
Cybersecurity for SMEs: phishing, ransomware and MFA in practice

Practical cybersecurity measures for SMEs: endpoint protection, multi-factor authentication and backup. With GDPR art. 32/33 and NIS2 obligations explained.

Quick answer
  • The three biggest cyber threats for SMEs are phishing emails (more than 85% of successful cyberattacks start with one), ransomware (file encryption with ransom demands; indicative recovery costs of tens of thousands of euros per incident) and weak or absent multi-factor authentication (MFA). Starting point: up-to-date endpoint security, MFA on all business accounts and automated backup following the 3-2-1 rule (three copies, two media types, one off-site), with the off-site copy protected so that an attacker who obtains administrator credentials cannot delete it.
  • Free starting point: Microsoft Defender Antivirus (built into every edition of Windows 10/11) and Microsoft Authenticator (free; MFA for Microsoft 365 accounts is included via Entra ID). Paid upgrades: Bitdefender GravityZone Business Security (indicative €35-50/device/year), Acronis Cyber Protect Cloud (indicative €60-90/device/year) or Veeam Backup (indicative €130-200/licence/year for server backup). Prices are indicative; check current rates with the provider.
  • GDPR art. 32 requires appropriate technical and organisational measures (for example encryption, access control and the ability to restore data from backup); art. 33 requires notification of a personal data breach to the supervisory authority within 72 hours where the breach is likely to pose a risk to individuals. NIS2 (Directive (EU) 2022/2555), implemented in the Netherlands as the Cybersecurity Act (Cbw), requires organisations in designated sectors to implement risk management, supply-chain security and incident reporting; suppliers to those organisations are not automatically in scope themselves, but will see the requirements passed down in contracts. Use the NCSC NIS2 self-assessment to check whether NIS2 applies to your business.

Which cyber threats affect SMEs most in 2026?

Phishing, ransomware and weak authentication are the three most common causes of security incidents at SMEs. Phishing emails trick employees into clicking malicious links or entering login credentials on a look-alike page; the NCSC (National Cyber Security Centre) states that more than 85% of successful cyberattacks start with phishing. Ransomware encrypts business files and demands a ransom; total recovery costs (data loss, downtime, IT forensic investigation) typically exceed the ransom amount by a wide margin, and most operators now also steal data before encrypting so they can threaten publication. Weak authentication, such as reused passwords without MFA, makes credential-stuffing attacks effective: automated tools replay username and password pairs from earlier leaks against business accounts, usually a few attempts per account spread across many accounts, which is why a per-account lockout on its own does not stop them. Microsoft reports that MFA blocks more than 99% of automated account-takeover attempts. For every SME, three basic measures are the starting point: up-to-date endpoint security, MFA on email and cloud accounts, and automated backup with at least one copy kept offline or in immutable storage, because ransomware operators routinely delete every backup they can reach with the credentials they have captured.
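Detection logic for the credential-stuffing pattern described above, as an added example (not code from the page, the NCSC or Microsoft). It runs over a handful of constructed sign-in log lines in a hypothetical space-separated format; the 10-minute window and the five-account threshold are illustrative values to be tuned against your own sign-in volume. It goes one step beyond the paragraph: it separates stuffing (many accounts from one source, few attempts each) from a single-account brute force, which a naive failed-login counter would conflate.

```python
"""Credential-stuffing detection over sign-in logs.

Added example; not code from the page or from any vendor named on it. The log lines are
constructed, in a hypothetical format: '<UTC timestamp> <source IP> <account> <FAIL|SUCCESS>'.
Stuffing differs from brute force in breadth rather than depth: one source tries many
different accounts a few times each, so a per-account lockout never triggers. A SUCCESS
inside such a burst is the account most likely taken over and is reported separately.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one stuffing burst, one single-account brute force, normal office traffic.
SAMPLE_LOG = """\
2026-03-02T08:00:01Z 203.0.113.7 alice@example.com FAIL
2026-03-02T08:00:03Z 203.0.113.7 bob@example.com FAIL
2026-03-02T08:00:04Z 203.0.113.7 carol@example.com FAIL
2026-03-02T08:00:06Z 203.0.113.7 dave@example.com FAIL
2026-03-02T08:00:07Z 203.0.113.7 erin@example.com SUCCESS
2026-03-02T08:00:09Z 203.0.113.7 frank@example.com FAIL
2026-03-02T08:00:11Z 203.0.113.7 grace@example.com FAIL
2026-03-02T08:10:00Z 198.51.100.9 alice@example.com FAIL
2026-03-02T08:10:20Z 198.51.100.9 alice@example.com FAIL
2026-03-02T08:10:40Z 198.51.100.9 alice@example.com FAIL
2026-03-02T08:11:00Z 198.51.100.9 alice@example.com SUCCESS
2026-03-02T09:30:00Z 192.0.2.44 bob@example.com FAIL
2026-03-02T09:30:15Z 192.0.2.44 bob@example.com SUCCESS
2026-03-02T09:31:00Z 192.0.2.44 carol@example.com SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return one alert per source IP that failed against at least min_accounts distinct
    accounts inside any sliding window of the given length. Thresholds are illustrative."""
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event[1]].append(event)

    alerts = []
    for ip, ip_events in by_ip.items():
        best = None
        start = 0
        for end in range(len(ip_events)):
            # Slide the window start forward so the span never exceeds the window length.
            while ip_events[end][0] - ip_events[start][0] > window:
                start += 1
            span = ip_events[start:end + 1]
            failed = {acct for _, _, acct, outcome in span if outcome == "FAIL"}
            if len(failed) >= min_accounts and (
                best is None or len(failed) > best["distinct_failed_accounts"]
            ):
                best = {
                    "ip": ip,
                    "window_start": span[0][0].isoformat(),
                    "distinct_failed_accounts": len(failed),
                    # Successes inside the burst: the accounts to lock and re-credential first.
                    "likely_compromised": sorted(
                        {acct for _, _, acct, outcome in span if outcome == "SUCCESS"}
                    ),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

On the sample, only 203.0.113.7 is flagged (six distinct accounts in ten seconds, with erin@example.com as the account that let the attacker in); the repeated failures against alice@example.com from 198.51.100.9 are a brute force on one account and belong to a per-account lockout rule instead. In production the same logic runs over the sign-in export of Microsoft 365 or Google Workspace, and any "likely_compromised" account gets its sessions revoked and password reset before the attacker adds their own MFA method.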

Tool overview

Cybersecurity tools for SMEs: endpoint, MFA and backup 2026

Prices are indicative (excl. VAT). Exact pricing depends on the number of devices, users and modules selected. Check current rates with the provider.

Microsoft Defender + Entra ID MFA

Microsoft Defender for Business (included with Microsoft 365 Business Premium, or standalone at an indicative €3/user/month) adds endpoint detection and response (EDR), attack-surface reduction rules and central management on top of Microsoft Defender Antivirus, which is built into every edition of Windows 10/11. Microsoft Entra ID (formerly Azure AD) delivers MFA via the Microsoft Authenticator app at no extra licence cost for Microsoft 365 subscribers: the free tier's security defaults enforce MFA for all users, and conditional access (Entra ID P1, included in Business Premium) lets you require MFA per application, location or device state. For SMEs already using Microsoft 365, this is the most cost-effective starting point for endpoint security and MFA. EU AI Act art. 4 (AI literacy) applies to organisations deploying Defender's AI-driven detection features. GDPR DPA available via Microsoft.

Bitdefender GravityZone Business Security

Bitdefender GravityZone Business Security (Bitdefender, Bucharest, Romania; EU-based) provides centralised endpoint protection for workstations and servers via a cloud-based management console. Features: antivirus, an anti-ransomware layer that keeps copies of files a suspicious process begins to modify so they can be restored afterwards, email security and patch management. Price: indicative €35-50/device/year for the Business Security tier; check current rates at bitdefender.com. GravityZone processes metadata on EU servers; GDPR DPA available. EU AI Act art. 4 (AI literacy) applies to organisations deploying its AI-based detection. Suitable for SMEs with 5 to 250 devices, all managed from a single cloud dashboard.

Acronis Cyber Protect Cloud

Acronis Cyber Protect Cloud (Acronis, Schaffhausen, Switzerland; EU data centres available) combines backup, antivirus and cyber protection in an integrated platform. Features: disk-image backup, file-level backup, anti-ransomware protection, vulnerability assessment and patch management. Price: indicative €60-90/device/year for the standard backup+protection bundle; check acronis.com for current rates. Acronis provides a GDPR DPA for EU customers. The 3-2-1 rule (three copies, two media types, one off-site) is straightforward to configure via replication to Acronis cloud storage; enable the immutable storage option for that cloud copy so a compromised administrator account cannot delete it within the retention period. EU AI Act art. 4 (AI literacy) applies to organisations deploying its AI-driven anomaly detection in backup management.

Veeam Backup & Replication

Veeam Backup & Replication (Veeam Software, owned by Insight Partners; EU data centres available) is one of the most widely used server backup products among SMEs and mid-market companies. Features: VM backup (VMware vSphere, Hyper-V), physical server backup, cloud backup to Azure Blob, AWS S3 or your own S3-compatible storage, and file-level recovery. Price: indicative €130-200/licence/year for the Veeam Backup Essentials bundle (up to 6 server instances); check veeam.com for current rates. Veeam provides a GDPR DPA. Best suited for SMEs with on-premise or hybrid server infrastructure; make at least one repository immutable (a hardened Linux repository or S3 Object Lock), since that is what keeps the off-site copy intact when a ransomware operator holds backup-administrator credentials. Consider Acronis if a combined backup+endpoint security bundle is preferred.

GDPR + NIS2

Cybersecurity obligations: GDPR art. 32/33 and NIS2 for SMEs

GDPR art. 32 requires every organisation processing personal data to implement technical and organisational measures appropriate to the risk; the article itself names encryption and pseudonymisation, the ability to restore availability of and access to data after an incident, and regular testing of the measures taken. In practice that means encryption of data at rest and in transit, access control on a need-to-know basis and a backup plan that is actually tested. Conclude a Data Processing Agreement (GDPR art. 28) with every cybersecurity provider that processes personal data on your behalf. In the event of a personal data breach that is likely to pose a risk to individuals, you must notify your supervisory authority within 72 hours of becoming aware of it (GDPR art. 33; the AP in the Netherlands); if the breach poses a high risk to individuals, you must also inform them without undue delay (art. 34). The AP can impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. NIS2 (Directive (EU) 2022/2555), implemented in the Netherlands as the Cybersecurity Act (Cbw), requires organisations in designated sectors including energy, water, transport, digital infrastructure and healthcare to carry out risk assessments, secure their supply chains, report significant incidents and have their security measures audited. In general only medium-sized and larger organisations in those sectors are in scope (roughly: 50 or more staff, or more than €10 million in both annual turnover and balance sheet total), with exceptions for certain critical providers. SMEs below that threshold are not in scope themselves, but as a supplier to a designated entity they will increasingly find NIS2 requirements (security baselines, incident notification, audit rights) written into their contracts. Use the NCSC NIS2 self-assessment (available via ncsc.nl) to determine whether NIS2 applies to your organisation. EU AI Act art. 4 (AI literacy) applies to organisations that deploy AI-driven security solutions such as anomaly detection or an AI-based firewall.

Frequently asked questions

Frequently asked questions about cybersecurity for SMEs

What are the biggest cyber threats for SMEs in 2026?
The three biggest cyber threats for SMEs are phishing emails (more than 85% of successful attacks start with phishing), ransomware (file encryption with ransom demands) and weak or absent multi-factor authentication (MFA). Additional threats include business email compromise (BEC: fraudulent invoices or payment requests), credential stuffing (automated use of leaked passwords) and vulnerabilities in unpatched software. Basic protection: keep endpoint security up to date, enable MFA on all business accounts and regularly test your backups.
Is MFA mandatory for SMEs?
MFA is not explicitly required by law for every SME, but GDPR art. 32 requires technical measures appropriate to the risk, and the Dutch data protection authority (AP) and the Authority for the Financial Markets (AFM) treat MFA as an appropriate measure for access to systems containing personal data. For organisations in NIS2 sectors, MFA is an expected minimum measure within NIS2 risk management. Practical advice: enable MFA on business email (Microsoft 365, Google Workspace), cloud storage, remote access (VPN, RDP) and accounting software, and prefer the Authenticator app with number matching or a FIDO2 security key/passkey over SMS codes: SMS can be intercepted or obtained through SIM swapping, and plain push approvals are vulnerable to approval fatigue and real-time phishing proxies. Setup typically takes less than 30 minutes per account.
How does the 3-2-1 backup rule work?
The 3-2-1 rule is a backup strategy: three copies of your data on two different media types, with one copy stored off-site. In practice: primary data at your workplace (copy 1), a local backup on a NAS or external drive (copy 2, a different medium) and a cloud backup with Acronis, Veeam, Azure Backup or Backblaze B2 (copy 3, off-site). The off-site copy is what saves you in ransomware, theft or fire scenarios, but only if it cannot be deleted with the credentials an attacker obtains by taking over your domain or backup server: use a separate account, immutable (object-lock) storage or an offline rotation for that copy. Test your backup recovery at least quarterly by actually restoring files to a separate system and comparing them with the originals, as an untested backup provides no guarantee. Backup software with automatic verification (Acronis Cyber Protect, Veeam) detects restore failures proactively, but a scheduled restore test remains the real proof.
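The 3-2-1 copies and the restore test, as an added example in Python (not code from the page or from Acronis, Veeam or any other vendor): it stands in for the three media with three directories under a temporary folder, records a manifest of SHA-256 digests at backup time, replicates the archive to the "NAS" and "off-site" targets with a byte-level check, and then proves the off-site copy by restoring it into scratch space and diffing against the manifest. The directory names, file contents and the deliberately incomplete second backup are constructed for the demo; a real deployment points the targets at a NAS path and object storage and keeps the manifest with the backup job record.

```python
"""3-2-1 backup with a restore test.

Added example; not code from the page or from any backup vendor. Three directories under one
temporary folder stand in for the three copies: the primary data, a local second copy (a NAS
in practice) and an off-site copy (object storage in practice). The restore test unpacks the
off-site copy into scratch space and compares SHA-256 digests against a manifest taken from
the primary at backup time. Standard library only.
"""
import hashlib
import shutil
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source, archive_path, exclude=()):
    """Write a gzip tarball of source and return the manifest of what went into it.
    'exclude' exists only so the demo can simulate an incomplete backup job."""
    source = Path(source)
    manifest = {rel: digest for rel, digest in sha256_tree(source).items() if rel not in exclude}
    Path(archive_path).parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for rel in manifest:  # add files one by one so members carry plain relative paths
            tar.add(str(source / rel), arcname=rel)
    return manifest


def replicate(archive_path, *targets):
    """Copy the archive to each target directory and verify every copy by digest."""
    archive_path = Path(archive_path)
    expected = hashlib.sha256(archive_path.read_bytes()).hexdigest()
    copies = []
    for target in targets:
        target = Path(target)
        target.mkdir(parents=True, exist_ok=True)
        dest = target / archive_path.name
        shutil.copy2(archive_path, dest)
        if hashlib.sha256(dest.read_bytes()).hexdigest() != expected:
            raise RuntimeError(f"copy to {target} does not match the source archive")
        copies.append(dest)
    return copies


def restore_test(archive_path, manifest):
    """Restore into scratch space and diff against the manifest. Returns (ok, problems)."""
    # Python 3.12 and the security backports reject '..' and absolute members with the data filter.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                tar.extractall(scratch, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]  # a corrupt copy is a failed test, not a crash
        restored = sha256_tree(scratch)
    problems = sorted(
        rel for rel in set(manifest) | set(restored) if manifest.get(rel) != restored.get(rel)
    )
    return not problems, problems


def run_321_demo():
    """Build constructed sample data, take the three copies, then run two restore tests."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        primary = base / "primary"
        (primary / "invoices").mkdir(parents=True)
        (primary / "invoices" / "2026-001.txt").write_text("constructed sample invoice\n")
        (primary / "customers.csv").write_text("id,name\n1,Example BV\n")

        # Copy 1 is the primary; the archive is replicated to copy 2 (local) and copy 3 (off-site).
        archive = base / "staging" / "backup.tar.gz"
        manifest = create_backup(primary, archive)
        _local_copy, offsite_copy = replicate(archive, base / "nas", base / "offsite")
        full_ok, full_problems = restore_test(offsite_copy, manifest)

        # An incomplete backup job (customers.csv never made it in) must fail the same test.
        partial = base / "staging" / "partial.tar.gz"
        create_backup(primary, partial, exclude=("customers.csv",))
        partial_ok, partial_problems = restore_test(partial, manifest)
        return {
            "full_restore_ok": full_ok, "full_problems": full_problems,
            "partial_restore_ok": partial_ok, "partial_problems": partial_problems,
        }


if __name__ == "__main__":
    print(run_321_demo())
```

Run the file directly to print both results: the complete off-site copy restores cleanly, and the incomplete job is reported as failing with customers.csv missing, which is exactly the kind of silent gap a quarterly restore test is meant to catch before a ransomware incident does. The manifest is the part most home-grown scripts skip; without a digest list taken at backup time there is nothing to compare a restore against.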
When must I report a data breach to the supervisory authority?
You must report a personal data breach to your supervisory authority (the AP in the Netherlands) within 72 hours of becoming aware of it if the breach is likely to result in a risk to the rights and freedoms of individuals (GDPR art. 33); if you report later than that, you must explain the delay. You must also notify the individuals concerned if the breach poses a high risk to them (art. 34). Examples requiring notification: unencrypted customer data exposed or exfiltrated in a ransomware attack, subscriber email addresses disclosed, or employee login credentials compromised. Usually not notifiable: an accidentally deleted file that is restored from backup without loss of availability and without disclosure to any third party. Keep an internal register of all personal data breaches, including those you decide not to report, recording the facts, the effects and the remedial action taken (GDPR art. 33(5)); the AP can ask to see it. Report via autoriteitpersoonsgegevens.nl.
What is the difference between NIS2 and the GDPR for cybersecurity?
The GDPR protects personal data and requires appropriate technical measures (art. 32) and breach notification (art. 33). NIS2 (Directive (EU) 2022/2555, Netherlands: Cybersecurity Act) addresses the resilience of network and information systems in critical sectors such as energy, water, transport, digital infrastructure and healthcare. NIS2 requires risk assessment, supply-chain security, incident reporting and security audits, and makes management bodies personally accountable for approving and overseeing the measures. The overlap: both require technical security measures and incident reporting. The differences: NIS2 covers operational continuity rather than only personal data, applies only to entities in designated sectors, and carries its own penalty regime (up to €10 million or 2% of global annual turnover for essential entities, up to €7 million or 1.4% for important entities), whereas GDPR fines go up to €20 million or 4%. Check via ncsc.nl whether your business or supply chain falls under NIS2.

Cybersecurity audit or implementation for your business?

We assess your current security posture, implement endpoint protection, MFA and backup solutions, and set up Data Processing Agreements in line with GDPR art. 28.

Book my free call →

Free · reply within one working day · fixed price, no surprises