
Cybersecurity for SMBs: the essentials you need

1 April 2026, Robin Damen

Cybercrime is no longer something that only happens to large corporations. In fact, small and medium-sized businesses (SMBs) are increasingly the target of cyber attacks. The reason is simple: many SMBs have less security in place, which makes them easier prey. Yet the consequences can be just as devastating — downtime, data loss, reputational damage and hefty fines.

In this article we explain why SMBs are targeted, what the most common threats are and which baseline measures you need to protect your organisation. You don't need an enormous budget — you need a structured approach.

Why are SMBs targeted by cybercriminals?

Many business owners think: "We're too small to be interesting." Unfortunately, that's a dangerous misconception. Cybercriminals increasingly use automated attacks that scan the internet for vulnerabilities — they don't distinguish between a ten-person company and a multinational.

Key reasons why SMBs are vulnerable:

  • Less investment in security — Smaller budgets mean fewer security tools and specialists
  • Less awareness — Employees haven't been trained to recognise threats
  • Valuable data — Customer details, financial data and intellectual property are always worth something
  • Supply chain access — SMBs often serve as a stepping stone to larger clients
  • Outdated systems — Legacy software and unpatched systems create entry points

According to the Dutch Digital Trust Centre, over 60% of cyber incidents in the Netherlands involve SMBs. The average cost of a data breach for a small business runs into tens of thousands of euros — not counting lost revenue and reputational damage.

The 6 most common cyber threats for SMBs

1. Phishing

Phishing remains the number one attack vector. Criminals send emails that look like they come from a bank, supplier or colleague, tricking employees into clicking a malicious link or sharing login credentials. Read our in-depth article on recognising phishing for practical examples.

2. Ransomware

Ransomware encrypts your files and demands payment, usually in cryptocurrency, for the decryption key. Even if you pay, there's no guarantee you'll get your data back. Most current ransomware groups also copy your data out of the network before encrypting it and threaten to publish it (double extortion), so a good backup limits the downtime but does not remove the attacker's leverage. Ransomware attacks on SMBs increased by over 150% in recent years.

3. Business Email Compromise (BEC)

Also known as CEO fraud, this is where an attacker impersonates a director or supplier and instructs an employee to transfer funds, change a supplier's bank details or share sensitive data. These messages are highly targeted and usually contain no malware or malicious link, so technical filters often let them through. The effective control is procedural: verify every payment instruction or bank-detail change through a second channel, such as a phone call to a number you already have on file. These attacks can cost tens of thousands of euros per incident.

4. DDoS attacks

A Distributed Denial of Service attack floods your website or services with traffic, making them unavailable. While your business is offline, customers can't reach you and revenue stops.

5. Malware and spyware

Malicious software can enter your network through downloads, USB drives or compromised websites. Spyware silently monitors your activity and steals credentials.

6. Credential stuffing

This is when login details leaked in earlier data breaches are tried against your systems, usually at scale with automated tools. If employees reuse passwords across services, one breach elsewhere can compromise your company. A password manager, a unique password per service and MFA are the direct countermeasures.

Baseline measures: the essential cybersecurity checklist

You don't need a six-figure budget to protect your organisation. The following measures form a solid foundation that stops the vast majority of attacks.

Multi-Factor Authentication (MFA)

MFA is the single most effective measure you can implement. By requiring a second factor, such as a code from an authenticator app or a hardware security key, a stolen or guessed password alone is no longer enough to log in. Prefer an authenticator app, security key or passkey over SMS codes, and be aware of the two ways attackers get around weaker MFA: bombarding a user with push notifications until one is approved (MFA fatigue), and proxying the real login page so the one-time code is relayed to the real service in real time. Phishing-resistant methods (FIDO2 security keys, passkeys) close that second gap and belong on admin accounts first.

Enable MFA at a minimum on:

  • All email and Microsoft 365 accounts
  • VPN and remote access connections
  • Cloud applications and admin portals
  • Financial systems and bank accounts

Endpoint protection

Every laptop, desktop and mobile device that connects to your network needs protection. Modern endpoint detection and response (EDR) goes beyond traditional antivirus: it watches process behaviour (an Office document spawning PowerShell, a burst of file renames) rather than relying only on known signatures, and it lets an analyst isolate a device from the network remotely when something looks wrong.

At Virtual Computing, endpoint protection is included in our managed workstation solution. Every device is monitored 24/7.

Firewall and network security

A properly configured firewall is your first line of defence. It controls which traffic enters and leaves your network, blocks known threats and can segment your network to limit the impact of a breach. Two rules of thumb: expose no management services (RDP, SMB, databases, hypervisor consoles) directly to the internet, and put remote access behind a VPN or identity-aware proxy that requires MFA. Read more about network security best practices.

Backup strategy (3-2-1 rule)

A solid backup is your safety net when everything else fails. Follow the 3-2-1 rule:

  • 3 copies of your data
  • 2 different storage media
  • 1 copy offsite (cloud or separate location)

Test your backups regularly: restore a few files every month and, at least once a year, an entire system, and time how long it takes. A backup you can't restore is no backup at all. Make sure at least one copy is offline or immutable, meaning it cannot be altered or deleted with the credentials an attacker gains inside your network; ransomware operators routinely delete or encrypt every backup they can reach before they trigger encryption. Learn more in our article on creating a disaster recovery plan.

Security awareness training

Technology alone isn't enough. Your employees are both the greatest vulnerability and the strongest defence. Regular awareness training teaches staff to:

  • Recognise phishing emails and suspicious links
  • Handle sensitive data responsibly
  • Report incidents immediately
  • Use strong, unique passwords

Patch management

Unpatched software is an open door for attackers. Ensure all operating systems, applications and firmware (including firewalls, VPN appliances and switches) are updated promptly. Automate where possible, and keep a separate fast track for critical patches: a vulnerability in an internet-facing system that is known to be exploited should be patched within days, not at the next monthly maintenance window.

Access management (least privilege)

Give employees access only to what they need for their role. If someone in marketing doesn't need access to financial systems, they shouldn't have it. This limits the damage if an account is compromised. Review access whenever someone changes role or leaves, and give administrators a separate admin account that is never used for email or web browsing.

Email security

Advanced email filtering catches phishing, malware and spam before it reaches your inbox. Solutions like Microsoft Defender for Office 365 scan links and attachments in real time. Just as important is stopping others from spoofing your own domain: publish SPF, DKIM and DMARC records for every domain you send mail from, and move DMARC to p=reject once your legitimate senders are listed, so that receiving mail servers drop messages that pretend to come from you. Read more about secure cloud working with Microsoft 365.
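An added example, not code from the article or from Virtual Computing, of checking whether your own SPF and DMARC records actually prevent spoofing. The records below are constructed sample TXT values for a hypothetical example.com (the Microsoft 365 include is shown as a typical sender, not as a recommendation for any particular domain); in practice you would fetch the live records with a resolver, for instance `dig TXT example.com` and `dig TXT _dmarc.example.com`, and feed the strings to these functions.

```python
"""Find weaknesses in a domain's SPF (RFC 7208) and DMARC (RFC 7489) records.

Added example, not code from the article. Records are passed in as strings so
the check runs offline; the sample records at the bottom are constructed.
"""
import re

SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> list[str]:
    """Return the weaknesses found in an SPF TXT record (empty list = none)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = "+", term                 # default qualifier is "+" (pass)
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; RFC 7208 allows at most 10, "
                        "receivers return permerror and ignore the record")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: any host on the internet may send mail as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, receivers gain nothing from the record")
    elif all_qualifier == "~":
        findings.append("~all: softfail; fine during rollout, use -all once all senders are listed")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return the weaknesses found in a DMARC TXT record (empty list = none)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag: record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam; p=reject blocks it")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so you cannot see who spoofs you")
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks; 'spoofable' is True when either record leaves the door open."""
    spf, dmarc = check_spf(spf_record), check_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "spoofable": bool(spf or dmarc)}


# Constructed sample records for a hypothetical example.com
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(assess(WEAK_SPF, WEAK_DMARC))
    print(assess(STRONG_SPF, STRONG_DMARC))
```

A common pitfall is going straight to p=reject while a marketing platform or invoicing tool still sends from your domain without being listed: start with p=none and the rua= address, read the aggregate reports for a few weeks to find every legitimate sender, then tighten to quarantine and finally reject.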

ISO 27001: a framework for structured security

Implementing security measures ad hoc is a start, but a structured approach is far more effective. ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for:

  • Identifying and assessing risks
  • Implementing appropriate controls
  • Continuously monitoring and improving security
  • Demonstrating compliance to clients and regulators

Virtual Computing is ISO 27001 and NEN 7510 certified. NEN 7510 is the Dutch healthcare standard that builds on ISO 27001 with additional requirements for medical data. These certifications mean our processes, data centres and operations meet the highest security standards.

For SMBs, working with an ISO 27001-certified IT partner is often more practical than pursuing certification themselves. You benefit from the framework without the overhead.

Managed security services: expert protection without the headcount

Hiring an in-house cybersecurity specialist is expensive — salaries start at €60,000+ per year, and you need coverage for holidays and illness. For most SMBs, managed IT services offer a better solution.

A managed security service typically includes:

  • 24/7 monitoring: continuous surveillance of your network and endpoints
  • Threat detection & response: automatic detection and mitigation of threats
  • Patch management: keeping all systems up to date
  • Email security: advanced phishing and malware filtering
  • Backup management: daily backups with tested recovery
  • Security awareness: employee training programmes
  • Incident response: expert support when something goes wrong
  • Compliance reporting: documentation for audits and certifications

What does it cost?

Managed security as part of a complete IT management package typically costs between €50 and €100 per user per month — a fraction of what an internal team would cost. At Virtual Computing, security is included in every online workstation package.

The NIS2 Directive: new legal requirements

The NIS2 directive introduces stricter cybersecurity requirements for many sectors. Even if your organisation doesn't fall directly under NIS2, your clients may require you to meet certain standards as part of their supply chain security.

Investing in cybersecurity now isn't just smart — it's increasingly becoming a legal obligation.

Cybersecurity checklist for SMBs

Use this checklist to assess your current security posture:

  • [ ] MFA enabled on all accounts and admin portals
  • [ ] Endpoint protection on every device
  • [ ] Firewall properly configured and monitored
  • [ ] 3-2-1 backup strategy in place and tested
  • [ ] Regular security awareness training for all staff
  • [ ] Patch management process established
  • [ ] Access based on least-privilege principle
  • [ ] Email security with advanced threat protection
  • [ ] Incident response plan documented
  • [ ] Password policy enforced (minimum 14 characters, unique per service)
  • [ ] Network segmented to limit breach impact
  • [ ] Admin accounts separated from daily-use accounts
  • [ ] Physical security of servers and network equipment
  • [ ] Cyber insurance evaluated

Frequently asked questions

How much should an SMB spend on cybersecurity?

A common guideline is 5-10% of your total IT budget. For an SMB with 20 employees, this typically works out to €1,000-€2,000 per month — but outsourcing to an MSP often provides more protection for less money than building internal capability.

Is antivirus software enough?

No. Traditional antivirus only catches known threats. Modern attacks use techniques that bypass signature-based detection. You need a layered approach: endpoint detection, email security, firewalls, access management and user awareness.

Do I need a security officer?

Under GDPR, you must appoint a Data Protection Officer (DPO) if your core activities involve large-scale, systematic monitoring of people or large-scale processing of special categories of data (health data, for example); many SMBs don't reach that threshold. For cybersecurity specifically, you can outsource this role to a managed service provider who acts as your virtual CISO.

What should I do if we're attacked?

  1. Isolate affected systems immediately: disconnect them from the network, but don't power them off or wipe them, because memory and disks hold the evidence
  2. Contact your IT partner or incident response team, and your cyber insurer if you have one (policies usually require prompt notification)
  3. Document everything: who noticed what, when, and which actions were taken; preserve logs before they roll over
  4. Reset the credentials the attacker may have used, starting with admin accounts, and revoke active sessions
  5. Report to the Dutch Data Protection Authority (AP) within 72 hours of becoming aware of the breach if personal data is involved and the breach is likely to pose a risk to the people concerned
  6. Notify affected individuals if the breach is likely to pose a high risk to them
  7. Learn from the incident and update your security measures

Is cloud computing more secure than on-premise?

Generally yes, when properly configured. Cloud providers invest billions in security infrastructure, but responsibility is shared: the provider secures the platform, while you remain responsible for identities, access configuration and the data itself. Most cloud incidents trace back to misconfiguration or a compromised account, not to the platform. A secure cloud workplace with proper access management is typically more secure than an on-premise server room.

How often should we test our security?

At minimum annually, but quarterly is recommended. This includes penetration testing, phishing simulations and backup recovery tests. Your managed IT partner should include this in their service.

What is the biggest cybersecurity mistake SMBs make?

Assuming it won't happen to them. The second biggest mistake is implementing security measures without a plan — buying tools without understanding the risks they address.

Does cyber insurance replace security measures?

No. Cyber insurance is an additional safety net, not a replacement for security. In fact, most insurers require you to have baseline security measures in place before they'll provide coverage. Premiums are also lower when your security posture is strong.

Take action today

Cybersecurity doesn't have to be complicated or expensive, but it does require a structured approach. Start with the baseline measures in this article, and consider working with a specialist IT partner who can manage security for you.

At Virtual Computing, we help SMBs across the Netherlands work safely and efficiently from the cloud. With ISO 27001 and NEN 7510 certification, 24/7 monitoring and a team of experienced engineers, we provide the security your business needs.

Get in touch for a free security assessment, or become a client and let us take care of your IT security.
