Cyber threats don’t skip small and medium-sized enterprises
Cybersecurity used to be a concern for governments and multinationals. In 2025, the reality has changed: Dutch small and medium-sized enterprises (SMEs, in Dutch: MKB’ers), organizations with 10–250 employees, are squarely in the firing line.
According to ABN Amro, 1 in 5 Dutch companies suffered damage from a cyberattack in 2024. A separate study by Mastercard found that 1 in 4 SMEs has already fallen victim. With roughly 55,000 SMEs in the Netherlands, that translates into 11,000–13,750 SME-targeted incidents each year. These are actual threats – they mean financial loss, disruption, and reputational harm.

Why SMEs Are Attractive Targets
So why are SMEs so vulnerable? Large organizations have been investing heavily in cybersecurity for years. SMEs, by contrast, often have limited budgets, smaller teams, and a heavy reliance on external IT providers. As Financieel Management noted, many SMEs underestimate the financial risks of cyberattacks, which leads to late or insufficient action.
Rabobank puts the average cost of an SME incident – including response and recovery – at around €300,000, while ESET estimates €270,000. Research by the Dutch police shows SMEs with cyber insurance are actually preferred targets: insured companies end up paying 2.8 times more in ransom than uninsured peers.
Then there’s the supply chain effect, which is less evident. SMEs are often part of larger ecosystems, and attackers see them as stepping stones into bigger targets. In this sense, one vulnerable SME can open the door to much larger organizations.
Falling Victim to Lower-Sophistication Attacks
Even when attackers don’t deploy advanced malware or nation-state tools (think: Pegasus), SMEs remain exposed. One of the biggest risks remains in the inbox. According to KPN, the number of phishing attempts against companies increased tenfold in just one year. For attackers, it only takes one employee clicking the wrong link to gain access to sensitive systems or credentials.
The CrowdStrike SME Security Survey confirms the trend: awareness of the risks among SMEs is high, but actual protection is lagging. In other words, business owners know that phishing, ransomware, and credential leaks are serious issues – but haven’t yet organized sufficient defenses.
Focus on collaboration and shared initiatives
It’s not all bad, though: we’ve noticed cybersecurity is moving up the agenda. Municipalities and industry associations in the Netherlands report on partnerships designed to boost SME resilience, emphasizing that cybersecurity must become “chefsache” – a board-level responsibility, not something delegated to interns or outsourced without oversight.
These groups stress that SMEs need to embed cybersecurity structurally into their operations. That means not only technical fixes, but also governance, training, collaboration with industry peers, and continuous visibility into risks.
What we’ve noticed organizations struggle with
Based on experience, we’ve found that SMEs typically struggle with one or more of the following:
- They are heavily dependent on their IT providers, without clear accountability for security.
- They have poor visibility into external risks such as credential leaks or shadow IT.
- Their company policies exist on paper but lack real implementation.
- Their limited budgets push cybersecurity further down the priority list.
These challenges explain why SMEs often remain exposed, even when they are aware of the risks and want to get secure.
Practical steps to get secure
Improving resilience doesn’t require setting up an expensive Security Operations Center (SOC). Pragmatic measures can already reduce a large share of risk:
- Take stock of systems and data – cybersecurity starts with knowing what you have to protect.
- Enable multi-factor authentication (MFA) wherever possible.
- Use a password manager to prevent reuse.
- Create and test backups regularly – an untested backup is no backup.
- Train staff continuously with short, practical sessions and phishing simulations.
- Monitor your digital footprint to detect leaks, phishing domains, and vulnerabilities of exposed systems.
Change the perspective: From cost to investment
Each of those measures may seem small by itself, but together they create a solid foundation. However, some reframing on a strategic level seems to be necessary.
Many SMEs still see cybersecurity purely as a cost. In reality, it’s becoming a condition for doing business. Larger clients demand proof of resilience across their supply chains. Insurers are tightening requirements, refusing coverage without MFA or backups. And customers increasingly prefer suppliers who can show they take security seriously.
That means cybersecurity is also a competitive advantage. SMEs that can demonstrate resilience not only reduce their risks but also strengthen their position in the market.
How we support SMEs
The message is clear: Dutch SMEs are under pressure from rising cyber threats. The figures from ABN Amro, Mastercard, Rabobank, KPN and others prove the risks are real, the costs are high, and the urgency is now.
At Skuridat, we help SMEs translate cybersecurity from theory into practice. Through consultancy, we map risks, strengthen governance, and align with relevant regulations. With our software platform, we continuously monitor for vulnerabilities, leaked credentials, shadow assets, and phishing domains – giving SMEs the same outside-in view that attackers have.
The result: not just compliance on paper, but resilience in practice – and ideally even anti-fragility, becoming stronger each time you’re tested.
