There is a dangerous myth circulating among SME owners: "My company is too small to be a target for hackers." The reality is exactly the opposite. According to Verizon data, 43% of cyberattacks target small and medium-sized enterprises -- precisely because attackers know these companies have fewer protections. And the figures in Portugal are alarming: the National Cybersecurity Centre recorded a 26% increase in reported incidents in 2025, with SMEs as the primary target. The average cost of an attack for a Portuguese company of this size? Between €25,000 and €120,000 -- an amount that, for many, represents the difference between survival and closing down.
The Most Common Attacks Against SMEs in Portugal
Cybercriminals targeting SMEs do not, as a rule, use sophisticated techniques. They do not need to. Most companies have vulnerabilities so basic that exploiting the path of least resistance suffices. The most frequent attacks we observe in the Portuguese market are:
Phishing and Spear Phishing. By far the most common attack vector. An email that appears to come from CTT, the Tax Authority, the bank or a known supplier. The employee clicks the link, enters credentials or downloads a file -- and the attacker gains access to the network. Phishing is responsible for over 80% of security breaches in SMEs. In Portugal, phishing campaigns are particularly sophisticated because they use local references -- fake Social Security emails, GNR fine notifications, invoices from Portuguese telecoms operators. This makes identification far more difficult for employees without security training.
Ransomware. The attacker encrypts all the company's files and demands a ransom -- typically between €5,000 and €50,000 in cryptocurrency -- to restore access. Even if the ransom is paid, there is no guarantee of recovery. And even if data is recovered, the cost of downtime can be devastating. An SME with 20 employees that goes down for 5 days loses, on average, between €15,000 and €40,000 in productivity, in addition to reputational damage.
Business Email Compromise (BEC). The attacker compromises or spoofs the email account of a manager or CFO and sends instructions for bank transfers to authorised employees. This type of attack is particularly insidious because it does not depend on technology -- it depends on social engineering and hierarchical trust within the company. In Portugal, BEC cases have been recorded with losses exceeding €100,000 in a single transaction.
Supply Chain Attacks. The attacker does not target your company directly -- they target a software or service provider your company uses. When the supplier is compromised, every company using their services is exposed. This type of attack is growing sharply and is particularly difficult to prevent.
The 5 Essential Protections Every SME Needs
The good news is that the majority of attacks can be prevented with relatively simple and affordable measures. A multinational-sized budget is not necessary to maintain a robust security posture. These are the five protections we consider absolutely essential:
1. Multi-Factor Authentication (MFA) on Everything
If we could choose only one security measure to implement in an SME, this would be it. Multi-factor authentication adds a second layer of verification -- usually a code on a mobile device or a physical key -- beyond the password. According to Microsoft, MFA blocks 99.9% of account compromise attacks. It is free on most services (Google Workspace, Microsoft 365, social networks, online banking) and takes less than 10 minutes to configure per user. There is no excuse for not having it active.
2. Automatic Backups with the 3-2-1 Rule
The 3-2-1 rule is simple: 3 copies of your data, on 2 different types of storage, with 1 copy offsite. Backups must be automatic -- never dependent on someone remembering to do them -- and must be tested regularly. There is no point having backups if, at the moment of disaster, you discover they are corrupted or incomplete. We recommend quarterly restore tests, at a minimum.
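The 3-2-1 check and the restore test described above, as an added example that is not part of the original article: it builds a small constructed dataset in a temporary directory, makes three copies (two storage types, one marked offsite), silently corrupts one of them, and then verifies each copy by restoring it and comparing file hashes against a manifest taken at backup time. The copy names, media labels and the BackupCopy structure are assumptions of this example.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BackupCopy:
    name: str
    path: Path
    medium: str      # storage type, e.g. "disk", "removable", "object-storage"
    offsite: bool    # physically or logically separate from the office network


def sha256_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under root; taken from the live data
    at backup time and used later to prove a restore is complete and intact."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_321(copies: list) -> list:
    """Return the 3-2-1 rules the set of copies violates (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies on the same storage type, need 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def restore_test(copy: BackupCopy, manifest: dict, scratch: Path) -> list:
    """Restore the copy into a scratch area and return the files that are missing
    or whose content differs from the manifest taken at backup time."""
    target = scratch / copy.name
    shutil.copytree(copy.path, target)
    restored = sha256_manifest(target)
    return [rel for rel, digest in manifest.items() if restored.get(rel) != digest]


def run_demo() -> dict:
    """Build a constructed dataset and three copies, silently corrupt one, then
    run the policy check and a restore test against every copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "faturas").mkdir(parents=True)
        (source / "clientes.csv").write_text("id,nome\n1,Exemplo Lda\n")
        (source / "faturas" / "2025-01.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        manifest = sha256_manifest(source)

        copies = []
        for name, medium, offsite in [("nas-local", "disk", False),
                                      ("disco-usb", "removable", False),
                                      ("cloud", "object-storage", True)]:
            shutil.copytree(source, base / name)
            copies.append(BackupCopy(name, base / name, medium, offsite))

        # Silent corruption of the USB copy: exactly the failure a quarterly
        # restore test is meant to catch before the day the backup is needed.
        (base / "disco-usb" / "clientes.csv").write_text("id,nome\n1,Ex")

        return {
            "policy_problems": check_321(copies),
            "restore_failures": {c.name: restore_test(c, manifest, base / "restore")
                                 for c in copies},
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that the policy check passes while the restore test still finds a damaged file: having three copies says nothing about whether any of them can actually be restored, which is why the two checks are separate and both belong in the quarterly routine.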
3. Continuous Team Training
Technology alone does not solve the problem. The human factor is the weakest link in any security chain. Investing in regular training -- not a single annual 2-hour session, but monthly micro-trainings with phishing simulations -- dramatically reduces the likelihood of an employee clicking the wrong link. The most effective programs include simulated phishing tests, where fake emails are sent to the team to measure click rates and identify who needs additional training.
4. Automatic Updates and Patches
It sounds basic -- and it is. But the number of SMEs operating with outdated operating systems, WordPress plugins that have not been updated in 3 years, and management software on versions with known vulnerabilities is alarming. Every uninstalled update is an open door for attackers. The largest ransomware attacks in history -- WannaCry, NotPetya -- exploited vulnerabilities for which patches were already available. The affected companies simply had not installed them.
The solution: configure automatic updates on all devices and systems, and implement a patch management policy that ensures no critical software remains unpatched for more than 48 hours.
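One way to check the 48-hour policy against an inventory, as an added example that is not code from the original article: the script takes rows in the shape a patch-management or vulnerability-scanner export might have (host, package, installed and available version, severity, date the fix was published), applies a per-severity deadline, and lists what is overdue, most urgent first. The inventory rows, host names and the deadlines for "high" and "medium" are constructed values for this example; only the 48-hour critical limit comes from the article.

```python
from datetime import datetime, timedelta

# Maximum time a known fix may stay uninstalled, by severity. The 48-hour limit
# for critical patches is the policy stated in the article; the other two are
# assumed values for this example.
SLA = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
}

# Constructed inventory: one row per (host, package) with the installed and the
# latest available version and when the fix was published.
INVENTORY = [
    {"host": "srv-contabilidade", "package": "openssl", "installed": "3.0.13",
     "available": "3.0.15", "severity": "critical", "released": "2025-03-01T09:00:00Z"},
    {"host": "web-01", "package": "wp-plugin-forms", "installed": "2.1.0",
     "available": "2.1.0", "severity": "high", "released": "2025-02-20T00:00:00Z"},
    {"host": "pc-marketing-03", "package": "browser", "installed": "122.0",
     "available": "123.0", "severity": "critical", "released": "2025-03-03T12:00:00Z"},
    {"host": "srv-ficheiros", "package": "samba", "installed": "4.19.3",
     "available": "4.19.5", "severity": "medium", "released": "2025-02-01T00:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """ISO-8601 timestamp with a trailing Z to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def overdue_patches(inventory: list, now: datetime, sla: dict = SLA) -> list:
    """Rows whose fix has been available longer than the deadline for its severity,
    most urgent first (critical before anything else, then by hours overdue)."""
    overdue = []
    for row in inventory:
        if row["installed"] == row["available"]:
            continue  # already on the fixed version
        limit = sla.get(row["severity"])
        if limit is None:
            continue  # no policy for this severity (e.g. "low")
        age = now - parse_ts(row["released"])
        if age > limit:
            overdue.append({
                "host": row["host"],
                "package": row["package"],
                "severity": row["severity"],
                "hours_overdue": round((age - limit).total_seconds() / 3600, 1),
            })
    return sorted(overdue, key=lambda r: (r["severity"] != "critical", -r["hours_overdue"]))


def compliance_summary(inventory: list, now: datetime) -> dict:
    """Counts a management report would show: pending fixes and how many breach SLA."""
    pending = [r for r in inventory if r["installed"] != r["available"]]
    overdue = overdue_patches(inventory, now)
    return {"pending": len(pending), "overdue": len(overdue),
            "critical_overdue": sum(1 for r in overdue if r["severity"] == "critical")}


if __name__ == "__main__":
    now = parse_ts("2025-03-04T12:00:00Z")   # fixed "now" so the run is reproducible
    for row in overdue_patches(INVENTORY, now):
        print(row)
    print(compliance_summary(INVENTORY, now))
```

Run daily against the real export, this is the check that turns "no critical software unpatched for more than 48 hours" from a sentence in a policy into something someone is actually accountable for.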
5. Network Segmentation and the Principle of Least Privilege
Not every employee needs access to every system. The principle of least privilege dictates that each person should have only the minimum access necessary to perform their role. If the marketing intern does not need access to the accounting system, they should not have it. If the accountant does not need administrator permissions on the server, they should not have them. Network segmentation complements this approach -- if an attacker compromises a device in the marketing department, they should not be able to access the financial systems.
GDPR: Cybersecurity Is a Legal Obligation
Since 2018, the General Data Protection Regulation (GDPR) requires companies to protect the personal data they process. This is not a recommendation -- it is a legal obligation with serious consequences. Fines can reach 4% of annual turnover or €20 million, whichever is greater.
For a Portuguese SME, the most relevant aspects of GDPR regarding cybersecurity include:
• Obligation to notify data breaches. If a security breach affecting personal data occurs, the company has 72 hours to notify the CNPD (National Data Protection Commission). Failure to comply with this obligation alone can result in significant fines.
• Appropriate technical and organisational measures. The GDPR requires companies to implement security measures proportional to the risk. For an SME processing health, financial or children's data, the level of protection required is particularly high.
• Impact assessments. For high-risk data processing, a Data Protection Impact Assessment (DPIA) is mandatory, which must include a security risk analysis and the mitigation measures implemented.
• Demonstrable accountability. It is not enough to be secure -- you must be able to demonstrate it. Documentation of security policies, training records, access logs and audit reports are essential to prove compliance in the event of an inspection.
How to Build an Incident Response Plan
The question is not whether your company will suffer a security incident -- it is when. And the difference between a minor incident and a catastrophe almost always lies in prior preparation. An Incident Response Plan (IRP) is a document that defines exactly what to do when something goes wrong. It should include:
Response team and contacts. Who does what? Who makes decisions? Who contacts the authorities? Who communicates with customers? Having these responsibilities defined before an incident avoids the chaos and paralysis that typically accompany a crisis.
Containment procedures. The first minutes after detecting an incident are critical. The plan must include clear procedures for isolating compromised systems, preserving evidence and preventing the attack from spreading. This may include disconnecting devices from the network, blocking compromised accounts and activating failover mechanisms.
Internal and external communication. Communication during an incident must be coordinated and controlled. Internal communications to the team, notification of affected customers, communication with the CNPD (where applicable) and, if necessary, media communication should follow pre-approved templates.
Recovery and lessons learnt. After containing the incident, the focus shifts to recovery -- restoring systems, verifying data integrity and resuming normal operations. Equally important is the post-incident analysis: what happened, why, how it was handled and what can be improved for the future.
The Cost of NOT Protecting Your Business
Many business owners view cybersecurity as a cost. In reality, it is an investment -- and the cost of not making it is brutally higher. Consider the following scenarios:
• Direct cost of a ransomware attack: Ransom (if paid) + recovery costs + lost productivity during downtime. For an SME with 15 employees, we estimate between €30,000 and €80,000.
• GDPR fines: A data breach with late or absent notification can result in fines of tens of thousands of euros, even for an SME.
• Customer loss: Studies indicate that 60% of consumers would stop doing business with a company that suffered a data breach. For B2B businesses, the loss of trust can mean cancelled contracts that took years to build.
• Reputational damage: In the age of social media, a data breach becomes news rapidly. Reputation recovery can take years and cost far more than the incident itself.
Compare these figures with the investment in protection: a robust cybersecurity strategy for an SME with 10 to 50 employees typically costs between €200 and €800 per month -- including monitoring, training, backups and support. It is, quite literally, a fraction of the cost of a single incident.
Conclusion: Security Is Not Optional
Cybersecurity has ceased to be a topic exclusive to large enterprises with dedicated IT departments. Today, it is a fundamental necessity for any business operating in the digital environment -- that is, for virtually every company. Portuguese SMEs are particularly exposed because they combine two risk factors: growing digital dependency with a level of protection that, in most cases, is insufficient.
The good news is that an astronomical investment is not required to drastically improve your company's security posture. The five measures we described -- MFA, backups, training, updates and segmentation -- cover the vast majority of attack vectors and can be implemented in weeks, not months. The first step is to recognise that the risk exists and that your company, regardless of its size, is a target. The second step is to act before it is too late.