Cybersecurity

IT security for SMEs: where to start?

Published on By Dr Ir Hüseyin Cakmak
#it security for smes #cybersecurity sme #two-factor authentication #3-2-1 backup #data protection
IT security for SMEs: where to start?

Effective IT security for an SME starts with the basics that remove the most risk: two-factor authentication, automatic updates, tested backups and an aware workforce. These four measures cover the most frequent attacks, even before investing in costly tools.

Where to start concretely today?

The biggest mistake is waiting for a big project or an expensive package. The figures show the basics are often missing: 96.1% of Belgian companies apply at least one security measure, but only 40.3% have documented procedures [1]. That gap between "doing something" and "working in a structured way" is exactly where an SME makes the difference.

So do not start from technology, but from risk. Which data could you not afford to lose? Which access would be most valuable to an attacker? Once that question is settled, the order of the measures becomes obvious: you protect what is most valuable first, and the rest afterwards.

IT security for a Belgian SME, an employee enabling two-factor authentication

At ITOPS.be, we begin this kind of work with a short scoping phase (Blueprint) before any rollout (Build). That order avoids buying tools that do not cover your real weakness.

When does IT security become urgent for your SME?

Not every SME needs a full programme by tomorrow, but some signals make delay expensive. Treat the following situations as a threshold to act now:

  • A real incident or an attempt: a suspicious email someone clicked, a locked file, an unexplained login. Do not wait for the next time.
  • Sensitive data: you process personal data of customers, patients or staff. Legal obligations then apply, and a leak weighs heavily.
  • A growing or dispersed team: remote work, new hires and more devices widen the attack surface faster than most owners expect.
  • An audit or a client demanding guarantees: more and more principals require proof of a minimal security posture before signing a contract.

In each of these cases, the cost of preparation is small compared with the cost of downtime. A structured approach often starts with an audit of your IT security and GDPR compliance, which objectifies the priorities before any investment.

The first five steps, one by one

These five measures offer the highest return for the lowest effort. They rely on discipline, not on a large budget, and together cover the most common attacks against an SME [3].

  1. Two-factor authentication (MFA) everywhere: enable it on email, accounting, cloud storage and administrator access. A stolen password alone is then no longer enough for an attacker.
  2. Automatic updates: let operating systems, browsers and applications update themselves. Most intrusions exploit known, already-patched flaws.
  3. Tested backups following the 3-2-1 rule: three copies, two media, one off-site or offline. Test at least once a quarter that a restore actually works, because an untested backup is not a backup.
  4. Staff awareness: short, repeated training on phishing and suspicious requests. The employee is often the first target, and therefore the first line of defence.
  5. Access management: give each person only the rights their job requires, and revoke access when someone leaves. This limits the damage if an account is compromised.

This list is not an end point but a starting point. Once it is in place, you can choose the next steps more precisely: monitoring, a higher-grade firewall, or an external partner for continuous follow-up.

GDPR and NIS2: what obligations apply to you?

In Belgium, IT security is not only good practice: it is partly a legal duty. As soon as you process personal data, the GDPR imposes obligations: a legal basis, data minimisation, appropriate security and, in the event of a serious breach, notification to the Data Protection Authority. The official guidelines for companies are on the Data Protection Authority website, and you should not minimise them.

The NIS2 directive goes further, but mainly targets essential and important entities in certain sectors, not every small company. Check your situation on the sources of the European Commission and the Centre for Cybersecurity Belgium before drawing conclusions about your obligations [4]. Do not present any aid or subsidy as automatically granted: always verify the current conditions and amounts with the official source.

The common thread stays the same: start small, but start in a structured way. The base you lay today determines how well your SME withstands a real attack.

Frequently asked questions

What should an SME start with regarding IT security?

With the four measures that remove the most risk: two-factor authentication on every important access, automatic updates, tested backups following the 3-2-1 rule, and staff awareness. This base blocks the most common attacks before any costly investment [3].

How many Belgian companies are actually hit by a security incident?

In 2023, 22.3% of Belgian companies suffered the consequences of a security incident, such as service interruptions or data loss. Yet only 40.3% have documented security procedures, showing the basics are often missing [1].

Is my SME concerned by the NIS2 directive?

NIS2 mainly targets essential and important entities in certain sectors, not every small company. Check your situation on the official sources of the European Commission and the CCB, since national transposition determines your exact obligations [4].

Is IT security expensive for a small business?

The first and most effective layer costs little: two-factor authentication, updates, backups and training rely on time and discipline, not on heavy investment. You only weigh targeted tools or an external partner afterwards, against your real risk [3].

Sources and references

  1. Statbel: One enterprise in five suffers a security incident
  2. FPS Economy: Cybersecurity within Belgian SMEs
  3. ENISA: Cybersecurity guide for SMEs
  4. European Commission: The NIS2 directive
  5. Data Protection Authority: Information for professionals