Most SME managers believe they are ‘more or less covered’ when it comes to cybersecurity. This is not Oz’n’gO’s opinion, but that of official bodies such as ENISA*. Their surveys and studies show that a majority of European SMEs claim to have implemented cybersecurity measures, but few have a formalised strategy, incident response plans or mature governance mechanisms. As for AI, business leaders approach it more as a ‘gadget’ that they focus on non-strategic uses. They may think that the tool is reserved for large companies, which are adopting the technology much more strongly than SMEs. This reality proves the ignorance of SME leaders about both the power and the risks of AI.
*ENISA – European Union Agency for Cybersecurity
At Oz’n’gO, we have examined the available data to draw up a concrete, quantified assessment of SMEs’ attitudes towards cyber risks and the adoption of AI and its inherent risks.
Below, the three major truths we have been able to draw from this, and the findings are cause for concern.
And THE QUESTIONS to ask yourself.
Cybersecurity for SMEs: tools, but no real preparation
Firewalls, antivirus software, backups. Secure access (passwords, two-factor authentication). Malware control.
These are the most common measures within SMEs. Useful, but largely insufficient.
5 elements are most missing :
– a risk analysis identifying the most sensitive data
– an overview of real crisis scenarios (not checklists) with simulation
– cyber governance (who decides what, when, with what information, based on what criteria and through what processes)
– crisis management preparation with a dedicated team and a solid, tested plan
– an appropriate, tested crisis communication plan
Result: without this foundation, when things get tough, the tools sometimes hold up… but the organisation falls apart.
And with the explosion of AI, human, decision-making and reputational dimensions are becoming just as crucial as technical tools, which do not cover them.
Cybersecurity is not just about tools
AI is used, but without a framework
Managers use AI.
Teams use AI.
Service providers use AI.
Often for peripheral, non-strategic tasks, demonstrating their lack of understanding of the power of AI and its various forms.
Often without:
– rules of use
– control of injected data
– consideration of the reliability of generated content
– anticipation of reputational, legal or strategic risks
– training on AI tools, their risks and best practices
The majority of business leaders plan to make significant investments in AI in 2026 and beyond, but without a vision, governance, and above all, awareness of the risks inherent in AI, which no technical solution alone can address.
The differences between SMEs are enormous.
From one country to another. From one sector to another. From one company size to another. But above all, from one level of preparedness to another.
A small proportion of SMEs have already structured:
- minimal governance
- roles and responsibilities clearly identified
- a genuine ability to make decisions under pressure, with imperfect information
Most of them operate without any real framework, just winging it:
– No clear view of their risks
– No credible scenarios
– No decision-making process in crisis situations
They believe they are sufficiently protected because they operate like everyone else. Wrong.
In cybersecurity, as in AI, the majority is not a refuge.
Just because a large number of companies are unprepared does not mean that the risk disappears.
All companies are targeted, regardless of size or sector.
Like accidents, crises do not only happen to other people.
The real question is not ‘are you protected?’
The real question is:
- Do you know where you really stand?
- Do you know what you’re missing?
- Do you know what you should prioritise now, not in three years’ time?
That is precisely the aim of our document.
Our status report for 2026 on SME preparedness in cybersecurity and AI
13 concise slides.
Clear guidelines.
A few suggestions.
What you need to know, without the jargon.
