ServizioContenuto basato su fatti, osservati e verificati dal reporter in modo diretto o riportati da fonti verificate e attendibili.Scopri di più
Computer security

Cyber risk, one in four SMEs attacked in 2025

Presented the Cyber Index PMI 2025, the report by Confindustria and Generali. Dossier on 1,500 companies: 70% of SMEs remain in the intermediate levels and risk is growing faster than defence capacity. One in three does not even know how to manage ordinary IT security activities

by Ivan Cimmarusti

3' min read

Translated by AI

For feedback, please contact
english@ilsole24ore.com

Versione italiana

Key points

3' min read

Translated by AI

For feedback, please contact
english@ilsole24ore.com

Versione italiana

One in four SMEs stated that they had received a cyber-attack. While one in three does not have adequate digital skills to handle even routine cybersecurity activities.

These are the hardest data of the Cyber Index PMI 2025, the annual report - now in its third edition - drawn up by Confindustria and Generali on a sample of 1,500 enterprises: not the lack of budget, not the scarcity of tools, but a structural knowledge deficit that makes the entire defensive perimeter of Italian SMEs fragile - even when the overall index rises.

Loading...

Cyber Index PMI 2025: index rises, attacks grow faster

And up it goes, indeed. The SME Cyber Index reaches 55 out of 100, up from 52 in 2024 and 51 in 2023. Enterprises classified as 'mature' rise to 16% and overtake for the first time those classified as 'beginners', down six points to 14% since the first survey. But 70% remain stuck in the intermediate levels - 38% 'informed', 32% 'aware' - and the improvement is not enough to speak of a solid system.

The risk, meanwhile, is growing faster than the defence capability: in the first half of 2025, there were 1,549 cyber events recorded, an increase of 53 per cent compared to the same period in 2024; in the second half, there were 1,253, an increase of 30 per cent.

SMEs and cyber attacks: almost one in four already affected

The problem is not only technical. Among novice companies, one third still believe that cyber attacks do not pose a real risk. Among informed ones, 39 per cent instead show an overconfidence in their own defences. Two opposite pathologies, same effect: underestimation of real exposure. An exposure that has meanwhile become concrete: almost one in four SMEs claims to have suffered at least one attack in the last three years, a figure three times higher than the previous survey. 2.5 per cent have experienced operational or financial consequences; 6 per cent have had to take significant response actions.

Loading...

Cybersecurity budgets in SMEs: insufficient growth

Investments are growing, but remain low. The IT budget increases by 3.3% in small companies and 5.2% in medium-sized ones; on average, 11% of that budget is allocated to cybersecurity.

The strategic approach index rises to 62 points, six more than in 2024. The area of identification also progresses to 48 points: the IT asset inventory rises from 48 per cent in 2024 to 70 per cent in 2025, and auditing activities increase by three points to 44 per cent. Real, but partial improvements: the implementation index remains static at 57 points, and only 29% of companies use external partners for security management, compared to 25% in 2024.

Multi-factor authentication, encryption, detection: where defences remain uncovered

Concrete measures remain weak. One in two SMEs has introduced multi-factor authentication, but only 11 per cent have implemented systematic vulnerability identification and remediation processes, and only 30 per cent adopt data encryption and network segmentation. On the detection and business continuity front, the picture is even more fragile: only one in four companies has solutions in place that can at least partially detect an intrusion in a timely manner, and 36% have not even considered the possibility of a business interruption - and have no recovery plan in place.

Government funding for cybersecurity: 39% of SMEs do not know about it

Public funding also remains a missed opportunity: only 12% of SMEs have accessed it, yet of those that have, 42% have reached the 'mature' profile. 39% of companies, on the other hand, do not know about or do not take advantage of these opportunities. This indicator is not just about cybersecurity, but measures something deeper: the capacity of the small business system to absorb resources and transform them into resilience. On this, the 55 index points do not tell the whole story.

Copyright reserved ©

  • Ivan Cimmarustigiornalista

    Luogo: Roma

    Lingue parlate: Italiano, inglese

    Argomenti: Sicurezza, giudiziaria, inchieste, giustizia tributaria

    Premi: Nel 2011 tra i vincitori del Premio Internazionale Antimafia Livatino-Saetta

Loading...

Brand connect

Loading...

I prossimi eventi

Tutti gli eventi

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti