SME cybersecurity: the essential measures checklist (2026)
MFA, tested 3-2-1 backups, patch management, phishing awareness, incident response plan, NIS2 and cyber insurance: the 2026 cybersecurity checklist for SME owners, with Hayot Expertise's analysis.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Cybersecurity is now a boardroom topic as much as an IT one. A ransomware attack that freezes invoicing for four days, a fraudulent wire transfer costing €40,000, a personal data breach reported to the CNIL under pressure: these scenarios are no longer confined to large organisations. SMEs account for a growing share of incidents reported to France's ANSSI and cybermalveillance.gouv.fr, precisely because they are seen as less well protected.
The reassuring reality is that an effective protection baseline requires neither a significant budget nor a dedicated team. It rests on consistent organisational habits applied with discipline. This guide provides a practical checklist for 2026, enriched with the angles business owners most often overlook: financial continuity, internal fraud controls, and the regulatory obligations that are now crystallising.
For an SME, most of the protection comes from five steps promoted by France's ANSSI: enable multi-factor authentication (MFA), set up regularly tested 3-2-1 backups, apply updates and restrict access rights, train teams on phishing, and prepare an incident response plan. These measures block the vast majority of common attacks. The regulatory framework (NIS2, GDPR) builds on these same foundations and adds notification and governance obligations.
Why cybersecurity is no longer optional for SMEs
A ransomware attack, a fraudulent transfer or a data leak can paralyse an SME for days and cost far more than its prevention. ANSSI has consistently observed that most small and medium-sized businesses remain below a minimum baseline of good practice. Yet this baseline requires neither a big budget nor deep technical expertise: it requires method and consistency.
Three vectors account for most incidents in SMEs. First: compromised accounts through stolen or reused passwords — the most common entry point by far. Second: a click on a malicious link in a phishing message, often well-targeted. Third: an unpatched flaw in an internet-facing tool (VPN, firewall, online accounting software). All three are addressed by the measures below.
Cybersecurity also connects directly with CEO fraud and deepfake scams — where human vigilance is the decisive factor — and with supplier bank-detail fraud, which hits cash directly.
The five essential measures: priority table
| Measure | What it protects | Priority | Setup complexity |
|---|---|---|---|
| Multi-factor authentication (MFA) | Account access | Very high | Low |
| Tested 3-2-1 backups | Recovery capability | Very high | Medium |
| Updates and least privilege | Attack surface | High | Low |
| Phishing awareness | The human link | High | Low |
| Incident response plan | Reaction time | High | Medium |
Measure 1 — Multi-factor authentication (MFA)
A password alone is no longer sufficient. MFA adds a second proof of identity (mobile app, physical key, SMS code) at sign-in. It is the most effective barrier against account hijacking, even when a password has leaked on a forum or been captured by phishing.
In order of priority, enable MFA on: business email (email is the master key — it can reset all other passwords), remote access tools (VPN, remote desktop), IT administration consoles, accounting software and online banking. An authenticator app (TOTP-based) is more secure than SMS, which is itself far better than no second factor at all.
What we see in practice
In the SME cases where we are notified of an incident, email compromise is the most common starting point, and in those cases MFA was not active. Activation takes under an hour per tool and requires no specialist. This is the best effort-to-protection ratio on the entire checklist.
Measure 2 — Tested 3-2-1 backups
Backup is the last line of defence against ransomware. The 3-2-1 rule is straightforward: three copies of your data, on two different media, with one copy off-site and offline (disconnected from the network). A disconnected backup cannot be encrypted by an attacker who has taken over the internal network.
More importantly — and this is the point SMEs most often miss — a backup is only worth anything if it actually restores. A timed, documented restore test (quarterly, for example) is the only reliable indicator of real recovery capability. Knowing your restore time before an incident means knowing how many days of activity you lose in the worst case and which data is genuinely recoverable.
Worked example. A 12-person trading company stores data on an office NAS (copy 1) and a private encrypted cloud (copy 2, off-site), with a third monthly copy on a disconnected hard drive stored off-premises (copy 3, offline). Each quarter it documents the time needed to restore all files and restart the invoicing software: 3 hours for data, 6 hours for configurations. In the event of a ransomware attack on a Monday morning, activity can resume the same evening. Without this preparation, the outage could run for several weeks.
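As an added illustration (not part of the article), a short Python check that applies the 3-2-1 rule and the quarterly restore-test discipline to a backup inventory. The inventory, media names, dates and restore hours are constructed, modelled on the trading company above; the 90-day test window is an assumption matching "quarterly".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    medium: str                     # e.g. "nas", "cloud", "external-disk"
    offsite: bool                   # stored away from the office
    offline: bool                   # disconnected from the network between runs
    last_restore_test: Optional[date]
    restore_hours: Optional[float]  # documented time to restore data and configs

def check_321(copies, today, max_test_age_days=90):
    """Compare a backup inventory with the 3-2-1 rule and the quarterly
    restore-test discipline. Returns (gaps, stale); both empty means compliant."""
    gaps, stale = [], []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, the rule asks for 3")
    if len({c.medium for c in copies}) < 2:
        gaps.append("all copies on one kind of medium, the rule asks for 2")
    if not any(c.offsite for c in copies):
        gaps.append("no off-site copy")
    if not any(c.offline for c in copies):
        gaps.append("no offline copy: an attacker on the LAN could encrypt every copy")
    for c in copies:
        if c.last_restore_test is None or c.restore_hours is None:
            stale.append(f"{c.name}: restore never tested or duration not documented")
        elif (today - c.last_restore_test).days > max_test_age_days:
            age = (today - c.last_restore_test).days
            stale.append(f"{c.name}: last restore test {age} days ago")
    return gaps, stale

def worst_case_recovery_hours(copies):
    """Ransomware scenario: assume only offline copies survive. Returns the
    fastest documented restore among them, or None if there is no usable one."""
    times = [c.restore_hours for c in copies if c.offline and c.restore_hours is not None]
    return min(times) if times else None

# Constructed inventory modelled on the article's 12-person trading company:
# office NAS, encrypted cloud off-site, monthly disconnected drive kept off-premises.
# Restore hours = the documented 3 h for data + 6 h for configurations.
TRADING_CO = [
    BackupCopy("office NAS", "nas", False, False, date(2026, 4, 10), 9.0),
    BackupCopy("encrypted cloud", "cloud", True, False, date(2026, 4, 10), 9.0),
    BackupCopy("offline drive", "external-disk", True, True, date(2026, 4, 10), 9.0),
]
AUDIT_DATE = date(2026, 6, 14)  # constructed review date
```

Dropping the offline drive from the inventory is enough for `check_321` to flag the ransomware gap and for `worst_case_recovery_hours` to return None, which is the situation the paragraph above warns about.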
Measure 3 — Updates and the least-privilege principle
Many attacks exploit known vulnerabilities for which a patch already exists. A documented update process, applied first to internet-facing systems (VPN, firewall, servers, online accounting tools), closes these doors at zero incremental cost.
The least-privilege principle means granting each user only the rights strictly necessary for their role. A compromised account does far less damage when its permissions are narrow. Two practical rules: administration accounts must never be used for day-to-day tasks, and departing employees' access rights must be revoked on their last day — a step that is routinely missed during offboarding.
Measure 4 — Phishing awareness
Technology alone is not enough: most intrusions begin with a click or a reply to a deceptive message. Training teams on phishing and its variants (spear-phishing, smishing by SMS, vishing by phone) reduces the risk at source.
Practical exercises — unannounced test phishing campaigns — measure click rates and embed lasting reflexes. The goal is pedagogical: reward good behaviour rather than punish mistakes. A colleague who flags a suspicious message without fear of blame is a security asset.
CEO fraud deserves a separate note: it specifically targets people with payment authority (accountant, CFO, managing director). It uses impersonation of the executive or a supplier to trigger an unauthorised transfer. It constitutes fraud under Article 313-1 of the French Penal Code. The defence is a systematic dual-validation protocol for any wire transfer outside the normal procedure, regardless of amount.
Measure 5 — The incident response plan
The question is not whether an incident will occur, but when. A response plan — even two pages — saves precious time by reducing panic and impulsive decisions.
The plan should answer four questions: who to call first (IT provider, management, bank, insurer)? How to isolate affected systems without destroying evidence? Where are the backups and what are the access credentials? How to communicate with clients and partners during the crisis? It should be accessible outside the IT systems — a printed version in the CEO's office remains the most resilient option.
The complete checklist
| Action | Done? | Designated owner |
|---|---|---|
| MFA enabled on email | To check | |
| MFA enabled on remote access and admin tools | To check | |
| MFA enabled on accounting software and banking | To check | |
| 3-2-1 backups configured including one offline copy | To check | |
| Restore tested and duration documented (quarterly) | To check | |
| Updates applied to internet-facing systems | To check | |
| Access rights restricted; ex-employee accounts revoked | To check | |
| Phishing awareness training run within the past year | To check | |
| Anti-fraud wire transfer protocol in place | To check | |
| Incident response plan written and accessible offline | To check | |
| Emergency IT provider contact identified | To check | |
| GDPR obligations understood (72-hour CNIL notification) | To check | |
NIS2: what SMEs need to know in 2026
The European NIS2 directive (2022/2555) significantly widens the range of entities subject to formal cybersecurity obligations. In France, transposition is expected via a dedicated bill — it had not been definitively enacted into French law at the date this article was published. Public estimates suggest approximately 15,000 to 18,000 entities will be in scope, split between "essential entities" (EE) and "important entities" (EI) depending on size and sector.
ANSSI published the ReCyF reference framework in March 2026 as a guidance tool. The MonEspaceNIS2 portal allows entities to assess their scope and track their obligations. Sanctions will be defined by the French transposition law — no confirmed figures can be provided at this stage.
The key point for an SME: even if you are not directly in the NIS2 perimeter, major customers or principals may impose equivalent security requirements in their contracts. The checklist above constitutes the expected baseline in all cases. For a detailed analysis of the regulatory perimeter, see our article on the NIS2 directive and SME obligations.
The CFO angle: business continuity and financial impact
A cyber incident is first and foremost a financial event. Invoicing frozen, payroll software unavailable, orders that cannot be fulfilled: each day of interruption carries a direct cost. A customer data leak may trigger liability claims. A GDPR breach exposes the company to CNIL sanctions.
Cyber insurance for SMEs addresses this financial exposure. It does not replace technical measures — insurers generally require a minimum security level to cover a claim — but it caps the impact of a residual incident: remediation costs, business interruption, notification to affected individuals, legal assistance. The premium is deductible as an ordinary operating expense.
Business continuity is formalised in a business continuity plan (BCP), which includes cyber risk among the scenarios to prepare for. Even a basic BCP identifies critical processes, minimum resources and acceptable recovery timeframes.
What to do in the first hours of an incident
In the event of a suspected attack or data leak, the first hours are decisive. Four immediate steps: isolate affected machines from the network (unplug the cable or disable Wi-Fi) without switching them off or reformatting, since digital evidence is valuable for remediation and any criminal complaint. Contact your emergency IT provider. Alert management and your insurer. Do not pay a ransom without prior advice.
The cybermalveillance.gouv.fr platform points to referenced remediation providers and complaint-filing procedures. If personal data is involved, notification to the CNIL must occur within 72 hours of becoming aware of the breach (GDPR Art. 33). Your GDPR records of processing document these obligations and support a demonstration of compliance.
For companies using AI agents and back-office automation, the access rights granted to AI tools must follow the same least-privilege principle as for human users.
Our view: what this means for the business owner
Cybersecurity is often seen as an IT cost with no visible return. Our view is different: it is a question of operational resilience and commercial credibility. A business owner who can demonstrate to a major customer that they apply security basics (MFA, backups, awareness training) strengthens their commercial position and simplifies supplier qualification audits. A business owner who can resume operations within six hours of an incident protects cash flow and contractual commitments.
Updated 2026-06-14. This article is for information purposes and does not replace personalised advice. For your specific situation, consult a registered expert-comptable or specialist legal counsel.
Frequently asked questions
What are the essential cybersecurity measures for an SME in 2026?
The five fundamental measures recommended by France's ANSSI are: enable multi-factor authentication (MFA) on email and critical access points, set up 3-2-1 backups including one offline copy, apply updates regularly to internet-facing systems, train teams on phishing, and draft an incident response plan accessible outside the IT systems. These measures block the vast majority of common attacks and are within reach of any organisation without a specialist budget.
Does the NIS2 directive apply to French SMEs, and by when?
The NIS2 directive (2022/2555) is expected to affect approximately 15,000 to 18,000 entities in France, split between essential and important entities by size and sector. Its transposition into French law had not been definitively enacted at the date of publication. ANSSI published the ReCyF framework in March 2026 as a guidance tool. Even outside the NIS2 perimeter, major customers increasingly impose equivalent security requirements in their supplier contracts.
How can an SME protect itself against ransomware?
Ransomware protection rests on three combined pillars: 3-2-1 backups including an offline copy that cannot be encrypted by an attacker, multi-factor authentication to limit account compromise, and regular updates on internet-facing systems to close known flaws. If attacked, isolate the affected machines without switching them off, contact your emergency IT provider, and do not pay a ransom without prior advice. The cybermalveillance.gouv.fr platform points to referenced remediation providers.
Should an SME take out cyber insurance?
Cyber insurance covers remediation costs, business interruption, notification expenses and legal assistance in the event of an incident. It does not replace technical measures: insurers generally require a minimum security level (MFA, backups) to cover a claim. The premium is tax-deductible as an operating expense. Its value is proportional to the company's dependence on its IT systems and the sensitivity of the data it processes.
What should an SME do in the event of a personal data breach?
In the event of a personal data breach (leak, unauthorised access, destruction), GDPR Article 33 generally requires notification to the CNIL within 72 hours of becoming aware of the incident. If the breach poses a high risk to the rights and freedoms of the affected individuals, they must also be informed directly. The GDPR records of processing help document the incident and demonstrate the security measures in place. Failure to notify can aggravate sanctions.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- ANSSI — La cybersécurité pour les TPE/PME en douze questions
- Cybermalveillance.gouv.fr — Bonnes pratiques de sécurité informatique
- EUR-Lex — Directive (UE) 2022/2555 (NIS2)
- CNIL — Notifier une violation de données personnelles (art. 33 RGPD)
- ANSSI — MonEspaceNIS2 : portail d'évaluation du périmètre NIS2
- Legifrance — Article 313-1 du Code pénal (escroquerie / fraude au président)