Safeguarding SMEs: A Six-Year Deep Dive into Cybersecurity Expertise and Evolution
Explore the "Keep IT Secure" initiative's six-year journey in validating cybersecurity experts for SMEs, countering AI-driven threats, and strengthening digital defenses through structured evaluation.
The Growing Cyber Threat to Small and Medium Enterprises
Small and Medium Enterprises (SMEs) are the backbone of global economies, driving innovation and employment. However, as digitalization accelerates, these businesses find themselves increasingly vulnerable to sophisticated cybersecurity threats. Many SMEs, often constrained by resources, expertise, or time, underestimate their exposure or assume their smaller size makes them unattractive to cybercriminals. This perception is dangerously flawed; SMEs are prime targets, and the consequences of a breach can be catastrophic. The threat landscape has evolved dramatically, with AI-driven attacks deploying automated phishing, adaptive malware, advanced reconnaissance tools, and deepfakes, amplifying the scale and sophistication of cyber incidents.
Studies consistently highlight that a majority of SMEs experience at least one significant cyber incident, with a concerning number failing to recover and ceasing operations within months. While awareness of cybercrime is on the rise, this often doesn't translate into effective preparedness or efficient risk management strategies tailored to the unique constraints of SMEs. This critical gap necessitates practical cybersecurity solutions and expert guidance, a need recognized and supported by major European organizations like ENISA, the European Commission, and ECSO. Globally, various national programs, such as the UK's Cyber Essentials and Finland's Cyber Security Certificate, aim to raise awareness and provide essential guidance.
A Dual Approach to Strengthening SME Cybersecurity
In Belgium, a multi-layered approach has been implemented to bolster the cybersecurity posture of SMEs, as detailed in a six-year analysis of the Keep IT Secure (KIS) initiative (Ponsard et al., 2026). This strategy operates on two levels: regional and national. At the regional (Walloon) level, the Keep IT Secure (KIS) initiative, operational since 2019, focuses on validating and labeling cybersecurity experts. This ensures that SMEs have access to qualified professionals who can assist with awareness campaigns, robust protection measures, thorough auditing, and effective incident response. A funding scheme further supports the intervention of these labeled experts, making professional cybersecurity services more accessible to smaller businesses.
Complementing this, the national Cyber Fundamentals (CyFun) framework provides a comprehensive certification scheme for companies. Inspired by the NIST Cybersecurity Framework (NIST CSF) and offering a lighter, more accessible standard than ISO27K, CyFun targets businesses of all sizes with different profiles – basic, important, and essential – adapted to varying threat levels. The basic level is particularly suited for standard SMEs, providing a foundational benchmark for their cybersecurity maturity. This dual approach aims to create a robust ecosystem of support, ensuring both expert availability and a clear pathway for companies to achieve recognized cybersecurity standards.
Validating Expertise: The Keep IT Secure Methodology
The core objective of Keep IT Secure is not just to provide funding, but to ensure the quality and capability of cybersecurity service providers before they engage with SMEs. This is crucial given the sensitive nature of cybersecurity, where ex-post verification can be too late. KIS rigorously checks if an expert possesses a deep understanding of key cybersecurity concepts and reference frameworks, comprehends SME-specific cybersecurity challenges, and can conduct a technical audit using a well-established methodology. Since its inception, KIS has interviewed over 120 professionals from approximately 90 companies, gathering valuable insights into the regional ecosystem.
The evaluation methodology, established around 2018, avoids imposing a single audit framework. Instead, it assesses the expert's coverage of fundamental practices necessary for sound cybersecurity maturity within an SME context. This is achieved through a dynamic, scenario-based discussion (e.g., auditing a grocery store's IT systems). Experts are evaluated on their ability to identify risks relevant to the SME, propose strategies based on the NIST CSF (covering identification, protection, detection, response, and recovery phases), and apply controls inspired by the Center for Internet Security (CIS) controls. The assessment records spontaneous actions, actions taken after hints, or omitted/incorrect responses, which are then weighted to generate a score. This stable and adaptable methodology has been used consistently, with minor adjustments over the six-year period. ARSA Technology, for instance, offers robust AI Video Analytics and AI Box Series that can integrate seamlessly into an SME's existing security infrastructure, helping address practical protection and detection needs identified by such experts.
