Back to blogCybersecurity

The 10 most common cybersecurity weaknesses in SMEs

NRNicolas Renard·July 31, 2026· 8 min read

Most security incidents affecting SMEs don't result from sophisticated attacks exploiting unknown flaws. Reports published by Cybermalveillance.gouv.fr, the French public body that supports victims of cyberattacks, show year after year that a small number of recurring weaknesses, often identified but never fixed, account for most compromises. Here are ten of them, in roughly descending order of observed frequency.

Lack of multi factor authentication

A password alone, however complex, no longer protects much against increasingly common credential theft techniques: phishing, reuse of passwords already compromised on other services. ANSSI recommends multi factor authentication on all privileged accounts and remote access, starting with email and administration tools. Yet it remains one of the least applied measures in SMEs, more often out of unfamiliarity than deliberate choice.

Backups that are never tested

Having backups is not enough: you also need to know they actually work. Many companies discover, right when they need them after a ransomware attack, that their backups are incomplete, corrupted, or reachable from the same network as the encrypted data, and therefore affected too. A successful, documented restore test is worth more than any backup policy that has never been verified.

Loose access management

Accounts shared between several employees, access rights granted by default rather than actual need, former employees' accounts never disabled: individually minor, these practices collectively create an attack surface that is hard to map. In the event of an incident, the lack of individual access traceability also considerably complicates the investigation.

No incident response plan

Who decides in the event of an attack? Who contacts the insurer, the authorities, potentially affected clients? Without prepared answers to these questions, the first hours of an incident, the most critical for limiting its impact, are lost to improvisation. An incident response plan does not need to be sophisticated: above all, it needs to exist and be known to the right people.

Security patches applied inconsistently

The most exploited vulnerabilities are not always the most recent ones: many attacks succeed by targeting flaws patched months earlier, on systems that were never updated. Patch management remains one of the most cost effective cybersecurity measures, and one of the most neglected for lack of a formalized process to run it.

Unmanaged use of cloud tools and generative AI

Employees who share sensitive documents on personal cloud tools, or paste confidential data into a consumer conversational assistant, often fly entirely under the radar of the IT department. This shadow IT is not necessarily malicious: it mostly reflects the absence of internal solutions as convenient as consumer tools, and the absence of clear rules on what can or cannot be shared there.

Cybersecurity Diagnostic·See a diagnostic preview

Insufficient employee awareness

The human factor remains involved in most initial incidents, most often through a phishing email. One off awareness training, delivered once when an employee joins and never repeated, quickly loses its effect. The most resilient organizations build in regular reminders, including simulations, rather than a single isolated training session.

Neglected remote work security

Personal devices used to access work tools, unsecured home networks, no VPN or disk encryption: remote work has considerably widened the perimeter to protect, without security practices always keeping pace. Many SMEs still apply security policies designed for a perimeter entirely confined to the office.

Unmanaged dependency on vendors

An IT service provider, a business application hosted by a third party, a subcontractor with access to the information system: each of these links can become an entry point, as shown by several major incidents that spread through the supply chain rather than through a direct attack. Few SMEs assess the security posture of their vendors before granting them access to their systems.

Near absent monitoring and detection

Without logging or monitoring, an intrusion can remain invisible for weeks while the attacker explores the system before triggering its final action (data exfiltration, encryption). Early detection does not necessarily require a dedicated monitoring center: basic alerts on unusual logins or repeated authentication failures are often enough to drastically cut detection time.

Recap checklist

  1. Multi factor authentication enabled on privileged accounts and remote access
  2. Backups tested through an actual, documented restore
  3. Access rights granted by actual need, reviewed regularly, revoked when an employee leaves
  4. A formalized incident response plan known to the people concerned
  5. Security patches applied on a defined schedule
  6. Clear rules on the use of cloud tools and generative AI
  7. Employee awareness renewed regularly, not just when they join
  8. Remote work security aligned with office security (VPN, encryption, managed devices)
  9. Security posture assessment for vendors with access to the information system
  10. Minimal monitoring in place to detect abnormal behavior

None of these ten weaknesses are exotic: they have been documented for years by ANSSI and by the organizations that support cyberattack victims. What they have in common is not the technical complexity of fixing them, but the absence of a structured assessment that would allow prioritizing them, rather than discovering them one by one, incident after incident.

Ready to assess your organization?

Try for free