A cyberattack on a small business in the energy sector doesn’t just cause temporary disruption — it can wipe out operations completely.
Unlike large corporations with dedicated cybersecurity teams and recovery plans, SMEs often lack the resources to bounce back. Many never do. Worse still, their weak security can open the door for cybercriminals to access larger companies and critical infrastructure.
At EnergyWeek 2025, the seminar “Enhancing Cybersecurity in the Energy Sector for SMEs” highlighted the growing risks that small businesses face in an increasingly digitalized industry. The takeaway? Cybersecurity isn’t just an IT issue; it’s about survival.
SMEs are entry points for attacks—and many don’t see it
Many small businesses assume they won’t be targeted, but cybercriminals see them differently. Jadranka Lovrić, Senior Project Manager at CROBOHUB++, pointed out that SMEs often underestimate risks, failing to update software or take basic security precautions.
“In Croatia, we see a lack of risk awareness,” she said. “Small businesses assume they’re not a primary target, but that’s exactly what makes them vulnerable.”
Lovrić explained that many SMEs don’t update their software regularly, don’t have structured cybersecurity policies, and lack the expertise to handle digital threats.
“The root cause of many cyber incidents is human error,” she noted. “With a limited budget, cybersecurity is often ignored, and companies don’t realize how critical it is until something happens.”
One of the biggest dangers is that SMEs don’t just risk their own operations — they can be used as a stepping stone to breach bigger players. Attackers know that smaller companies often work with larger corporations and government agencies, making them a weak link in the supply chain. Once inside an SME’s system, hackers can move further up the network, causing damage far beyond the initial breach.
Cybersecurity should be part of business strategy
Bahaa Eltahawy, cybersecurity expert at ROBOCOAST, emphasized that many SMEs don’t view cybersecurity as a return on investment. Instead of integrating it into their core business, they see it as an extra expense—until an attack happens.
“Cybersecurity is not rooted in core design or core practices—it’s seen as an add-on,” he said.
The problem, according to Eltahawy, is that cybersecurity is not just about technology, it’s about business continuity.
“Be proactive and don’t lay all your eggs in one basket,” he advised. Network segregation, multi-factor authentication, and strict verification of contractors and suppliers are all key measures.
“Many cyber breaches don’t come from direct hacking but through third-party service providers with weak security practices,” he said. “A company might have good security in-house, but if an external supplier is compromised, the entire system can be at risk.”
Eltahawy estimates that up to 60% of cyberattacks happen because of human error, mostly due to a lack of awareness. Many companies focus on securing their internal systems but fail to demand the same security standards from their suppliers and contractors. “Other contractors or suppliers in the system also need to have their cyber hygiene in order—maybe with a written protocol,” he suggested.
He pointed to the seven-layer security model, explaining that the outermost layer isn’t technical — it’s human security. “It’s not just a technical issue. It’s about business continuity and a cultural shift,” he said.

Security isn’t just about technology
Henrik Madsen, professor at the Technical University of Denmark, focused on the human factor in cybersecurity. Poor system design, bad habits, and lack of awareness create openings for cybercriminals. “We live in an interconnected world. You shouldn’t connect more computers than you need,” he said. “Cybersecurity is a dynamic issue that keeps evolving. If you don’t keep up, you fall behind.”
Madsen also stressed that the energy sector is expanding into all areas of life, making cybersecurity not just a technical necessity, but a political and societal issue as well. “We need to keep an eye on everything and inform politicians,” he said. “Security by design is crucial.”
Another issue is the lack of collaboration among SMEs. Many businesses assume they are facing these challenges alone, when others are dealing with the same issues. “SMEs need to start talking to each other about cybersecurity,” Madsen urged.
A competitive advantage that businesses can’t ignore
For Petra Berg, postdoctoral researcher at the University of Vaasa, cybersecurity isn’t just about preventing attacks—it’s about trust and reputation. Businesses today are deeply connected, whether through B2B partnerships or direct customer relationships. Companies that fail to take cybersecurity seriously risk losing clients and partners who expect secure operations.
Berg sees a major cultural gap in how small businesses approach cybersecurity. Many SMEs don’t fully grasp what it means to operate in a digital world.
“Many of us haven’t lived in this digital age before,” she said. “We need to re-learn.”
She also pointed to the challenges and opportunities of cybersecurity in the business ecosystem.
“We have an ecosystem network connected to bigger actors in B2B relationships, where trust and safety are required, and in B2C transactions, where companies must safeguard customer data. Many small businesses aren’t fully on board with what this means.”
Berg also raised concerns about smart meters and data security, questioning how much control businesses and consumers are handing over to digital systems. “Do we really need so much control?” she asked. “Your data is usually guarded—but not always. Privacy is a human right, yet we’re becoming open books.”
She described cybersecurity as a cultural clash, particularly in the Nordics, where personal freedom and trust in institutions have traditionally been strong.
“When you choose your technology, you also choose your spy,” she said, emphasizing the need for businesses to rethink their approach to digital security, adopt a proactive mindset, and develop smarter security habits.
Cybersecurity is a business decision
The discussion at EnergyWeek made clear that small businesses can no longer afford to treat cybersecurity as an afterthought. As Petra Berg put it: “Awareness is not enough—we need to act.”
For SMEs, cybersecurity needs to be part of everyday business decisions, not something to consider only when a problem arises. Companies that take a proactive approach—investing in secure systems, setting clear security standards for suppliers, and training employees—will be in a stronger position to handle future threats.