Six Years of Evolution and Insights
The KIS audit process has undergone subtle but significant refinements since 2019. Initially (2019-2021), a questionnaire recorded basic characteristics of answers, converting them into scores with a weighted formula. Questions were also weighted based on their importance (basic 50%, intermediate 35%, advanced 15%). From 2021-2023, the methodology evolved to include a quantitative score (0-5) to better reflect the quality and completeness of answers, even for those given with a hint. Explicit evaluation sheets for soft skills were also introduced, recognizing the importance of communication and advisory capabilities. More recent updates (2024-present) include minor adjustments and the use of radar charts for clearer presentation of results.
This long-term effort has provided a solid dataset, allowing researchers to track the maturity of the regional cybersecurity expertise ecosystem. The consistent methodology has been crucial in identifying key drivers of improvement and persistent weaknesses. The analysis demonstrates a growing alignment between the KIS lightweight labeling framework and the broader federal Cyber Fundamentals framework, particularly its basic level, which is a recommended baseline for SMEs. This convergence strengthens the overall cybersecurity landscape by providing a clear progression path for companies and ensuring that expert recommendations align with recognized national standards. Insights from this research are vital for policymakers and businesses alike, guiding future initiatives to adapt to evolving threats.
Adapting to Future Cyber Realities and Emerging Needs
The continuous evolution of cyber threats, particularly those driven by AI, mandates that cybersecurity expertise also evolves. The six-year analysis of the KIS ecosystem highlighted several crucial lessons and areas for future development. Firstly, there's a constant need to address the main weaknesses identified among experts, ensuring that the training and evaluation framework remains current. Secondly, the emergence of new skill sets, such as Cyber Threat Intelligence (CTI) and the specific understanding of AI-driven threats, is becoming paramount. Experts must be equipped to analyze and counteract sophisticated, adaptive attacks that leverage AI for enhanced speed and scale.
Furthermore, the evolving regulatory landscape, including GDPR, NIS2, and the AI Act, significantly impacts cybersecurity requirements for SMEs. Experts must be proficient in guiding businesses through these compliance frameworks, ensuring data sovereignty and privacy-by-design principles are embedded into their security strategies. ARSA Technology, for instance, provides solutions like the AI BOX - Basic Safety Guard which offers on-premise AI processing for safety and compliance monitoring, critical for industries grappling with new regulations and privacy concerns. This commitment to practical, deployable, and compliant solutions underscores the importance of a well-supported and continuously developing ecosystem of cybersecurity experts.
Strengthening the Digital Shield: A Path Forward
The "Keep IT Secure" initiative in Belgium offers a valuable model for how regions and nations can support their SME sector against an ever-intensifying cyber threat landscape. By systematically validating and nurturing a network of cybersecurity experts, and aligning these efforts with broader national certification frameworks, it creates a robust defense mechanism. For global enterprises and SMEs alike, the core takeaway is the indispensable value of informed, continuously updated cybersecurity expertise. Investing in such expertise, supported by adaptive frameworks and cutting-edge technology, is no longer optional but a strategic imperative for operational resilience and sustained growth. Businesses seeking to enhance their security posture, integrate advanced AI-powered analytics, or explore on-premise solutions for greater control over their data, can find tailored support and innovative products that meet these stringent requirements.
Source: Ponsard, C., Daune, J-F., Darquennes, D., Bouhou, M., & Point, N. (2026). Evolution and Perspectives of the Keep IT Secure Ecosystem: A Six-Year Analysis of Cybersecurity Experts Supporting Belgian SMEs. arXiv preprint arXiv:2604.02425. Available at: https://arxiv.org/abs/2604.02425