Structured assessment, GDPR and NIS2 adaptation, cyber risk management and incident response planning for Italian small and medium-sized enterprises. I do not sell products: I analyse your company's real risk and define a proportionate protection plan.
The Clusit 2023 Report recorded a 60% increase in cyber attacks on Italian SMEs compared to the previous year. The average cost of a breach for a small or medium-sized enterprise stands at around €180,000, considering operational downtime, data recovery, emergency communications and potential fines. Cybercriminals increasingly target companies with 50–250 employees: they are large enough to hold valuable data — customer records, patents, financial information, access credentials to critical systems — yet often lack the structured defences that characterise larger organisations. The false belief of being "too small to be attacked" is now one of the primary risk factors.
On the regulatory front, pressure has increased significantly. The GDPR provides for fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations, and the Italian supervisory authority has already imposed substantial fines on medium-sized companies. The NIS2 Directive, transposed into Italian law by Legislative Decree 138/2024, extends cybersecurity obligations to sectors such as manufacturing, food, transport and digital services: areas where thousands of SMEs operate, often unaware that they are subject to these requirements. Non-compliance is not just an operational risk: it is a legal risk with direct consequences for company directors, since NIS2 makes management bodies responsible for approving and overseeing the risk management measures and liable when they fail to do so.
My role is not to sell security products or impose expensive technical solutions. I am an independent consultant: my goal is to provide an objective analysis of your company's real risk and build a proportionate protection plan tailored to your size, sector and available resources. Every SME is different, and cybersecurity cannot be a one-size-fits-all package.
Before protecting, you need to know where you are exposed. The structured assessment across 12 control domains — governance, access, network, endpoints, patches, backup, physical security, suppliers, training, incident response, compliance and continuity — includes a vulnerability scan of internet-facing systems and a social engineering risk evaluation. The output is an executive report with a risk score for each domain and a remediation plan ordered by criticality and cost-to-benefit ratio.
On the GDPR side: Records of Processing Activities, legal basis review, procedures for data subject rights (access, erasure, portability), Data Processing Agreements, and breach notification support, covering the Article 33 notification to the supervisory authority within 72 hours of becoming aware of the breach and, where the breach poses a high risk to individuals, the Article 34 communication to the data subjects. On the NIS2 side: many SMEs are subject to its obligations, particularly those operating as suppliers to larger companies, often without knowing it. I verify applicability to your company, identify required measures and prepare the documentation to demonstrate compliance.
The human factor is involved in 85% of cyber incidents. I build a risk management framework adapted to the real dimensions of an SME: a risk register with a probability/impact matrix, a prioritised mitigation roadmap, and operational security policies (passwords, BYOD, remote access). I include staff training sessions with phishing simulations that measure how many people click the link and how many enter their credentials, so that the team's real-world exposure can be tracked over time and a lasting security culture built.
What to do, and who does what, when something goes wrong. The incident response plan defines a clear escalation chain, roles and operational procedures to contain damage in the shortest possible time. It includes a 3-2-1 backup strategy (three copies of the data, on two different media, one of them off-site) with at least one copy kept offline or immutable, so that ransomware that reaches the production network cannot encrypt the backups as well, and with periodic restore tests to confirm the copies are actually usable. It also includes a business continuity plan for critical functions, a crisis communication plan for customers and authorities, and a post-incident review protocol to prevent recurrence.
The Clusit 2024 Report confirms a trend that shows no sign of reversing: Italian SMEs are the preferred target of cybercriminals. Looking at the sectoral distribution of serious attacks recorded in Italy, manufacturing leads with 22% of incidents, followed by services at 18% and professional services at 15%. The IT and telecoms sector, healthcare, retail and logistics complete the picture. In all these sectors, the share of attacks directed at small and medium-sized organisations continues to grow.
The most frequent attack vectors against Italian SMEs in 2024 were phishing and spear phishing (35% of incidents), ransomware (28%) and credential stuffing (19%), in which username and password pairs leaked in breaches of other services are replayed against corporate logins and succeed wherever employees reuse passwords. Ransomware attacks are particularly devastating for SMEs: they completely block operations, encrypt data and demand ransoms that in many cases exceed the company's financial capacity. Phishing remains the preferred entry point because it requires no technical sophistication: a credible email and an untrained employee are enough.
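Credential stuffing has a recognisable signature in authentication logs: one source address tries many different accounts in a short time, most attempts fail, and the few that succeed mark the accounts whose reused passwords have been found. The script below is an added example, not part of the original page or the consultant's own tooling; the log format, field names and thresholds are assumptions, and the log lines are constructed for the demonstration. It contrasts a stuffing source with a single user who mistypes a password twice and then logs in, which a naive "too many failures" rule would treat the same way.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data). Source 203.0.113.7 cycles through
# seven accounts in five seconds and gets one of them right; 198.51.100.20 is
# one employee mistyping a password twice; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2024-05-06T08:00:01Z auth=FAIL user=m.rossi src=203.0.113.7
2024-05-06T08:00:02Z auth=FAIL user=g.bianchi src=203.0.113.7
2024-05-06T08:00:02Z auth=FAIL user=l.verdi src=203.0.113.7
2024-05-06T08:00:03Z auth=OK   user=a.neri src=203.0.113.7
2024-05-06T08:00:04Z auth=FAIL user=p.russo src=203.0.113.7
2024-05-06T08:00:05Z auth=FAIL user=f.conti src=203.0.113.7
2024-05-06T08:00:05Z auth=FAIL user=s.ferrari src=203.0.113.7
2024-05-06T08:01:10Z auth=FAIL user=m.rossi src=198.51.100.20
2024-05-06T08:01:25Z auth=FAIL user=m.rossi src=198.51.100.20
2024-05-06T08:01:40Z auth=OK   user=m.rossi src=198.51.100.20
2024-05-06T09:30:00Z auth=OK   user=g.bianchi src=192.0.2.44
"""

# Assumed line layout: ISO timestamp, auth=OK|FAIL, user=<name>, src=<ip>.
LINE_RE = re.compile(r"^(\S+)\s+auth=(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Turn log text into (timestamp, success, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, result == "OK", user, src))
    return events


def detect_credential_stuffing(text, window_seconds=600,
                               min_distinct_users=5, min_fail_ratio=0.7):
    """Flag source addresses that, inside one sliding window, hit many distinct
    accounts with a high failure ratio. Returns {src: stats} for flagged sources,
    including the accounts that were successfully logged into (the ones to reset)."""
    by_src = defaultdict(list)
    for when, ok, user, src in parse_log(text):
        by_src[src].append((when, ok, user))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, _, u in window}
            fails = sum(1 for _, ok, _ in window if not ok)
            if len(users) >= min_distinct_users and fails / len(window) >= min_fail_ratio:
                # keep the widest-spread window seen for this source
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(window),
                        "distinct_users": len(users),
                        "failures": fails,
                        "successful_logins": sorted({u for _, ok, u in window if ok}),
                    }
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, stats)
```

The distinguishing feature is the number of distinct accounts per source, not the raw failure count: a locked-out employee produces many failures against one account, a stuffing run produces a few failures against each of many accounts. Any account that appears in `successful_logins` for a flagged source should be treated as compromised and have its password reset and sessions revoked, and the same source address blocked at the perimeter or the identity provider.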
SMEs are easier targets not because they have less data, but because they invest less in security and pair a generalist internal IT function with security governance that is almost always absent. A traditional IT provider manages infrastructure and helpdesk: it does not perform structured risk assessments, does not understand the regulatory implications of GDPR or NIS2, does not write security policies and does not train staff against social engineering. An independent cybersecurity consultant fills exactly this gap, without conflicts of interest tied to product sales.
Yes, and the risk is growing rapidly. The Clusit 2023 Report recorded a 60% increase in attacks on Italian SMEs. Cybercriminals target companies with 50–250 employees because they hold valuable data but often have weak defences. The belief of being "too small to be attacked" is now one of the primary risk factors for an SME.
The NIS2 Directive extends cybersecurity obligations to sectors including manufacturing, food, digital services, transport, waste management and many others. It has been transposed into Italian law. Many SMEs are subject to NIS2 obligations without knowing it — in particular those operating as suppliers to medium or large companies. The first step is to verify whether your company falls within its scope.
A cybersecurity consultant complements internal IT, not replaces it. Internal IT manages daily operations: networks, computers, servers, helpdesk. I handle the strategic, regulatory and governance aspects: structured risk assessment, GDPR and NIS2 compliance, security policies, staff training, incident response planning. These are different and complementary skill sets.
A basic assessment for an SME requires 2–4 days of analysis, interviews with key staff and technical verification. The executive report — with a risk score for each control domain, GDPR/NIS2 gaps and a prioritised remediation plan — is ready within one week. For companies with more complex infrastructure or multiple sites, timelines scale proportionally.
Ransomware encrypts your data and halts business operations, often for days or weeks. The average cost for an SME, combining operational downtime, data recovery, crisis management and potential GDPR fines, exceeds €180,000. With an incident response plan and a backup strategy based on the 3-2-1 rule, including at least one copy that is offline or immutable and therefore out of reach of the ransomware, the damage can be contained to the time needed to restore. Without them, the options available are drastically reduced.
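The 3-2-1 rule mentioned in the incident response section and in this answer is easy to state and easy to get subtly wrong: a NAS in the same server room as the file server is a second copy but not a second medium, not off-site, and still reachable by ransomware. The script below is an added example, not part of the original page; the inventory fields and the two sample inventories (a weak one and a corrected one) are constructed assumptions. It checks an inventory of copies, including the production copy, against the rule and against the offline-or-immutable caveat.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str               # e.g. "disk", "tape", "object-storage"
    location: str             # e.g. "hq-serverroom", "cloud-eu-south"
    offsite: bool             # physically or logically separate site
    offline_or_immutable: bool  # cannot be modified from the production network


def check_321(copies):
    """Evaluate an inventory (production copy included) against 3-2-1 plus the
    ransomware caveat. Returns a dict with 'ok' and a list of human-readable findings."""
    findings = []
    media = {c.medium for c in copies}
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data; the rule requires 3")
    if len(media) < 2:
        findings.append(f"all copies are on the same medium ({', '.join(sorted(media))}); the rule requires 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy: a fire, theft or site-wide outage loses everything")
    if not any(c.offline_or_immutable for c in copies):
        findings.append("no offline or immutable copy: ransomware on the network can encrypt every copy")
    return {
        "ok": not findings,
        "copies": len(copies),
        "media": sorted(media),
        "findings": findings,
    }


# Constructed example of a typical SME setup: file server plus a NAS next to it.
WEAK_INVENTORY = [
    BackupCopy("file-server", "disk", "hq-serverroom", offsite=False, offline_or_immutable=False),
    BackupCopy("nas-nightly", "disk", "hq-serverroom", offsite=False, offline_or_immutable=False),
]

# Constructed corrected setup: same two copies plus object storage in another
# region with object lock enabled, which gives the third copy, the second
# medium, the off-site copy and the immutable copy in one step.
CORRECTED_INVENTORY = WEAK_INVENTORY + [
    BackupCopy("cloud-object-lock", "object-storage", "cloud-eu-south",
               offsite=True, offline_or_immutable=True),
]


if __name__ == "__main__":
    for label, inv in (("weak", WEAK_INVENTORY), ("corrected", CORRECTED_INVENTORY)):
        print(label, check_321(inv))
```

A passing result says only that the copies exist in the right places; it says nothing about whether they restore. The restore tests the incident response plan calls for are what turn this inventory check into actual recovery capacity.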
Not all companies are required to appoint a DPO. Article 37 of the GDPR mandates one in three cases: public authorities and bodies; organisations whose core activities consist of large-scale processing of special categories of data (health, ethnic origin, biometric data and the like) or of data relating to criminal convictions and offences; and organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale. Many SMEs do not fall into these cases, but could still benefit from an external DPO on a consultancy basis. During the assessment phase I verify your specific situation and provide a reasoned recommendation.
The first call is free with no obligation. Let's talk about your business goals.
Let's review your business priorities together