In late 2025, the communication platform Discord informed its users about a breach in one of its third-party service providers. The provider, 5CA, reviews age-related appeals using government-ID photos submitted by users. Discord reported that information from approximately 70 000 users may have been exposed.
For companies the size of Discord and 5CA, serving millions of customers, cyber threats are an unfortunate reality. Large enterprises operate complex digital infrastructures and handle vast amounts of sensitive data. They also typically have dedicated cybersecurity teams and resources to manage those risks.
Small and medium-sized enterprises (SMEs), however, face a very different reality. Many handle sensitive customer information but cannot afford a dedicated cybersecurity specialist. As cyber threats grow more frequent and sophisticated, how can SMEs protect their data without the resources of large companies?
Do SMEs have small cyber risks?
SMEs represent 99% of all businesses and employ two out of every three workers. They range from the “two people in a garage” stage to offices in downtown high-rise buildings. As these firms grow, there are more digital services and assets to protect, and more responsibilities towards their customers.
Governments across the OECD have introduced policies to strengthen cybersecurity practices among companies. These measures are informed by national and international frameworks that range from voluntary guidelines to enforceable regulations such as the European Union’s NIS2 Directive and the Cyber Resilience Act. International standards developed by organisations such as ISO/IEC, NIST and ETSI also offer structured approaches to implementing security measures. For an SME, this can mean hundreds of pages to read and apply. Just looking at the volume can overwhelm an SME decision maker.
In Europe, and also in countries such as the United States, Singapore and Australia, some rules now favour a risk-based approach over tick-box compliance. International frameworks such as the ISO/IEC 27001 series and the NIST Cybersecurity Framework can help many kinds of organisations manage and demonstrate cybersecurity.
But for a small business, this can still feel overwhelming. The volume of guidance is huge, and many SMEs do not have dedicated staff or budget to devote to the task.
Why does cybersecurity start on day one?
It is normal for organisations to add positions as they grow. An accountant is one of the first critical roles to be filled to keep track of the money coming in and going out. Caretakers for offices and factories often come next, then it’s time for marketing, human resources, IT support, and so on.
So, at what size should a company start investing in cybersecurity?
The answer is, of course, from day one. It is best, and easiest, to build cybersecurity measures in at the design stage, when changing the design costs little; retrofitting them into a running system costs far more.
And what about the many laws, rules and standards surrounding different industries, products and services? Again, these should be considered as early as possible. It is a good idea to start thinking in terms of a risk-based approach at an early stage. It also helps if you understand what parts of your organisation have the biggest value and focus on those first, expanding your scope as the organisation grows.
So when an organisation has five employees, the CEO will most probably also take on the role of the risk manager. As the organisation grows to thirty to fifty employees, this role moves to the IT lead or a dedicated quality manager, and at a hundred employees it already makes sense to hire an information security officer. However, if the SME works on high-risk systems or its products require compliance, it makes sense to hire a CISO even earlier.

Risk management, in essence, consists of defining the scope, then identifying, analysing, evaluating and treating the risks. Often a domain expert is needed to analyse and evaluate the risks. When an organisation is just starting out, AI tools may help teams draw up an initial list of possible risks. The real judgement, however, still has to come from the people who know the business best.
Deciding which risks apply to your organisation and evaluating their specific likelihood and impact is, of course, up to the people who know the assets and processes, as is the decision on how to treat the list. Standards provide lists of mitigation measures.
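The five steps above (scope, identify, analyse, evaluate, treat) are easy to state and easy to skip. The following is an added example, not code from the original article or from any national standard, of a minimal risk register that makes each step explicit for a small firm: the assets, threats, scores and control labels are constructed for illustration, the likelihood × impact scale and the “accept / mitigate / escalate” decision rule are common simplifications of ISO/IEC 27005-style and NIST SP 800-30-style analysis, and the risk appetite value is an assumption the owner would set.

```python
"""Minimal risk register: scope -> identify -> analyse -> evaluate -> treat.

Illustrative only. Asset names, threats, scores and control references are
constructed for this example, not taken from any real organisation or standard.
"""
from dataclasses import dataclass, field

# Qualitative scales (1 = lowest, 5 = highest). The numbers are judgement calls
# that belong to the people who know the business; the code only makes them
# explicit and forces every risk to get one.
SCALE = range(1, 6)


@dataclass
class Risk:
    asset: str                  # what is at stake (defines the scope)
    threat: str                 # what could go wrong (identification)
    likelihood: int             # 1..5
    impact: int                 # 1..5
    controls: list[str] = field(default_factory=list)  # candidate mitigations

    def score(self) -> int:
        """Risk analysis: simple likelihood x impact product (1..25)."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}/{self.threat}: scores must be 1..5")
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Risk evaluation: bucket a score into a rating the business can act on."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment(risk: Risk, appetite: int) -> str:
    """Risk treatment decision against the organisation's risk appetite.

    Above appetite: mitigate if a control is known, otherwise escalate so the
    owner decides on transfer (e.g. insurance) or avoidance. At or below
    appetite: accept, but keep it on the register for periodic review.
    """
    if risk.score() <= appetite:
        return "accept"
    return "mitigate" if risk.controls else "escalate"


def treatment_plan(register: list[Risk], appetite: int) -> list[dict]:
    """Order the register by score (highest first) and attach a decision."""
    plan = []
    for r in sorted(register, key=lambda r: r.score(), reverse=True):
        plan.append({
            "asset": r.asset, "threat": r.threat, "score": r.score(),
            "rating": rating(r.score()), "decision": treatment(r, appetite),
            "controls": r.controls,
        })
    return plan


# Constructed register for a hypothetical five-person SME. Control names are
# illustrative labels, not verbatim clauses of any standard.
EXAMPLE_REGISTER = [
    Risk("customer database", "credential stuffing against admin login", 4, 5,
         ["MFA on admin accounts", "rate limiting"]),
    Risk("laptops", "theft of unencrypted device", 3, 4,
         ["full-disk encryption", "remote wipe"]),
    Risk("website", "defacement via outdated CMS plugin", 3, 2,
         ["patch schedule"]),
    Risk("office printer", "confidential paper left in output tray", 2, 1),
    Risk("payroll provider", "provider breach exposes employee data", 2, 5),
]

if __name__ == "__main__":
    # Assumed risk appetite of 6: anything scoring above 6 needs a decision.
    for row in treatment_plan(EXAMPLE_REGISTER, appetite=6):
        print(f"{row['score']:>2} {row['rating']:<6} {row['decision']:<8} "
              f"{row['asset']}: {row['threat']}")
```

Note the “escalate” outcome for the payroll provider: a supplier-side breach, as in the Discord case above, is a risk the SME cannot patch itself, so the register has to record a contractual or insurance decision rather than a technical control. That is the kind of row an AI-generated first draft can surface but only the owner can decide.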
Moving to risk-based governance in legislation has shown promise: it lets organisations that sit under several overlapping legal instruments comply with all of them through one risk process rather than one checklist per law. Offering smaller organisations leniency in complying with the legislation might be a slippery slope; offering them simplified tools for managing their risks, however, can set them on the path to a complete risk management process and maybe even (cybersecurity) certification.
Tools matter
To support companies in implementing the EU NIS2 Directive and the Cyber Resilience Act, Germany has developed a range of services. These include FITNIS2, a navigator which assesses how a company is affected and creates individual action plans, and the ELITE 2.0 project, a demonstrator platform which gamifies IT attacks and IT security measures to help employees and decision-makers become more aware of typical SME cybersecurity scenarios.
Estonia has a national information security standard E-ITS that offers a catalogue of threats and corresponding mitigation measures that help with risk identification and treatment. The standard is aligned with the ISO/IEC 27001 (Information Security Management System) standard series, so an organisation can get started with the simplified national standard and then move to the more complex one once the business grows or becomes international.
What does this mean for SMEs?
As an SME grows, it must also grow its maturity and start using more complex tools that fit the needs of the organisation. But guidance alone is not enough. Lasting change also depends on company culture, leadership and the right tools to take cyber risks seriously.
Find out more about our work in the D4SME 2025 Policy Highlights and on AI adoption by small and medium-sized enterprises. Dive deeper into related topics: Scaling Up Public Financial and Non-Financial Support for SME Sustainability, and Local employment and economic development.
Liina Kamm is a senior researcher and principal investigator at Cybernetica (a deep-tech SME in Estonia). Her research focuses on privacy enhancing technologies and their uptake, and the privacy and security of AI systems. She holds a PhD degree in computer science from the University of Tartu. She leads the AI security and privacy research team in the Estonian Centre of Excellence in AI (EXAI) and is the chairman of Technical Committee 4 (Information technology) of the Estonian Centre for Standardisation and Accreditation.

