Cybersecurity · September 25, 2025

Cybersecurity and Generative AI: The New Risks for SMEs

How generative AI is creating new vulnerabilities and what you can do to protect your business.

By Gildas Garrec·4 min

Cybersecurity is no longer a luxury reserved for large corporations. In 2026, SMEs have become the prime target for cyberattacks — precisely because they are often the least protected. 43% of cyberattacks now target small businesses, and 60% of SMEs that suffer a serious attack shut down within 6 months.

Threats that specifically target SMEs

Ransomware

Ransomware remains the number one threat. Attackers encrypt your data and demand a ransom (typically between €10,000 and €500,000). SMEs are targeted because they pay up more often than large corporations, which have dedicated security teams.

Phishing and social engineering

90% of attacks start with a phishing email. Techniques are becoming increasingly sophisticated, with generative AI enabling the creation of messages that are nearly indistinguishable from legitimate ones.

Data theft

Your SME's customer, supplier, and financial data holds considerable value on the dark web. A data breach triggers legal obligations (notification to the relevant authority within 72 hours), GDPR fines, and a serious loss of trust.

Supply chain attacks

Attackers target your suppliers or service providers as a backdoor into your business. The security of your ecosystem matters just as much as your own.

The 10 essential measures for an SME

In Nantes and the Pays de la Loire region, SMEs benefit from a dynamic tech ecosystem to support this transformation.

  • Automated backups: follow the 3-2-1 rule (3 copies, 2 different media, 1 offsite). Test your restore process regularly.
  • Automatic updates: keep operating systems, software, and firmware always up to date. 85% of attacks exploit known vulnerabilities.
  • Multi-factor authentication (MFA): enabled on all critical accounts (email, banking, cloud, CRM). MFA blocks 99% of password-based attacks.
  • Team training: security awareness around phishing, password best practices, and incident reporting. Refresh training every 6 months.
  • Antivirus and EDR: protect endpoints with advanced detection (EDR rather than traditional antivirus).
  • Firewall and network segmentation: isolate critical systems from the rest of your network.
  • Access management: apply the principle of least privilege — each user only accesses what they actually need.
  • Data encryption: cover disks, emails, and file transfers.
  • Business continuity plan: documented procedures to follow in the event of an incident.
  • Cyber insurance: transfer residual risk to an insurer.

The cybersecurity budget for an SME

A good rule of thumb: invest 5 to 10% of your IT budget in cybersecurity.

For an SME with 10–50 employees:

  • Core solutions (antivirus, firewall, MFA): €200–500/month
  • Cloud backups: €50–200/month
  • Annual training: €1,000–3,000
  • Security audit: €3,000–10,000 (one-time)
  • Cyber insurance: €1,000–5,000/year

Total: €6,000–15,000/year. That's a fraction of the cost of a cyberattack (average cost for an SME: €130,000).

AI in the service of SME cybersecurity

Artificial intelligence is strengthening security on several fronts:

  • Anomaly detection: AI identifies suspicious behavior in real time
  • Anti-phishing: AI-powered email analysis to catch phishing attempts
  • Automated response: automatic isolation of compromised machines
  • Vulnerability analysis: continuous scanning of your attack surface

GDPR and legal obligations

As a business, you are required to:

  • Appoint a GDPR point of contact (even part-time)
  • Maintain a data processing register
  • Notify the relevant data protection authority within 72 hours of a data breach
  • Obtain explicit consent for the use of personal data
  • Honor data subject rights (access, correction, deletion)

GDPR fines can reach up to 4% of annual turnover or €20 million.

Conclusion

Cybersecurity is an investment, not a cost. SMEs that secure their systems protect their operations, their customers, and their reputation. The solutions are out there, they're financially accessible, and the return on investment is immediate — measured in risks avoided.