Why French SMEs are still stuck in 1980 (and why that's partly their own fault)
Let me be blunt: you can't ask cybersecurity to move forward if some companies refuse to leave the minitel behind. And that's exactly what we still see today in most French SMEs. Yes, threats are evolving.

Let me be blunt: you can't ask cybersecurity to move forward if some companies refuse to leave the minitel behind.
And that's exactly what we still see today in most French SMEs.
Yes, threats are evolving. Yes, AI is reshuffling the whole deck. Yes, attacks are becoming more complex, faster, more systemic. But what's the point of having this conversation if, on the other side, no one really understands what we're talking about?
"Cyber what?", The cultural divide
In many SMEs, the word "cyber" still triggers three kinds of reaction:
- "That's the IT guy's job, isn't it?"
- "We're not a bank, why would anyone target us?"
- "I installed an antivirus and a firewall, we're fine."
You can't build a security strategy on willful ignorance.
Leaders who won't take five minutes to understand digital risks expose their company to something far worse than a data breach: they put their business at risk.
And no, the blame doesn't lie solely with politicians or the evil Russian hackers.
The blame also lies in this chronic inability to question oneself, to learn, to adapt.

AI? Not understood, so not touched
Let's talk about artificial intelligence.
We now have tools capable of analyzing logs, detecting suspicious behavior, anticipating incidents, correlating weak signals in real time. In short: superpowers for teams that are often understaffed.
But in SMEs, we still have leaders who think ChatGPT is a gadget for the comms interns.
Meanwhile, the cybercriminals aren't burdened with skepticism: they're using AI at full throttle. Generating phishing, targeted attacks, automating intrusions... And it works.
The heart of the problem? The regulatory vise
Let's be clear: most SMEs don't refuse cybersecurity out of bad faith.
They refuse because they can't do everything.
When you impose on them:
- ever more complex compliance obligations,
- endless regulatory audits,
- deadlines that are impossible to meet without resources,
- and compliance costs that explode...
Then no, the real problem isn't that Chantal clicked on a booby-trapped link.
The real problem is that Chantal doesn't even know whether her salary will land at the end of the month.
And that's where the State, the software vendors, the experts need to stop talking into the void.
You don't build a culture of cybersecurity with PowerPoint slides and overpriced platforms.
You build it by starting from the reality on the ground. And that reality is that SMEs are drowning.
So what do we do?
**1. Train the leaders, not just the technicians
**As long as a CEO doesn't understand what an attack surface, an intrusion vector, or a continuity plan is, they won't steer anything. They'll be at the mercy of events.
2. Simplify, automate, pool
Cybersecurity must not be a luxury. We need tools designed for small and medium businesses: simple to deploy, manageable with few resources, and above all affordable. SaaS isn't enough if no one understands the dashboard.
**3. Build local cyber-solidarity networks
**What if local authorities funded "shared SOCs" among companies in the same economic area? Pooling costs, sharing intelligence, collective responses.
4. Rethink public funding
Subsidizing 30k audits for recommendations that end up in a drawer serves no purpose. Better to fund training, concrete tools, ongoing awareness.
In conclusion
SMEs are the heart of the French economy.
But that heart still beats to a pre-digital rhythm.
So yes, cyberthreats are exploding.
Yes, AI changes everything.
But no, that's no reason to keep burying your head in the sand.
Things need to move, and fast.
Cybersecurity must no longer be seen as a luxury or a burden, but as a lever for survival, resilience, and competitiveness.
And if you run an SME and you still think "cyber isn't for you"...
Then you probably need it even more than the rest.
Discover the journey of Christophe Mazzola here
Questions fréquentes
Why do we say French SMEs are "stuck in 1980"?
Because they often cling to pre-digital reflexes: the word "cyber" triggers denial or delegation to the IT guy, whereas the threats themselves have changed radically.
Is an SME really a target for cyberattacks?
Yes. The "we're not a bank, why would anyone target us?" reflex is dangerous: attackers automate and target broadly, and a poorly prepared SME puts its business at risk, not just its data.
Is AI an asset or a threat for SME cybersecurity?
Both. It gives "superpowers" to understaffed teams (log analysis, detection of suspicious behavior), but cybercriminals are already exploiting it to generate phishing and automate their intrusions.
Does regulation help or penalize SMEs?
As applied, it often penalizes: complex compliance obligations, endless audits, unworkable deadlines and skyrocketing costs. SMEs don't refuse security, they simply don't have the resources to absorb it all.
What can actually be done to move things forward?
Train leaders, not just technicians, simplify and pool tools, fund shared SOCs among companies in the same area, and redirect public funding toward training and concrete tools rather than costly audits with no follow-up.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
