just requires a convincing reason such as a fraud scenario to make the user click on a malicious link or URL, open a malicious file or provide confidential information.
• Recognising common types of fraud scenarios can prevent SMEs from falling victim to many phishing attacks. Understanding the different types of phishing attacks will help managers and employees in SMEs to develop an instinct to check email and other messages carefully before they click on links or open attachments.
What should SMEs do in the case of a phishing attack?
Phishing attacks are a reality for SMEs and unfortunately, they are very common. If you are the recipient of a phishing attack, the following actions should be considered:
• Never click on a link or open a file in the case of a suspected phishing attack.
• Delete the message.
• Inform the company IT department and change passwords and pins for key email, bank, cloud services and related accounts.
• If the phishing attack is successful, systems and data may be compromised and become inaccessible. In that case, a company could receive a ransomware message. There are useful resources containing advice as to how to engage in the case of a ransomware incident via Europol and with national CSIRTs (Computer Security Incident Response Teams). See the final pages of this guide for relevant web links.
Questions that people working in SMEs should ask themselves so as to prevent a phishing attack:
Is the message solicited or expected? If not, all the questions below should be answered to help identify a phishing attempt.
Is the sender legitimate? i.e. using the correct corporate email, profile or phone number? If not, this could be a phishing attempt.
Is there a sense of urgency in the message, a scary consequence or a great reward? If yes, this could be a phishing attempt.
Is the request claiming to come from a bank, postal services, tax administration, or from a law enforcement agency? If yes, this could be a phishing attempt. These types of organisations typically use secure communication channels (e.g. apps) and will never ask for passwords or other sensitive information. If in doubt, go directly to the ‘sender’ app/web page and log in to check if any messages appear or call their official contact number directly.
Is the message appearing odd, with typographical errors or is very generic? Then this could be a phishing attempt.
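As an added illustration of the checklist above (not part of the original guide), the following Python script encodes the five questions as a scoring heuristic and runs it over constructed sample messages. The organisation directory, the domain names, the keyword lists and the point values are assumptions made for the example; the output is a triage aid that tells an employee which question a message fails, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed directory: organisations the SME deals with and the domains they genuinely send from.
KNOWN_SENDER_DOMAINS: Dict[str, set] = {
    "Example Bank": {"examplebank.example"},
    "National Tax Office": {"tax.gov.example"},
}
# Bodies the guide singles out: they use secure channels and never ask for passwords by email.
HIGH_VALUE_IMPERSONATIONS = {"Example Bank", "National Tax Office", "Postal Service", "Police"}

URGENCY_PATTERNS = [r"\burgent\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b",
                    r"\bsuspended\b", r"\bfinal (?:notice|warning)\b", r"\byou have won\b", r"\bprize\b"]
SENSITIVE_REQUEST_PATTERNS = [r"\bpassword\b", r"\bpin\b", r"\bverification code\b",
                              r"\baccount (?:number|details)\b", r"\bcard number\b"]
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")


@dataclass
class Message:
    claimed_org: str   # who the message says it is from
    sender: str        # the actual From address
    subject: str
    body: str
    expected: bool     # did the recipient solicit or expect this message?


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> Verdict:
    """Score a message against the guide's five questions; higher means more likely phishing."""
    v = Verdict()
    if msg.expected:
        return v  # question 1: solicited messages are not scored further
    v.add(1, "unsolicited message")
    text = f"{msg.subject}\n{msg.body}".lower()
    known = KNOWN_SENDER_DOMAINS.get(msg.claimed_org)
    if known is None:  # question 2 cannot be answered from the directory
        v.reasons.append("claimed organisation not in directory; verify via its official contact")
    elif sender_domain(msg.sender) not in known:
        v.add(2, f"sender domain {sender_domain(msg.sender)} does not match {msg.claimed_org}")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):  # question 3
        v.add(1, "urgency, threat or reward language")
    if msg.claimed_org in HIGH_VALUE_IMPERSONATIONS and \
            any(re.search(p, text) for p in SENSITIVE_REQUEST_PATTERNS):  # question 4
        v.add(2, f"{msg.claimed_org} would not request sensitive data this way")
    if msg.body.lower().lstrip().startswith(GENERIC_GREETINGS):  # question 5
        v.add(1, "generic greeting")
    return v


# Constructed sample messages for the demonstration.
SAMPLES = {
    "phish": Message("Example Bank", "alerts@examplebank-secure.example", "Urgent: account suspended",
                     "Dear customer, your account has been suspended. Confirm your password within 24 hours.",
                     False),
    "statement": Message("Example Bank", "statements@examplebank.example", "Your March statement is available",
                         "Hello Ms Murphy, your statement is ready in the app.", False),
    "expected_invoice": Message("Example Bank", "invoices@examplebank.example", "Invoice 1042 as discussed",
                                "Hello Ms Murphy, attached is the invoice you requested by phone today.", True),
}


def triage_all() -> Dict[str, int]:
    return {name: triage(m).score for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, m in SAMPLES.items():
        v = triage(m)
        print(f"{name}: score {v.score}; " + "; ".join(v.reasons))
```

The reasons list matters more than the number: an employee who sees "sender domain examplebank-secure.example does not match Example Bank" knows exactly which check to repeat by hand, which is the instinct the guide is trying to build. Typographical errors, the other half of the last question, are deliberately left to the reader, since a spell-check heuristic produces too many false alarms on ordinary business mail.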
What can SMEs do in the case of a business email compromise attack?
A business email compromise (BEC) is a sophisticated form of phishing that targets specific individuals in an organisation, such as executives or finance personnel, by impersonating trusted contacts. In this form of attack, a criminal attempts to trick a senior executive or a member of the finance department to transfer money, or disclose sensitive data.
The target is usually a specific individual, most notably those working in the finance section of a company. Lawyer impersonation, false invoice requests and imitated emails that are purportedly sent from the CEO or from another senior executive of a company to an employee requesting some action like a funds transfer or to change bank account details of a supplier are examples of business email compromises.
• SMEs should train employees, particularly in the finance department, about the growing threat posed by business email compromise attacks.
• Senior executives who have access to valuable assets or to bank accounts, should review their privacy settings on their social media accounts as a digital footprint can give away information that can enable a BEC attack or make malicious correspondence appear more legitimate.
• Create an environment whereby employees will report possible BEC attacks to management.
• Be really careful when one receives an email from an organisation requesting financial payments that an SME does not traditionally deal with in the normal course of business. Further checks need to be carried out to prove the legitimate nature of such an invoicing company.
• Stringent operational internal procedures are required for any requests to change methods of payment.
How should an SME handle a smishing attack?
Smishing is a scam whereby fraudsters use a mobile phone text message to trick the recipient into opening a malicious attachment or link. It is comparable to phishing but is executed via the use of mobile phone text messages (SMS). For example, the malicious message can supposedly emanate from a reputable and trusted body such as from a mobile phone service provider.
• Employees need to be trained so as to be wary and suspicious of unexpected text messages that purportedly come from a reputable body such as a bank or a government department asking for urgent action that involves the transmitting of personal information such as passwords, pin numbers or bank account details.
• Do not respond to text messages that request that a particular phone number be called or that a specific website is visited to resolve an issue.
• Verification of the sender of the message is required to validate the authenticity of the request in question.
• Report the suspected attack to the IT department.
How can an SME identify and deal with a vishing attack?
The term Vishing is short for ‘Voice Phishing’. It involves an attacker that is attempting to defraud people over the phone by enticing them to reveal sensitive information. This can be carried out via a direct phone call or by a pre-recorded message. Invariably, the attacker is maliciously seeking the data of the victim for financial gain. The attacker will pretend to be a person in authority representing a trusted body such as a government tax department, the police or a bank.
• Never respond to a pre-recorded message on your phone that seeks sensitive data or the transfer of money.
• Don’t press any buttons or speak any responses to any automated phone messages.
• Be suspicious when there is a real sense of urgency in the request, such as when you are asked to send information within just a few hours. This is a method used to pressure prospective victims into acting quickly and could result in serious negative financial consequences.
• Check and verify phone numbers as attackers regularly pose as representing a trusted organisation such as a bank or a government department.
• Never give out multi-factor authentication (MFA) codes, passwords, login details or similar sensitive data over the phone.
• Report suspected vishing attacks to the IT department in your company.
What can SMEs do to stop malware being inserted into their systems?
Malware is a type of software that is designed to cause disruption to a computer, server or to a computer network. Malware is a real and common threat to SMEs as it can compromise all activities of the IT infrastructure of an SME resulting in operational, reputational and financial loss. Malware cybersecurity attacks also target weaknesses in the supply chain of an organisation, such as a software supplier.
The typical objectives of an attacker using such malicious code include the following:
• Encryption, theft and/or modification of sensitive information such as passwords. Malware is regularly used to launch ransomware attacks.
• Monitoring data flows to steal sensitive data such as Intellectual Property or passwords.
• Taking control of a device so as to use that device as a foothold to launch further attacks against an organisation.
Key measures for SMEs to protect themselves against malware:
• Install and maintain specialised anti-malware software. Such software can be installed on mobile devices, operating systems and in networks. The software scans incoming data for malware and blocks or quarantines suspicious or proven malicious code. There are many different malware solutions available in the marketplace, including solutions for end user devices and equipment, servers and the network.
• Users/Employees should remain alert and refrain from clicking on suspicious links in emails or opening suspicious email attachments. Clicking on such links can result in the downloading of malicious software.
• Data should be backed up as per the advice provided above.
• Always install security patches and updates where they are made available by a supplier.
What is ransomware?
Ransomware is a type of malware that prevents access to the data on a device, usually by encrypting the data with a key known only to the attacker. A ransom is then demanded in exchange for the decryption of the files. A ransomware attack can have devastating consequences for SMEs in terms of financial loss, reputational damage and business operations.
What can companies do to mitigate against ransomware attacks?
Back-up data: Data must be backed up and stored at an external location, thus keeping it separate from the corporate network so that it is isolated and protected in the event of a ransomware attack.
Software protection: Install specific anti-malware software as per the advice above.
Access control: Each employee should only have access to particular parts of a network so that necessary job functions can be carried out. Access must be strictly controlled.
Whitelisting: Draw up a list of applications and application components that have been approved for use by the company and apply rules on your firewall to only permit these applications.
Multi-Factor Authentication (MFA): Login via MFA by using strong passwords, a security token or by biometrics.
Consult Public Information: Read up and engage with the local/ national CSIRT (Computer Security Incident Response Team) at CSIRTs Network for advice on how to both mitigate against ransomware attacks and handle such an attack if it were to happen.
Endpoint Security: The devices used by employees must be protected, including laptops, cellphones, tablets and other equipment. This is an important matter considering that employees sometimes leave devices unattended in public places such as at an airport or in a café, risking the exposure of sensitive information.
How can firewalls improve cybersecurity for SMEs?
A firewall improves security by isolating internal systems, applications and data from an untrustworthy network like the internet. A firewall establishes a barrier between a trusted network and an untrusted network and it both closely monitors and controls data flows for a company.
• The rules defining network access should be specific. Company security guidelines can be defined.
• Regular audits of firewalls should be carried out. For example, any unauthorized firewall configuration change should be flagged up.
What is a web application attack?
A web application attack exploits vulnerabilities in web applications or in mobile apps so as to gain access to the internal IT systems or the data of a company. Such attacks can also compromise the availability of web applications and associated data.
• Apply security solutions to protect APIs (Application Programming Interfaces) that are key elements of web applications.
• Specialised security solutions are available that can both scan web applications for possible vulnerabilities and recommend solutions to address any discovered vulnerabilities.
• Where web applications are running in the cloud, explore what security solutions are available from your cloud service provider.
• Implement secure coding practices at the development stage of web applications. Apply Secure Software Development Lifecycle (SSDL) principles. Good advice is available from the OWASP SAMM open-source project team (www.owaspsamm.org).
• Use web application firewalls. Apply security patches and updates in a timely manner as they are made available from suppliers.
What can SMEs do to avoid a web-based cybersecurity attack?
A web-based attack exploits internet infrastructure security weaknesses in order to carry out a cyberattack against, for example a company website, an e-commerce site, a blog or a search engine. Examples of a web-based attack include the installation of malicious code to extract sensitive information such as a consumer database or a payment detail, a modification of data on a website, the deletion of data and the sabotaging of website access.
For protection against web-based attacks, SMEs should consider the following:
• Keep operating systems up to date with the latest security patches. Install security updates in a timely manner.
• Enable security options, such as strong authentication for administrative access, use encryption and back-up data as per the advice above.
• Use security solutions to control and monitor websites so as to quickly detect and prevent vulnerabilities and the insertion of malicious code.
CYBERSECURITY CHALLENGES - NEW TECHNOLOGIES
CLOUD SERVICES
With the advent of cloud services and solutions, there has been a fundamental shift in how SMEs manage their IT infrastructure and data. The cloud-based business applications of SMEs are used extensively for services that relate to email, conferencing and communications, invoicing and finance, customer management and web portal operations. For a digital SME, the reliance on the cloud is even greater where there is a close dependence on the platform security of a cloud provider.
There are many advantages for companies from using cloud services:
• Business operations can be streamlined and can run more smoothly.
• There is a reduction in hardware and software costs that help to improve productivity. SMEs do not have to manage IT equipment such as servers on their premises.
• There are advantages of scalability and flexibility in the use of IT resources such as computing resources.
• By outsourcing IT management tasks to cloud service providers, SMEs can concentrate on core business activities.
• Provides ways to better store, manage and access data over the internet.
• With cloud services readily available, businesses can experiment with emerging technologies like AI, machine learning and IoT.
A cloud cybersecurity strategy must be drawn up by an SME for different cloud related services that can be deployed such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Such services can help SMEs to both innovate and to compete in an ever-changing digital landscape. According to the Cloud Security Alliance Top Threats to Cloud Computing 2024 report, cyber attackers will continue to develop more sophisticated techniques, including via the use of AI to exploit vulnerabilities in cloud environments. Supply chain vulnerabilities will grow due to the complex nature of the cloud ecosystem.
How best can SMEs improve cloud security?
To enhance cloud security, SMEs should consider the following measures:
• Implement security solutions such as the provision of firewalls and intrusion detection systems so as to enhance cloud security. The security controls that are put in place must align with the capabilities of the cloud platforms.
• Train employees in key cloud computing skills so that they can grow familiar with cloud concepts, platforms and services. Consider engaging a Managed Security Service Provider (MSSP) that can provide 24/7 monitoring services to secure the cloud environment of a business.
• Implement data encryption for both customer information and business data. An inventory of the software assets that are managed should be maintained and reviewed together with the contact details of the service providers that are being used.
• Access control to sensitive assets must be strictly managed. Tiered permission based on the different roles of employees can be enforced. Rules related to Access Management can determine what a cloud provider can do or cannot do within cloud platforms.
• Strong passwords together with multi-factor authentication (e.g. access via a fingerprint or via the mobile device of a user) provide an extra layer of security.
• Test the recovery process so as to guarantee that data can be restored quickly.
• Make sure that hardware and software versions are up to date and apply security patches in a timely manner as they are made available by suppliers. Applying such updates can stop the majority of cyberattack attempts.
• Select carefully the cloud provider. Use third-party assessments and site visits to assess suppliers. Look beyond the product and examine the approach of a supplier to cybersecurity. Do not rely solely on vendor supplied documentation or information. Verify information.
• Secure assurances that cloud service providers are following the best industry standards and compliance certification rules for cybersecurity.
• When planning for the handling of a possible cyber incident, SMEs must fully understand the resources of the cloud service provider and incorporate such resources in an incident response plan. Such a plan should be documented, regularly reviewed and updated.
AI SECURITY
The 2024 McKinsey global survey on AI found that the use of AI by companies had doubled compared to the preceding ten-month period. However, SMEs are only adopting AI at half this rate. The 2024 OECD SME digitalisation report found that bottlenecks for SMEs in deploying AI included a lack of time for training, maintenance costs and finding the right talent and skill sets. Enterprises are integrating AI apps and systems into business product offerings. Existing trends that relate to AI technology include Machine Learning (ML), Natural Language Processing (NLP), AI powered automation, robotics and the use of AI to improve cybersecurity.
The benefits for SMEs from using AI include the following:
• Enhance business productivity and efficiency.
• Boost customer experience and loyalties.
• Effectively compete in a changing marketplace.
• Boost innovation.
• Data driven decisions can improve business operations.
What measures should SMEs take to mitigate against AI related cyberattacks?
• AI security tools can serve positive functions. They can be deployed to detect future threats, automate security patch management and monitor the security of networks in real-time. This is important noting that the rapid development of AI technology equally enables attackers. AI can help automate vulnerability identification. AI can create highly personalised and realistic phishing and related attacks.
• Machine learning platforms can analyse historical data and user behaviour via the use of algorithms to predict potential malware and ransomware attacks.
• Apply a company policy on data. Never share sensitive data with generative AI chatbots. For example, FraudGPT is a product sold on the web that works in a similar manner to ChatGPT, but it is a malicious chatbot that exploits AI technology to facilitate cyberattacks.
• Consider employee training and awareness in the changing nature of AI generated cybersecurity attacks, for example in areas such as phishing, smishing, vishing and compromising business emails. Deepfake videos using AI technology can maliciously impersonate a senior member of a company giving instructions over a video or using voice instructions to a staff member from the finance department instructing that person to make particular payments or to change bank account details.
• Regularly review internal company procedures so as to ensure that both effective cybersecurity protection systems and the capability to respond to an AI related cybersecurity attack are in place. Note that the security needs of a company do change as businesses scale in size.
EU COMPLIANCE AND REGULATORY OBLIGATIONS
NIS2 (2024)
Purpose
The NIS2 (Network and Information Systems) Directive introduces new baseline requirements to improve cybersecurity for entities from a range of different vertical industries. Such sectors include, for example the energy, transport, manufacturing, health and digital infrastructure sectors. Micro and small enterprises do have NIS2 obligations if they fall within the following categories:
• A provider of public electronic communications networks.
• Publicly available electronic communications services.
• Trust service providers.
• Top-level domain name registries.
• System service providers.
• National EU member states can categorise particular SMEs as important and essential entities for the purposes of NIS2.
Single point of contact
The 27 EU member states must provide practical guidance to SMEs outlining how cybersecurity can be improved and assist in addressing the specific needs of SMEs from a cybersecurity viewpoint. Each EU member state must establish a single point of contact for the purposes of implementing and enforcing NIS2 requirements.
Required cybersecurity measures
Article 21 of NIS2 sets out a series of technical, operational, and organisational cybersecurity measures that should be implemented in a proportionate way by entities that fall under the scope of NIS2:
• Conduct risk analysis.
• Put in place proper incident handling procedures.
• Use multi-factor authentication.
• Devise back-up and crisis management plans that include disaster recovery mechanisms.
• Conduct risk assessments of the security of supply chains.
• Establish systems to manage vulnerability handling.
• Procedures to assess the effectiveness of cybersecurity risk management measures.
• Promote basic cyber hygiene practices (e.g. cyber awareness and training initiatives).
• Use cryptography and encryption.
• Measures to address human resource security.
Article 23 of the NIS2 Directive sets out the reporting obligations for entities that fall under the scope of NIS2:
• A significant cybersecurity incident is one that has a significant impact in terms of operational disruption or financial loss. The entity affected must provide to the national CSIRT (Computer Security Incident Response Team) or to the dedicated NIS2 national competent authority an early warning within 24 hours, indicating whether the incident is suspected to result from a malicious act or could have a cross-border impact.
• Within 72 hours, an assessment must be given of both the severity and impact of the incident to the respective national CSIRT or to the dedicated NIS2 national competent authority.
• After one month of the initial notification, a comprehensive report must be provided that gives a detailed analysis of the incident, the type of threat involved, the root cause of the incident, how the incident was handled and if there was a cross-border dimension to the incident or not.
• For further information about NIS2 obligations and requirements, please consult the final pages of this guide that lists out some key contact points of national cybersecurity agencies from across the different EU27 member states and EEA/EFTA countries.
CYBER RESILIENCE ACT (2024)
Purpose
If you are an SME that manufactures products with digital elements, such products can only be placed on the EU market if they comply with mandatory cybersecurity requirements. This will ensure a greater level of security across the EU by requiring that both wired and wireless products meet predefined security baselines before market placement.
CRA Products
A wide range of hardware and software products are covered by the CRA including operating systems (e.g. for computers and smartphones), internet connected devices (e.g. smart toys, smart speakers) and applications (e.g. health monitoring apps).
Conformity
A variety of different conformity assessments must be carried out for products with digital elements depending on the risk categorization and the profile of the product in question.
Standards
Manufacturers must ensure that such products accord to strong cybersecurity standards during the life cycle of the product. The support period is five years, unless the expected use time will be less.
Consumer information
Consumers need to be informed about the nature of the cybersecurity of the product that they buy.
Reporting obligations
Actively exploited vulnerabilities must be reported to the respective national CSIRT (Computer Security Incident Response Team) and to ENISA within predetermined time frames, as follows:
Timeline
• 24 hours: Early warning notification on becoming aware of an actively exploited vulnerability.
• 72 hours: Outline the general nature of the exploit and the vulnerability concerned and state the mitigating measures taken.
• 1 month: Include information about any malicious actors that are exploiting the vulnerability. State the severity, the impact of the incident, the type of threat involved and the root cause.
The CRA will apply from December 2027, except that the obligations for manufacturers to report actively exploited vulnerabilities and cybersecurity incidents apply from September 2026 onwards.
Guidance
The European Commission will provide SME tailored guidance and resources so that CRA compliance costs for SMEs are reduced.
Sandboxes
Regulatory sandboxes will allow businesses to experiment, develop, design, validate and test new innovative products with digital elements.
Cooperation with ECCC
SMEs will be supported with testing and conformity assessment activities in co-operation with the European Cybersecurity Competence Centre (ECCC).
Simplification
SMEs will be able to provide technical information in a declaration of CRA conformity in a simplified format, and the CRA requires that fees be reduced.
An enhanced role has been given to ENISA (EU Cybersecurity Agency) in developing EU wide cybersecurity certification schemes.
Purpose
In 2024, the European Commission approved the new EU Common Criteria cybersecurity certification scheme (EUCC). The EUCC scheme provides a mechanism of assurance for manufacturers to certify the cybersecurity properties of ICT hardware and software products. ENISA has provided state of the art (SoA) documents that outline the evaluation process and the security requirements that must be fulfilled by such companies so that EUCC certification can be obtained.
Conformity
Guidelines are provided to conformity assessment bodies that oversee the evaluation and conformity arrangements.
Certification
This Common Criteria scheme certifies the ICT security attributes of products and this may in turn be used by SMEs as part of their product and service offerings.
Benefits
Certification facilitates cross-border trade and promotes beneficial competition within the EU marketplace. Market entry barriers for SMEs are reduced, as SMEs only have to certify a product once. SMEs that obtain cybersecurity certification assurance for ICT products have a competitive advantage. It also gives consumers a greater understanding of the security features of different products.
Further schemes
The EU Cloud cybersecurity certification scheme (EUCS) and the EU 5G cybersecurity certification scheme are the two next cybersecurity certification schemes under development in an EU context.
EU supply chain
Cybersecurity attacks are on the increase within the EU supply chain and SMEs are being targeted. So, it is important for SMEs to check if compliance with different national or international certification frameworks is required.
Why is data protection so important for SMEs?
Compliance with the EU General Data Protection Regulation (GDPR) increases data security, builds customer confidence and reduces the risk of data breaches. This helps to strengthen the reputation of a brand, it streamlines the management of data and it increases operational efficiency.
Application
GDPR application is not dependent on the size of the company, but on the nature of the business carried out – specifically whether the personal data of EU citizens is being processed or not. Small companies processing the personal data of their employees, customers or business partners must therefore also respect the GDPR principles.
Build trust
Observing GDPR provides potential and existing customers with the confidence that an SME is operating legally and taking the necessary steps to protect personal data. This clearly helps to build a relationship of trust, which is particularly important because many companies provide online services that process and store large amounts of data (often containing ‘sensitive’ personal information) that may become the target of cyber-hackers. Personal data such as social security numbers, driver licences, passport numbers, email addresses and bank account details are often the first target for attackers, so the loss of such information can have negative consequences for both a company and its customers.
What measures should SMEs take to show compliance with GDPR?
GDPR obligations
Some of the obligations of the GDPR may not apply to all SMEs. For instance, SMEs do not always need to keep records of processing activities or appoint a Data Protection Officer (DPO). It is important to note that if a small company is subject to one of the GDPR exemptions, but cooperates with a larger company that carries out large-scale processing, then even a small company may be subject to stricter GDPR requirements (e.g. will be required to appoint a DPO).
Risk-based Approach
The adoption of a ‘risk-based’ approach is required in order to ensure the security of the personal data processed and to demonstrate GDPR compliance; this applies to all organisations, irrespective of their size.
Data Processing
Identify the personal data that is held, where it comes from, with whom it is shared and what is being done with it. An SME may have to maintain a record of data processing activities if it falls within the criteria of Article 30 of the GDPR, in particular if it processes data that is likely to result in a risk to the rights and freedoms of data subjects.
Lawfulness
Know the legal basis relied upon (consent / contract / legitimate interest / legal obligation) to justify the processing of personal data. If consent as the legal basis is relied upon, make sure to obtain informed consent, and keep detailed records of received consents.
Compliance with GDPR principles
Make sure that data is processed according to GDPR principles (e.g. transparency, storage limitation, data minimization, accuracy and confidentiality).
Data minimization
Ensure that only the minimum amount of personal data necessary to conduct the business of an SME is collected. The data must be accurate and kept no longer than is needed for the purpose for which it was collected.
Transparency
Be transparent with individuals whose data you intend to process about the reasons for collecting such data and the specific uses of this data, and for how long you need to keep their data on file.
Data Protection Officer
Decide whether a Data Protection Officer (DPO) needs to be appointed.
Risk assessment
A risk assessment of both the personal data that is being held and operational data processing activities must be conducted.
Technical measures
Appropriate technical and organisational measures to ensure that data is stored securely (whether in digital or paper files) must be implemented. The security measures required will depend on the type of personal data held by a company and on the risk exposure to both customers and employees if those measures are maliciously compromised.
Rights of individuals
Be able to facilitate requests from individuals that may wish to exercise their rights under the GDPR, including rights of access, rectification, erasure, withdrawal of consent, data portability and the right to object to automated processing.
Data breach
Effective processes to identify, report, manage and resolve any possible personal data breach must be put in place.
Third parties
Manage personal data sharing to third parties (vendors, suppliers, customers). Data processing or sharing agreements should specify how data processing is secured, with appropriate data transfer mechanisms to non-EU/EEA companies.
Internal Procedures
Have up-to-date policy documents and/or internal procedures.
Employee Awareness
Provide data protection awareness training for all employees.
CYBERSECURITY AWARENESS AND TRAINING
Data breaches that involve a human element
According to the 2024 Verizon Data Breaches Investigations Report, 66% of data breaches involve a human element. This is linked to the lack of cybersecurity awareness of some employees and users. It is challenging to address this underlying problem – human behaviour and habits. Securing sensitive data and protecting it from theft should be an essential element of employee cyber skills training.
The 2025 World Economic Forum Global Cybersecurity Outlook report found that 36% of respondents believe that the skills gap is the main challenge to achieving higher levels of cybersecurity. The 2024 ISC2 Global Cybersecurity Workforce study estimates that Europe lacks more than 400,000 cybersecurity specialists.
(Chart: respondents who believe the skills gap is the main challenge: 36%)
Skills.
According to the 2024 Eurobarometer survey on cyber skills:
• More than half of the companies surveyed had problems in recruiting cybersecurity staff over the preceding 12-month period. 45% of these companies faced problems in finding qualified candidates, a further 44% had a lack of applicants for cybersecurity job vacancies and 16% of companies had budgetary constraints.
• Only 25% of companies had carried out cybersecurity and awareness training within the preceding 12-month period.
• 76% of employees in cybersecurity related roles had not received any formal cybersecurity qualification or certified training.
Employee cybersecurity training.
• Highlight the importance of vigilance and awareness of possible cybersecurity attacks, for example phishing, malware, DDoS, ransomware, business email compromise, smishing, vishing and web-based attacks.
• Emphasise the significance of strong passwords, the need to back-up data, multi-factor authentication and mobile device security.
• Employees must fully understand the internal company processes that relate to cybersecurity and this includes reporting obligations.
• Regular training is required because both technology and the nature of cybersecurity attacks are constantly changing.
• Understand EU data protection rules and other regulatory obligations.
European Cybersecurity Skills Framework.
• The European Cybersecurity Skills Framework is a reference point for defining the required skills, knowledge and competencies for different cybersecurity professional roles in the workplace. Examples of such positions would relate to the chief information security officer (CISO), a cybersecurity compliance officer, a researcher, a risk manager or a digital forensics investigator.
• This is a positive and helpful initiative that can support the recruitment of new cybersecurity professionals in a company.
• This framework supports the design of cybersecurity related training programmes.
EU Cyber Skills Academy.
• The objective of the EU Cyber Skills Academy is to improve the coordination of existing initiatives across the EU that promote cybersecurity skills.
• It seeks to establish a common EU approach to cybersecurity training. Over time, it will give stakeholders greater visibility of EU funding opportunities in the area of cyber skills.
• It will analyse the changing nature of the cybersecurity market in the EU so that new methodologies and metrics can be drawn up to enhance cybersecurity employment.
• A key goal is to secure higher levels of participation from industry and academia in addressing the cyber skills gap, including the important issue of gender imbalance within national cybersecurity strategies.
European Cybersecurity Skills Framework (ECSF) | ENISA
Cyber Skills Academy | Digital Skills and Jobs Platform
According to the 2024 Eurobarometer cyber skills survey, 56% of respondents said that their enterprises did not employ any women working within their respective cybersecurity teams. This imbalance needs to be rectified for a number of reasons:
• There is universal agreement on the need to address the cybersecurity skills gap in Europe. The EU Digital Decade 2030 targets seek to ensure that Europe will have 20 million ICT specialists by 2030.
• There is an EU wide effort to improve team dynamics through employee diversity.
• There is a clear need to enhance problem solving through diverse viewpoints and experiences.
• Inclusivity and equal opportunities for career growth must be promoted.
Initiatives under the EU Digital Skills and Jobs Platform.
• The Women4Cyber Registry of Experts. This initiative of the European Commission serves as a reference point for women cybersecurity professionals by providing a database of female experts that work in the field of cybersecurity. It raises the visibility of women working in the field of cybersecurity.
• This database of female experts provides a strong platform for women cybersecurity professionals to become more active in the field of cybersecurity and aims to boost business opportunities.
• Collaboration, co-operation, continued learning, higher levels of networking are all benefits that accrue from this Women4Cyber Network.
(Chart: enterprises that do not employ any women in their cybersecurity team: 56%)
Registry of experts - Women4Cyber
EU Digital Skills and Jobs Platform:
This initiative supports the EU co-funded Cyberagent initiative that upskills SME employees, particularly by encouraging women to drive positive change in SME cybersecurity. As part of the activities of the EU Digital Skills and Jobs Platform, the Women4Cyber Mari Kert–Saint Aubyn Foundation supports a number of initiatives that promote higher levels of participation of women in the field of cybersecurity. This is highly important, as Women4Cyber has stated that the proportion of women working in cybersecurity in Europe is below 20% (www.women4cyber.eu/).
Mentoring
The Women4Cyber organisation also manages annual cybersecurity mentoring programmes that help to improve cybersecurity skills and provide career development guidance to mentees at all levels. This mentoring initiative is conducted together with the active participation of industry.
National chapters
Women4Cyber now has a very extensive network of national chapters across Europe. This expanding list of country members includes Albania, Austria, Bosnia and Herzegovina, Belgium, Bulgaria, Cyprus, Czechia, Denmark, Finland, France, Germany, Greece, Hungary, Italy, Latvia, Kosovo, Lithuania, Luxembourg, Montenegro, North Macedonia, Netherlands, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden and Ukraine. As of October 2024, Women4Cyber had 70,000 followers from across Europe.
(Chart: percentage of women working in cybersecurity in Europe: below 20%)
Youth ambassador programme
Some of the Women4Cyber national chapters lead on this important initiative. It gives young women the opportunity to be the voice of their peers on cybersecurity, and it encourages and motivates young women by highlighting the importance and excitement of cybersecurity as a career.
Jobs corner
This offers regular newsletters to cybersecurity members on job vacancies. Women from both STEM and non-STEM backgrounds are encouraged to work in cybersecurity.
Education initiatives
The Road2Cyber online platform provides a one stop shop for different education, training, certification, and mentoring courses that are available on cybersecurity across Europe.
Networking/Information
Conferences, workshops and webinars on cybersecurity topics are organised to support women taking up technical, operational, managerial and leadership positions.
HORIZON EUROPE / DIGITAL EUROPE
• On the investment side, the EU supports cybersecurity collaborative actions under the Horizon Europe research, innovation and science programme 2021-2027.
• Funds are available from the Digital Europe programme for SMEs to promote higher levels of cybersecurity in Europe. This initiative affords SMEs more opportunities to expand their footprint in Europe in the development of new cybersecurity related products.
Horizon Europe - the EU’s funding programme for research and innovation
INVESTEU / EU RECOVERY AND RESILIENCE FACILITY
Recovery and Resilience Facility - European Commission
• Cybersecurity is also a part of InvestEU, a financial instrument that will support stronger cybersecurity value chains in Europe.
• Under the EU Recovery and Resilience Facility (RRF) many EU countries are adopting plans that contain a number of additional investments in cybersecurity.
How can the European Cybersecurity Competence Centre (ECCC) deliver higher standards of cybersecurity for SMEs?
A key role of the European Cybersecurity Competence Centre (ECCC) is to support both innovation and European industrial policy in cybersecurity. The ECCC works closely with the public and private sectors from the EU27 member states in the building of a stronger cybersecurity eco-system in Europe.
• The annual cybersecurity work priorities of the ECCC can give further strong support to SMEs to take part in both the Horizon Europe and Digital Europe initiatives.
• This collaboration can expand into different SME cybersecurity support programmes in individual EU member states and across the EU.
• It supports capacity building and the exchange of best practices in the European Union so as to promote higher standards of cybersecurity.
European Cybersecurity Competence Centre (ECCC)
The Digital Europe programme for SMEs
InvestEU
How does Huawei support SMEs in Europe?
Product support
Huawei is committed to working with SMEs to provide tailor-made and easy-to-deploy products and solutions that can help to accelerate and simplify their digital transformation. Together, business growth can be unlocked, cyber resilience reinforced, energy efficiency delivered and entrepreneurial potential maximised. Huawei can support companies to scale up by offering mentoring, technical support, technological resources and access to international insights and markets.
Huawei runs many dedicated programmes to support SMEs across Europe including in Finland, France, Germany, Greece, Ireland, Italy, Poland and in Spain.
Research and Development centres in Europe
Huawei has 29 Research and Development (R&D) centres in Europe and collaborates with SMEs on a range of different research disciplines, including cybersecurity.
Partnerships with research institutes and universities
Huawei works with many SMEs through the structure of the more than 230 partnerships that Huawei has with research institutes in Europe and with more than 140 European universities.
Huawei cybersecurity centres
Huawei has three cybersecurity transparency centres in Europe, based in Brussels, Rome and Bonn, that can explain and engage with SME groupings on cybersecurity and share our experience and knowledge. Huawei works with our customers and industry partners in an open and transparent manner to tackle cybersecurity challenges. It is of crucial importance for Huawei to build and fully implement an end-to-end cybersecurity assurance system. Huawei operates the ABC principle when rolling out our cybersecurity strategies: Assume Nothing, Believe Nobody and Check Everything.
Cloud
Our advanced cloud services, APIs and tools for developers enable SMEs and small startups to have equal access to the same robust, stable, secure, agile and cost-efficient digital infrastructure as larger enterprises. SMEs can use Huawei cloud services to develop and test products and processes in the areas of AI, computing and machine learning. The Huawei Cloud Start-Up programme enables SMEs to deploy cloud services at a very low cost. SMEs can benefit from a range of digital tools to strengthen and transform their growth.
Joint Innovation
Huawei already supplies knowledge and materials for ICT skills online. For example, through our Paris Innovation Centre we have created an interactive space where we bring together our top experts from different sectors to encourage more in-person exchanges with SMEs and industry partners. Joint innovation will be helped by open platforms and the sharing of industry know-how. Huawei is bringing together test validation cases and experiences that cover a wide product range from 15 different industries.
USEFUL CYBERSECURITY RESOURCES / INFORMATION FOR SMES IN EUROPE
Examples of publicly available information for SMEs on cybersecurity in Europe.
Austria
National Cybersecurity Co-ordination Centre (NCC) www.ncc.gv.at/
Belgium
Centre for Cybersecurity Belgium (CCB) www.ccb.belgium.be/en
Bulgaria
CERT Bulgaria. www.govcert.bg
Croatia
Security and Intelligence Agency (SOA) www.soa.hr/hr/
Cyprus
Digital Security Authority (DSA) https://dsa.cy
Czech Republic
National Cyber and Information Security Agency (NÚKIB) www.nukib.gov.cz
Denmark
Centre for Cybersecurity (CFCS) www.cfcs.dk/en/about-us/
Estonia
Estonian Information System Authority (RIA) www.ria.ee
Finland
National Cybersecurity Centre (NCSC-FI) www.kyberturvallisuuskeskus.fi
France
French Cybersecurity Agency (ANSSI) www.cyber.gouv.fr
Germany
Federal Office for Information Security (BSI) www.bsi.bund.de
Greece
National Cybersecurity Authority (NCSA) www.mindigital.gr
Hungary
National Cybersecurity Centre of Hungary (NBSZ-NKI) https://nki.gov.hu
Iceland
Eyvör - National Cybersecurity Coordination Centre (NCC-IS) www.government.is/topics/telecommunications/ncc-is/
Ireland
National Cybersecurity Centre (NCSC) www.ncsc.gov.ie/
Italy
National Cybersecurity Agency (ACN) www.acn.gov.it
Latvia
Cyber Incident Response Institution www.cert.lv/
Liechtenstein
National Cybersecurity Unit www.llv.li
Lithuania
National Cybersecurity Centre (NCSC) www.nksc.lt
Luxembourg
Luxembourg House of Cybersecurity (LHC) www.lhc.lu/
Malta
National Cybersecurity Coordination Centre (MITA) www.mita.gov.mt/ncsc/
Netherlands
National Cybersecurity Centre (NCSC) www.ncsc.nl
Norway
National Cybersecurity Centre (NCSC) www.nsm.no
Poland
Cybersecurity College www.gov.pl/web/cyfryzacja/powstaje-kolegium-ds-cyberbezpieczenstwa
Portugal
National Cybersecurity Centre (CNCS) www.cncs.gov.pt
Romania
National Cybersecurity Directorate (DNSC) www.dnsc.ro
Slovakia
International Organisations
ENISA (European Union Agency for Cybersecurity) www.enisa.europa.eu/topics/awareness-and-cyber-hygiene/smes-cybersecurity
Europol
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.