Journal of Cyber Security and Risk Auditing

ISSN: 3079-5354 (Online)

Cybersecurity Challenges in Small and Medium Enterprises: A Scoping Review

by Mujtaba Awan; Abu Alam; Muhammad Kamran


Published: 2025/07/10

Abstract

Small and medium-sized enterprises (SMEs) are among the most important engines of the global economy, providing financial benefits to the population in the form of businesses (90%) and employment (60%). As the rate of cybercrime has increased, SMEs have been overlooked in terms of cybersecurity measures, leaving them unprepared to deal with the increasing frequency, sophistication, and destructiveness of cyber challenges. This scoping review addresses the various cybersecurity threats to SMEs and possible ways to overcome them. Several databases, including Google Scholar, IEEE, Elsevier, Science Direct, and Taylor & Francis Online, were used to explore the reported literature and were searched using various terms, both in combination and separately. Overall, 30 research articles were found to be most relevant to the topic, from which 20 unique themes were identified and categorized as novel findings. A framework was proposed for this scoping review by performing data analysis, which led us to find 20 different types of cyber challenges in SMEs. These challenges were further standardized into four classes. In this review, the main challenges to attaining cybersecurity resilience in SMEs are found to be a lack of awareness, unsuitable guidelines for SMEs, limited cybersecurity knowledge, and constrained financial resources.

Keywords

Cybersecurity; Cybersecurity Threat; Small and medium enterprises; Challenges; Barriers

How to Cite the Article

Awan, M., Alam, A., & Kamran, M. (2025). Cybersecurity Challenges in Small and Medium Enterprises: A Scoping Review. Journal of Cyber Security and Risk Auditing, 2025(3), 89–102. https://doi.org/10.63180/jcsra.thestap.2025.3.7
