Small and medium-sized enterprises (SMEs) in the EU are, on average, 15 per cent behind larger organisations in implementing cybersecurity controls, according to a new report by Marsh.
The study, titled ‘Why the Cybersecurity Gap Between SMEs and Large Organisations Matters’, highlights the challenges SMEs face in achieving cyber resilience compared to their larger counterparts.
Marsh’s analysis examined 320 organisations across the EU, categorised by annual revenue: SMEs with less than €51 million; mid-sized businesses with revenue between €51 million and €250 million; and large organisations exceeding €250 million.
Findings from Marsh’s Cyber Self-Assessment tool revealed that large organisations scored an average of 80 per cent in applying 12 key cybersecurity controls, while SMEs averaged just 65 per cent.
Multi-factor authentication (MFA) was identified as a key differentiator, with 91 per cent of large organisations requiring MFA for remote logins, compared to only 75 per cent of SMEs.
Incident response testing also showed a significant gap, with just 40 per cent of SMEs conducting regular tests, while 61 per cent of large organisations maintained this practice.
The report finds industry disparities as well, with 85 per cent of finance SMEs providing cybersecurity training for employees, compared to just 58 per cent in manufacturing.
Marsh emphasises the need for SMEs to engage with the cyber insurance market, warning that many remain uninsured or underinsured against digital threats.
Despite historical barriers to coverage, the firm notes that innovations in cyber insurance now offer SMEs a chance to close this protection gap.
