Italian SMEs consider themselves cyber-resilient. But AI is a cause for concern for seven in ten companies
Cybersecurity is seeking to move beyond the confines of IT once and for all and become an integral part of SME governance. The impetus provided by regulatory pressure, the spread of artificial intelligence and the never-ending rise in cyber threats are, in fact, prompting even small and medium-sized organisations to view digital security as a key factor in ensuring business continuity, the protection of information assets (with critical data at the forefront) and competitiveness. This is the picture that emerges from the Italian data in ESET’s Cyber Readiness Index 2026, based on a sample of 500 companies with between 25 and 1,000 endpoints, which *Il Sole 24 Ore* was able to analyse in advance. The study paints a picture of businesses that are, on the whole, more mature than in the recent past and – at least in terms of their intentions and the statements made during the survey – more aware of the risks and their own capacity to respond. All this is underpinned by investment that now appears to be well established. So, does the ESET report paint a truly encouraging picture? Only to a certain extent, as some critical issues remain unresolved, particularly regarding skills and the management of artificial intelligence. A critical analysis of the research findings also comes from Fabio Buccigrossi, Vice President of South West Europe Sales at ESET, who states that “the key point is to ensure security goes beyond the technological aspect and regulatory compliance. Italian SMEs generally believe they are protected, but in many cases they are not, and they forget that all cybercriminals are perfectly capable of identifying any sensitive target”.
Greater focus on risk and adequate budgets
The level of attention with which Italian small and medium-sized enterprises view the threat landscape suggests a greater level of maturity when it comes to cyber risk. In fact, three out of four companies believe it is likely they will suffer a cyber attack in the next twelve months, a figure significantly higher than the global average, which stands at 61 per cent. Conversely, only 35 per cent of the companies surveyed report having suffered at least one incident in the last year, which is ten percentage points lower than the international average (45 per cent). Reading these figures, one gets the impression that organisations’ level of preparedness is on the rise, and this interpretation is also confirmed by the assessment of their response capabilities. 76 per cent of Italian SMEs consider themselves resilient to cyber threats, whilst as many as 92 per cent regard their cybersecurity budget as adequate (internationally, this figure drops to 80 per cent). Given these circumstances, the fact that only 29 per cent of businesses expect a further increase in investment over the coming year should not be a cause for great concern, but are we truly entering a new phase of cybersecurity for SMEs? Have we actually moved beyond the stage of building basic defences and begun to consolidate and refine them? According to the ESET manager, the data on the adequacy of investment nevertheless warrants careful consideration, because “there is often a significant gap between actual spending budgets and real protection needs, not to mention that the availability of dedicated resources and expertise remains an issue. Often, the IT manager at an SME is reluctant to knock on the door of the procurement department or senior management.”
The human factor remains the weak point
Whilst technological protection appears to be gradually improving, the main source of vulnerability continues to be people and the organisation. This is a well-known problem, but it certainly must not be dismissed as ‘business as usual’ that a lack of staff training and awareness is cited as the top concern by 27 per cent of companies – more so than the overload on IT and cybersecurity teams (26 per cent) and the difficulties associated with introducing new technologies. In other words, the much-vaunted cyber resilience is also achieved thanks to the organisation’s ability to develop widespread skills and appropriate behaviours; otherwise, it remains little more than a utopian ideal. “We must start from the premise,” Buccigrossi points out, “that antivirus software is no longer enough – and hasn’t been for some time: the landscape has changed drastically, and there has been a lack of systematic efforts to foster a security culture and provide training. How many SMEs still do not have round-the-clock protection and do not rely on a security provider capable of guaranteeing protection against remote attacks?” According to the data, the main areas of investment planned for the next twelve months, as confirmed by Italian SMEs, relate to staff training and cloud security, both cited by 32 per cent of businesses, whilst 86 per cent of respondents consider awareness-raising activities to be a key factor in preventing attacks.
The biggest challenge, however, has only just begun and is reflected in the gradual penetration of artificial intelligence: in 60 per cent of cases, it has already been integrated into business processes, but 71 per cent of companies (the global average stands at 73 per cent) believe that its use could widen the attack surface and create new vulnerabilities. And only just under half (49 per cent) have already established an internal policy to regulate its use. There is therefore a clear gap in the response to the potential impact of the uncontrolled adoption of AI, and this gap opens the door to the proliferation of so-called ‘shadow AI’ and the risks associated with the use of generative tools outside company procedures. For Buccigrossi, however, another aspect that has become a priority for those defending organisations must also be considered: “Today, cyber security cannot do without this tool if it is not to fall behind the capabilities of attackers.”
Security becomes a strategic choice
Finally, the evolution of SMEs’ digital maturity also appears to be reflected in the criteria used to select cybersecurity providers, with 79 per cent of companies prioritising data sovereignty and considering it important to know where their business information is stored, and 71 per cent taking the vendor’s country of origin into account (64 per cent, all other things being equal, state that they prefer security solutions developed by European providers). For the ESET manager, the choice of technology partner will become increasingly crucial and answers a specific question: “Which path should we take? Rely on a trustworthy security vendor and make the company’s staff the key players in data protection”. There is no doubt that the way in which SMEs are tackling the issue of cybersecurity is changing; however, the extent to which it has already become a truly strategic element of corporate governance – involving investment, organisation and expertise – remains an open question. Furthermore, as Buccigrossi suggests, the regulatory framework also raises questions that remain unresolved. “The NIS2 Directive,” the Italian manager concluded, “requires recorded attack attempts to be reported in accordance with certain requirements, but no one is asking how these reports are handled. Is the Postal Police equipped to adequately handle the volume of reports it receives?’ A question that once again centres on the available resources and expertise – the arena where the most important battle is being fought to navigate the new transformation brought about by artificial intelligence without paying too high a price in terms of tariffs.

