Cybersecurity: small businesses are not ready. And it will cost them.
Talk to five owners of small businesses and you get the picture: cybersecurity is still a vague, distant, almost abstract idea. As long as no ransomware freezes the screen of Chantal in accounting, everyone carries on as before.

Talk to five owners of small businesses and you get the picture: cybersecurity is still a vague, distant, almost abstract idea. As long as no ransomware freezes the screen of Chantal in accounting, everyone carries on as before.
But "as before" is over.
Attacks today do not target "the big companies." They target the vulnerable. And when you look at the state of the networks, the passwords, the digital habits in some organizations, you don't have to look very far.
Nobody is too small to get wrecked
Let's drop the myth of "nobody cares about us."
It isn't you they attack. It's your exposed surface.
A badly closed RDP port, an Excel file left in a public cloud, a VM that was never patched.
It's like leaving the door open and hoping no thief walks by.
Criminal groups don't do surgical targeting. They automate.
They scan, they test, they get in.
And when they see you have no MFA, no backup, no plan B,
they encrypt everything. Then they wait.
The real problem isn't the technology. It's the denial.
In a lot of small businesses, you're still stuck at Windows 7, Outlook 2013 and password123.
Not out of stupidity. Out of fatigue. Out of lack of time. Out of exhaustion.
Because when you have ten people, and you handle HR, clients, suppliers, the new regulations that only France knows the secret of, the new taxes and the URSSAF reassessment, cybersecurity comes last.
And yet it's the thing that can bring it all to a halt.
The IT person isn't the firefighter
"We have a provider."
Great. And how many clients does he work for? 40? 60?
Do you really think he'll jump on his keyboard at 3 a.m. when everything is frozen?
Security isn't a subscription.
It's a culture. A governance. Something that starts with the owner.
And as long as cybersecurity is pushed to the bottom of the org chart, it protects nothing.
No budget? Not an excuse.
No, you don't have 500k to put into a SOC. We know.
But that's no reason to do nothing.
The problem isn't money. It's inertia.
There are basic things that cost next to nothing:
- A real password policy (and no, not saved in the browser).
- Backups that are offline and tested.
- Two-factor authentication on work accounts.
- A PC that isn't used to visit dodgy sites during the smoke break.
- A simple plan: if we get hit, what do we do?
And where does AI fit into all this?
It's already here. On the attackers' side.
It automates phishing, writes the emails, gets past the filters.
You think a badly written email with "URGENT TRANSFER" is outdated?
Now they write like your clients.
And soon it'll be your voice they imitate.
Or your CEO's.
If you think "AI is a problem for later," you're already behind.
Take a step. Now.
I'm not saying you should turn your small business into a bunker.
I'm saying you have to start. Move. Act.
Not because ANSSI tells you to.
Not because it's trendy.
But because you won't get a second chance.
And above all, because in the world of tomorrow, companies that don't know how to protect themselves will no longer inspire trust.
Not from their clients.
Not from their partners.
Not from insurers.
And least of all from attackers, who are waiting for one thing only: for you to do nothing.
The good news is that you don't need a perfect plan.
You need a first move.
Block off half a day, put your CFO, your "IT person" and a real specialist around the table, make the list of the 10 things to fix first and deal with them one by one. Not in 2030.
This quarter.
After that, you'll breathe easier. And above all, you'll finally send a clear message: here, we don't play with fire anymore.
Questions fréquentes
Why would a small business be the target of a cyberattack?
Because criminal groups don't do surgical targeting: they automate, scan and test. It isn't the company that's targeted but its exposed surface, like a badly closed RDP port or a machine that was never updated.
Is budget the main barrier to cybersecurity in small businesses?
No. The problem isn't money but inertia and denial. Basic measures cost very little: a password policy, offline and tested backups, two-factor authentication, and a simple action plan in case of an incident.
Is having an IT provider enough to stay protected?
No. A provider often manages dozens of clients and can't cover everything. Security is a culture and a governance that must start with the owner, not just a subscription.
How does AI change the threat for small businesses?
AI is already used by attackers to automate phishing, write credible emails and get past filters. Fraudulent messages now mimic the tone of your clients, and even the voice of executives.
Where do you start, concretely?
Block off half a day this quarter, bring together the CFO, the IT person and a real specialist, list the ten points to fix first and deal with them one by one. What matters is making a first move, not having a perfect plan.
Sources & méthodologie

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
