IBR

Cyber threat increases, preparedness falls short: a wake-up call for SMEs

Cyber threat grows
The cyber resilience of Dutch businesses is under pressure. The most recent figures from the International Business Report (IBR) show that the number of significant cyber incidents in SMEs and the mid-market is rising sharply. Businesses must continuously steer towards cyber resilience.

Incidents are becoming more serious and more visible 

In the second quarter of 2025, 24 per cent of 4083 surveyed Dutch entrepreneurs and executives in the SME and mid-market segment stated that their organisation had experienced a cyberattack with significant impact. In Q3, this rose to over 30 per cent. In addition to the 30 per cent of companies that have experienced a significant cyberattack, a further 39 per cent reported being affected by attacks with limited impact. This means that nearly 70 per cent of Dutch companies have experienced cyberattacks: a clear sign that the danger is not hypothetical but real, and that it truly can happen to any organisation.

Strikingly, the proportion of companies indicating they “do not know” whether they have been attacked remains stable at around 20 per cent. This suggests a lack of monitoring and oversight. Smaller organisations in particular appear vulnerable: they are more often targeted due to limited security capacity, while not always being aware of the severity of the threat. 

Threat is recognised, but action is lacking 

While in Q2 only 20 per cent of companies expected an increase in cyber threats, this rose to over 31 per cent in Q3. Despite these experiences, 55 per cent of companies believe the threat level will remain roughly the same over the next 12 months. At the same time, the number of organisations that believe the risk will remain unchanged is declining. Perception is shifting, but the translation into action is still missing. External factors such as AI-driven attacks and geopolitical tensions play a role. Hybrid working models also increase the attack surface, especially for SMEs that have not adapted their security to this new reality. Yet the SASI report shows that more than 60 per cent of SME user accounts still do not have Multi-Factor Authentication (MFA) activated. Guest users are often not monitored, which creates additional risks. 

Preparedness declines despite increasing threat 

In Q2, 64 per cent of companies reported having a comprehensive cybersecurity policy with regular updates and tests. In Q3, this dropped to 54 per cent. The research also shows that 28 per cent of companies rely on basic measures and 25 per cent respond mainly ad hoc to incidents. In 13 per cent of organisations, there is little to no attention paid to cyber resilience. The number of companies that respond ad hoc or have few measures in place is rising slightly. This points to a gap between risk perception and actual resilience. Many SMEs struggle to maintain structured policies due to limited capacity. There appears to be ‘compliance fatigue’ or an underestimation of the necessity. Reactive policy is no longer sufficient: those who wait until something happens are already behind. External analyses show that many SMEs only take action after an incident, leading to higher costs and greater damage. 

NIS2: awareness grows, but remains insufficient 

The NIS2 directive is receiving increasing attention. In Q3, 35 per cent of respondents were very familiar with the directive and working towards compliance, compared to 24 per cent in Q2. Yet nearly one in five respondents (19 per cent) are barely or not at all familiar. Particularly in sectors without direct supply chain responsibility, the urgency does not yet seem to have fully landed. There is confusion about applicability and obligations, especially for companies indirectly affected by compliance requirements from their clients.  

In addition to NIS2, various other regulations require organisations to strengthen their digital compliance. These range from operational resilience in the financial sector (DORA) to stricter rules for AI applications and data sharing (AI Act and Data Act). It is essential for businesses to stay informed about these developments and take timely action to meet the new requirements. Non-compliance may result in fines and reputational damage.

What does this mean for you as an entrepreneur? 

The figures show that awareness is growing, but structural action is lagging behind. That is a risk. Cybersecurity is not an IT issue, but a strategic theme. Especially in SMEs and the mid-market, where the impact of an attack is immediately felt, proactive policy is essential. 

Would you like to know where your organisation stands?  

Contact us for a concrete audit or advisory meeting. Together, we’ll ensure you are resilient against tomorrow’s threats. 
