European SMEs overestimate their cybersecurity

Small and medium-sized enterprises are increasingly aware of the centrality of cybersecurity and for the most part relatively confident about their cyber resilience but continue to overestimate the level of preparedness they have reached. This is the main message emerging from the 'Smb Cyber Readiness Index 2026' study conducted by Eset on more than 4,400 organisations in Europe, North America and Japan.

The most interesting fact, therefore, does not concern the (now consolidated) growth of threats, but rather the gap between risk perception and actual measures taken to deal with it. "The cultural component is substantial," explained Michal Jankech, Vice President of Enterprise Smb & Msp of the Bratislava-based company, to Il Sole 24 Ore, "because educational approaches and communication styles are different. And the way people operate on a daily basis is also reflected in the way they approach business and perceive security in the company'.

According to the manager, there is also a direct relationship between the level of economic prosperity and the overall ability of an organisation to prevent and cope with cyber attacks, in relation to the fact that technologies are yes generally accessible, but not always affordable.

Some of the research's indicators concretely illustrate the extent of the above contradiction, in a scenario where 45% of the SMEs surveyed have suffered at least one attack in the last twelve months and 14% claim to have faced more than one. 78% of companies consider cybersecurity to be a strategic priority, 61% claim to have a good understanding of the subject and 75% believe they can respond effectively to incidents; on the other hand, 68% admit that keeping up with the evolution of threats has become very difficult and 55% judge the cybersecurity market (supply side) to be 'confusing and complicated'. As risk awareness increases, in other words, the ability to reduce the area of exposure does not necessarily increase.

A second glaring dichotomy also emerges when it comes to threat assessment: in fact, businesses cite AI-powered malware as the main concern, ahead of ransomware and credential theft, while in reality the dominant attack vector globally still remains phishing. "There are no sophisticated new AI-powered attacks. Attacks,' Jankech emphasises, 'are simply being executed more precisely, faster and on a larger scale, increasing the strength and sophistication of malicious campaigns. The real problem is that companies can focus on theoretical risks instead of fixing real vulnerabilities'. Known as well as real vulnerabilities, which arise from the acceleration of historical weaknesses such as fragile passwords, inadequately updated IT systems, insufficient monitoring and, last but not least, incomplete employee training.