
Cybersecurity & GDPR audit for SMEs

By Dr Ir Hüseyin Cakmak
#cybersecurity #gdpr #audit #compliance #dpa #sme #ransomware

The Belgian Data Protection Authority (DPA) has significantly increased its enforcement activity in recent years. SMEs are no longer exempt: several recent investigations have targeted companies with fewer than 50 employees, with fines reaching tens of thousands of euros for technical shortcomings deemed avoidable.

The good news: most gaps identified during DPA inspections are detectable — and correctable — before an incident occurs. A structured cybersecurity audit is your first line of defence.

Why your SME is a target

Many business owners assume that cyberattacks only target large enterprises. The Belgian reality is the opposite: SMEs are attacked precisely because they are perceived as less well protected. According to reports from ENISA, the European cybersecurity agency, the majority of recorded incidents affect small and medium-sized organisations.

The two dominant threats for a Belgian SME are:

  • Ransomware: malware encrypts all your files and demands a ransom, often in cryptocurrency. The resulting downtime typically lasts from several days to several weeks, and the total cost (business interruption, restoration, notification) far exceeds the ransom amount itself.
  • Phishing: a fraudulent email pushes an employee to disclose their credentials or run a malicious attachment. It is the most common entry vector — the vast majority of intrusions begin with a single click.

Both threats share a common trait: they exploit the human element as much as the technical one. That is why a serious audit never stops at firewalls and antivirus software.

What the DPA actually inspects

Contrary to a common misconception, the DPA does not focus solely on privacy policies and consent forms. Technical inspections cover areas including:

  • Access management: who can access which data, with what privileges, and is this documented?
  • Encryption: are personal data encrypted at rest and in transit?
  • Traceability: do you maintain logs that allow you to trace who accessed what and when?
  • Subprocessor management: have you signed DPAs (Data Processing Agreements) with all service providers that process data on your behalf?
  • Data breach procedure: are you able to notify the DPA within 72 hours of detecting an incident?

Several of these points depend directly on how your network is designed: clean segmentation, an isolated guest Wi-Fi and documented firewall rules make a considerable difference during an inspection. We detail these foundations in our article on network infrastructure for SMEs.

These requirements are drawn directly from Article 32 of the GDPR, which mandates "appropriate technical and organisational measures" — a deliberately broad formulation that leaves room for interpretation, but one that regulators assess against recognised standards such as ISO 27001 and the CIS Controls.

The five most common gaps in Belgian SMEs

1. Password and authentication management

The majority of SMEs we audit still use shared passwords for critical access points (servers, line-of-business applications, admin email accounts). The absence of MFA (multi-factor authentication) on remote access is the most commonly sanctioned shortcoming.

Priority fix: deploy MFA on Microsoft 365 / Azure AD, VPN, and all RDP or SSH access exposed to the internet.

2. Lack of network segmentation

Do your production servers, user workstations and IoT devices (printers, cameras, access control systems) share the same network segment? A compromised printer can serve as an entry point to your data servers. VLAN segmentation is a baseline measure that remains absent at a large share of the SMEs we assess.

3. Untested backups

Having backups is necessary but insufficient. The DPA and cyber insurers require regular, documented restore tests. We routinely encounter backups that have been silently failing for weeks, discovered only during an actual incident.

4. Non-existent personal data inventory

You cannot protect what you do not know you process. The processing register (Article 30 GDPR) is mandatory for any organisation with more than 250 employees, but strongly recommended for all SMEs. It must cover: what data, for what purpose, with what retention period, which recipients.

5. No incident response procedure

In the event of ransomware or a data breach, who in your organisation is responsible for what? What are the emergency contacts? What is the procedure for notifying the DPA? Without a documented process, reaction time stretches out and communication errors compound the impact.

The 72-hour breach notification obligation

This is one of the most misunderstood GDPR requirements among SMEs. Article 33 requires that, in the event of a personal data breach, the data controller notify the DPA (Data Protection Authority) within 72 hours of becoming aware of it — unless the breach is unlikely to result in a risk to the individuals concerned.

Three practical points follow from this:

  1. The clock starts at detection, not at the incident. Hence the importance of logs and monitoring capable of detecting a compromise quickly.
  2. Notification can be phased. If you do not have all the information within 72 hours, you may submit an initial partial report and complete it later. But silence is not an option.
  3. The affected individuals must also be informed when the risk to their rights and freedoms is high (stolen credentials, health data, financial data).

In practice, an SME should prepare in advance a notification template, a contact list (management, DPO if any, IT provider, lawyer) and a backup communication channel independent of the systems that may be encrypted. This is exactly what an incident response plan documents.

The penetration test (pentest): what does it actually cover?

A penetration test simulates a real attack in a controlled setting, in order to uncover weaknesses before an attacker does. For an SME, a targeted pentest typically covers:

  • The external surface: internet-exposed services (VPN, RDP, web portals, email), looking for weak configurations and vulnerable passwords.
  • The internal surface: what an attacker — or a workstation compromised through phishing — can reach once inside the network (lateral movement, privilege escalation).
  • Line-of-business web applications, where you run them.

A pentest differs from a simple vulnerability scan, which merely inventories known flaws: the pentest actually attempts to exploit them to measure the real impact. The two are complementary: the scan runs continuously, the pentest once or twice a year and after any major change.

The fundamentals: MFA, SSO and access management

The vast majority of intrusions exploit stolen or weak credentials. Three measures reduce this risk dramatically:

  • MFA (multi-factor authentication): even if a password is stolen, the attacker is blocked without the second factor. To be deployed first on email, VPN and administrator access.
  • SSO (single sign-on): centralising logins through an identity provider (Microsoft Entra ID, for example) reduces the number of passwords, simplifies the immediate revocation of access for a departing employee, and makes auditing easier.
  • Principle of least privilege: each user should have only the rights strictly necessary for their role. Permanent administrator accounts should be avoided in favour of temporary, traced access.

These fundamentals rest on a healthy network infrastructure; to keep them current over time, an IT support and maintenance contract ensures that patches, backups and access rights stay up to date month after month.

The human factor: train your teams

No technology compensates for a poorly informed employee. Since phishing remains the primary attack vector, employee awareness is one of the most cost-effective investments you can make:

  • Short, regular training sessions rather than an annual course forgotten the next day.
  • Simulated phishing campaigns to measure your teams' real-world reflexes and target follow-up reminders.
  • A clear reporting procedure: an employee who thinks they clicked a suspicious link must know who to alert immediately, without fear of blame.

How to structure your internal audit

An SME cybersecurity audit follows three phases:

Phase 1: Inventory (1 to 2 days)

Map all IT assets (servers, workstations, applications, cloud services), identify personal data being processed, list subprocessors with data access.

Phase 2: Risk assessment (2 to 3 days)

For each critical asset, assess the likelihood and impact of a compromise. Use a simple risk matrix (likelihood × impact) to prioritise corrective actions.

Phase 3: Prioritised remediation plan

A list of corrective actions ranked by priority (critical / high / medium), with effort and cost estimates for each measure. This document becomes your cybersecurity roadmap for the next 12 months.

The right prioritisation criterion is not "the most severe flaw" but the best risk × effort ratio. You start with high-impact, low-cost measures — enabling MFA, fixing exposed services, testing a backup restore — before taking on heavier projects such as redesigning network segmentation. This logic avoids paralysing an SME with an unrealistic plan.
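The three phases above and the risk × effort rule can be captured in a small risk register. The following Python script is an added example written for this article, not a tool from ITOPS.be: it scores each finding from the Phase 2 matrix (likelihood × impact), maps the score onto the critical / high / medium bands of the Phase 3 plan, and then ranks the corrective actions by risk per day of effort. The 1–5 scales, the band thresholds, the asset names and the effort figures are all constructed assumptions for illustration.

```python
"""Added example: risk register with likelihood x impact scoring and
risk / effort ranking. All scales, thresholds and sample findings below
are constructed for illustration, not data from any real audit."""
from dataclasses import dataclass

# Constructed 1-5 scales; an SME may prefer a coarser 1-3 matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Finding:
    asset: str          # item from the Phase 1 inventory
    gap: str            # shortcoming observed on that asset
    likelihood: str     # key of LIKELIHOOD
    impact: str         # key of IMPACT
    fix: str            # corrective action proposed
    effort_days: float  # estimated effort to implement the fix


def risk_score(f: Finding) -> int:
    """Phase 2: risk = likelihood x impact, on a 1-25 scale."""
    return LIKELIHOOD[f.likelihood] * IMPACT[f.impact]


def priority_band(score: int) -> str:
    """Map a score onto the critical / high / medium bands of the plan.
    Thresholds (15 and 8) are a constructed convention, not a GDPR rule."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    return "medium"


def remediation_plan(findings):
    """Phase 3: order actions by risk / effort so that high-impact, low-cost
    fixes come first. Returns (band, fix, score, effort_days) tuples."""
    ranked = sorted(findings, key=lambda f: risk_score(f) / f.effort_days, reverse=True)
    return [(priority_band(risk_score(f)), f.fix, risk_score(f), f.effort_days)
            for f in ranked]


# Constructed findings for a fictional SME
SAMPLE_FINDINGS = [
    Finding("VPN gateway", "no MFA on remote access", "likely", "severe",
            "enable MFA on VPN", 0.5),
    Finding("File server backups", "restore never tested", "possible", "severe",
            "run and document a restore test", 1),
    Finding("Office LAN", "printers and servers on one VLAN", "possible", "major",
            "redesign network segmentation", 15),
    Finding("Guest Wi-Fi", "shared password, no isolation", "unlikely", "minor",
            "isolate guest SSID", 1),
]

if __name__ == "__main__":
    for band, fix, score, effort in remediation_plan(SAMPLE_FINDINGS):
        print(f"{band:8} risk={score:2} effort={effort:4}d  {fix}")
```

Run on the sample findings, the segmentation redesign scores "high" (3 × 4 = 12) but lands last in the plan because its 15-day effort gives the worst risk / effort ratio, while enabling MFA on the VPN and testing a restore come first; that is exactly the ordering the paragraph above argues for.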

Minimum technical measures

Regardless of your audit results, certain measures must be in place at any SME that processes personal data:

  • MFA enabled on all Microsoft 365 accounts and remote access
  • Full-disk encryption on all workstations (BitLocker / FileVault)
  • 3-2-1 backup policy: 3 copies, on 2 different media, with 1 offsite
  • Security patches applied within 30 days of publication
  • Antivirus/EDR deployed and centrally managed across all endpoints
  • Login logs retained for a minimum of 6 months

These measures do not guarantee full GDPR compliance, but they constitute the baseline that any auditor or insurer will consider the expected minimum.
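The checklist above can be turned into a repeatable self-assessment. The Python script below is an added example written for this article, not a product of ITOPS.be or any audit tool: it evaluates a constructed inventory of endpoints, accounts, backup copies and a log-retention setting against the thresholds listed (full-disk encryption, managed EDR, patches within 30 days, MFA on Microsoft 365 and remote access, 3-2-1 backups, 6 months of login logs). The record fields, host and account names, the audit date and the sample values are all assumptions made for the illustration.

```python
"""Added example: baseline self-check over a constructed inventory.
Field names and sample records are assumptions for this illustration,
not the schema of any real tool."""
from datetime import date

MAX_PATCH_AGE_DAYS = 30        # "applied within 30 days of publication"
MIN_LOG_RETENTION_DAYS = 180   # "minimum of 6 months"


def check_endpoint(rec, today):
    """Return the baseline measures a single endpoint record fails."""
    failures = []
    if not rec["disk_encrypted"]:
        failures.append("full-disk encryption")
    if not rec["edr_managed"]:
        failures.append("centrally managed EDR")
    oldest = rec["oldest_missing_patch_published"]  # None when fully patched
    if oldest is not None:
        age = (today - oldest).days
        if age > MAX_PATCH_AGE_DAYS:
            failures.append(f"patch overdue by {age - MAX_PATCH_AGE_DAYS} days")
    return failures


def check_accounts(accounts):
    """Names of accounts that hold a Microsoft 365 mailbox or remote access
    without MFA enabled."""
    return [a["name"] for a in accounts
            if (a["m365"] or a["remote_access"]) and not a["mfa"]]


def check_backups(copies):
    """3-2-1 rule: at least 3 copies, on 2 distinct media, with 1 offsite."""
    failures = []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies")
    if len({c["medium"] for c in copies}) < 2:
        failures.append("single media type")
    if not any(c["offsite"] for c in copies):
        failures.append("no offsite copy")
    return failures


def check_log_retention(days):
    return days >= MIN_LOG_RETENTION_DAYS


def baseline_report(inventory, today):
    """Aggregate every check into {area: [issues]}; an empty dict means the
    minimum baseline holds for this inventory."""
    report = {}
    for ep in inventory["endpoints"]:
        issues = check_endpoint(ep, today)
        if issues:
            report[f"endpoint {ep['host']}"] = issues
    no_mfa = check_accounts(inventory["accounts"])
    if no_mfa:
        report["accounts without MFA"] = no_mfa
    backup_issues = check_backups(inventory["backups"])
    if backup_issues:
        report["backup policy"] = backup_issues
    retention = inventory["log_retention_days"]
    if not check_log_retention(retention):
        report["log retention"] = [f"{retention} days < {MIN_LOG_RETENTION_DAYS}"]
    return report


# Constructed audit date and inventory for a fictional SME
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = {
    "endpoints": [
        {"host": "ws-01", "disk_encrypted": True, "edr_managed": True,
         "oldest_missing_patch_published": None},
        {"host": "ws-02", "disk_encrypted": False, "edr_managed": True,
         "oldest_missing_patch_published": date(2024, 3, 15)},
    ],
    "accounts": [
        {"name": "alice", "m365": True, "remote_access": True, "mfa": True},
        {"name": "svc-rdp", "m365": False, "remote_access": True, "mfa": False},
    ],
    "backups": [
        {"medium": "nas", "offsite": False},
        {"medium": "tape", "offsite": False},
    ],
    "log_retention_days": 90,
}

if __name__ == "__main__":
    for area, issues in baseline_report(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{area}: {', '.join(issues)}")
```

Feeding the script a real inventory export is where the value lies: the same checks that an inspector or insurer would ask about become a report you can re-run after every remediation step, rather than a one-off spreadsheet.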

ITOPS.be: your partner for audit and remediation

We conduct GDPR cybersecurity audits for Belgian SMEs of 20 to 250 employees. Our approach combines technical assessment (vulnerability scanning, targeted penetration testing, configuration analysis) and organisational assessment (policies, procedures, team training).

Following the audit, you receive a clear report with prioritised, costed recommendations — not an incomprehensible 200-page document, but a realistic action plan tailored to the size and resources of your organisation.

Also explore our full range of cybersecurity services for SMEs and the Benelux.

Contact us to discuss your situation and receive a quote for an audit tailored to your sector and scope.

Frequently asked questions

Is my SME really a target for cyberattacks?

Yes. Attackers do not target a name — they target vulnerabilities at scale, largely through automation. SMEs are in fact especially exposed because they rarely have a dedicated security team. The size of your company does not protect you: it is your technical measures and your teams' vigilance that make the difference.

What does a security audit involve?

An audit combines a technical assessment (vulnerability scan, targeted penetration test, analysis of configurations and access) and an organisational assessment (policies, procedures, GDPR register, awareness). It runs in three phases — inventory, risk assessment, remediation plan — and produces a clear report with prioritised, costed recommendations.

What are our obligations in a data breach (72 hours)?

In the event of a breach likely to result in a risk, you must notify the DPA within 72 hours of detection. The clock starts when you become aware of the incident, the notification may be phased, and the affected individuals must also be informed when the risk to their rights is high. Having a documented response plan is essential to meet this deadline.

How much does a security audit cost?

The cost depends on scope: the number of sites, users, servers and applications to cover, and whether a penetration test is included. For an SME of 20 to 250 employees, a targeted audit remains a modest investment compared with the cost of a single ransomware incident (downtime, restoration, notification, loss of trust). We provide a tailored quote after an initial conversation about your context.