Unaware, Unfunded and Uneducated: A Systematic Review of SME Cybersecurity

Abstract

Small and Medium Enterprises (SMEs) are pivotal in the global economy, accounting for over 90% of businesses and 60% of employment worldwide. Despite their significance, SMEs are often disregarded in cybersecurity initiatives, rendering them ill-equipped to deal with the growing frequency, sophistication, and destructiveness of cyberattacks. We systematically reviewed the cybersecurity literature on SMEs published between 2017 and 2024. We focus on research discussing cyber threats, adopted controls, challenges, and constraints SMEs face in pursuing cybersecurity resilience. Our search yielded 1090 studies that we narrowed to 132 relevant papers. We identified 44 unique themes and categorised them as novel findings or established knowledge. This distinction revealed that research on SMEs is shallow and has made little progress in understanding SMEs' roles, threats, and needs. Studies often repeated early discoveries without replicating or offering new insights. Existing research indicates that the main challenges to attaining cybersecurity resilience of SMEs are a lack of awareness of cybersecurity risks, limited cybersecurity literacy, and constrained financial resources. Resource availability varied between developed and developing countries. Our analysis indicated a relationship among these themes, suggesting that limited literacy is the root cause of awareness and resource constraint issues.