Cybersecurity in Manufacturing SMEs : 3 Blind Spots Revealed by Our Survey

Lire en français

On March 30 and 31, 2026, we con­duct­ed an in-per­son sur­vey of 30 French SMEs in the man­u­fac­tur­ing sec­tor.

Method­ol­o­gy note : This sur­vey includ­ed only three ques­tions, but it also led to direct dis­cus­sions with respon­dents, which enriched our analy­sis beyond the respons­es alone. That said, we are ful­ly aware that it is not intend­ed to be sta­tis­ti­cal­ly rep­re­sen­ta­tive of all French man­u­fac­tur­ing SMEs. It does, how­ev­er, pro­vide a use­ful field-based sig­nal.

Our objec­tive was to bet­ter under­stand how these com­pa­nies per­ceive cyber threats, as well as their lev­el of pre­pared­ness, so that we can adapt our aware­ness efforts accord­ing­ly. The con­text makes this nec­es­sary. Finan­cial­ly moti­vat­ed cyber­at­tacks are now more indus­tri­al­ized, more oppor­tunis­tic, and affect orga­ni­za­tions of all sizes. At the same time, the French frame­work for imple­ment­ing the NIS2 Direc­tive is being clar­i­fied.

Our sur­vey high­lights a clear gap between the real­i­ty of cyber threats, the lev­el of pre­pared­ness required, and the way many SME lead­ers still per­ceive these issues.

Source : LINARIS

#1 : “We are not a target”

A lin­ger­ing sense of immu­ni­ty

Most of the com­pa­nies sur­veyed believe they are exposed. How­ev­er, a sig­nif­i­cant pro­por­tion — 7 out of 30 — still think they can­not be a tar­get.

The facts point in the oppo­site direc­tion

Yet the lat­est pub­lic data shows oth­er­wise. ANSSI (French Nation­al Cyber­se­cu­ri­ty Agency) states that SME remain among those most affect­ed by ran­somware. It also empha­sizes that cyber­crim­i­nals tar­get most sec­tors and geo­graph­ic areas. In oth­er words, the ques­tion should no longer be, “Why us?” but rather, “What makes us eas­i­er to tar­get?”.

Cyber­at­tacks are becom­ing indus­tri­al­ized

This shift in think­ing is all the more impor­tant because cyber­crime has become increas­ing­ly pro­fes­sion­al­ized.

ANSSI notably describes the ran­somware-as-a-ser­vice mod­el, which makes it pos­si­ble to indus­tri­al­ize attacks and mul­ti­ply them. In prac­ti­cal terms, one group pro­vides the tools, infra­struc­ture and some­times even sup­port. Affil­i­ates then car­ry out the attacks in exchange for a share of the ran­som pay­ments.

We are no longer deal­ing with a hand­ful of iso­lat­ed hack­ers. We are fac­ing a qua­si-indus­tri­al mod­el of cyber­at­tacks. And this trend may accel­er­ate fur­ther with gen­er­a­tive AI, which makes cam­paigns faster, more cred­i­ble and eas­i­er to deploy at scale.

#2 : Knowing how to restart “in theory” is not enough

Recov­ery time is often assumed, rarely proven

Based on the respons­es col­lect­ed, only 7 out of 30 com­pa­nies appear able to say that they know their recov­ery time and have already test­ed it. But among them, some last test­ed it more than a year ago.

In the event of a cyber­at­tack that brings every­thing to a halt — in oth­er words, a cyber cri­sis — the real ques­tion is not sim­ply whether back­ups exist. Above all, it is whether busi­ness activ­i­ty can be restored with­in a time­frame that is com­pat­i­ble with the company’s busi­ness needs.

CNIL also points out that back­up restora­tion, as well as the imple­men­ta­tion of busi­ness con­ti­nu­ity or dis­as­ter recov­ery plans, must be test­ed reg­u­lar­ly. Until that test has tak­en place, this is not a proven capa­bil­i­ty, and recov­ery time remains an assump­tion.

Recov­er­ing with­out major loss is a lead­er­ship mat­ter

More impor­tant­ly, a recov­ery test is not just an IT exer­cise. It requires trade-offs between busi­ness pri­or­i­ties, deci­sions on what needs to be restart­ed first, and some­times accep­tance of a tem­po­rary degrad­ed mode of oper­a­tion. It also requires coor­di­na­tion across pro­duc­tion, logis­tics, finance and cus­tomer rela­tions.

IT restores sys­tems. But only senior man­age­ment can val­i­date a recov­ery sequence that is aligned with the company’s busi­ness pri­or­i­ties.

#3 : NIS2 is still unclear for many business leaders

A top­ic that remains lit­tle known

The lev­el of aware­ness around NIS2 remains low, as 25 out of the 30 com­pa­nies say they have either nev­er heard of it or are unfa­mil­iar with its con­tent. This does not sur­prise us. It is a new, dense reg­u­la­to­ry top­ic, and it is not always easy to trans­late into oper­a­tional terms.

More than a direc­tive, a broad­er sig­nal

Yet this issue goes well beyond the cir­cle of spe­cial­ists. NIS2 is a Euro­pean direc­tive aimed at rais­ing the lev­el of cyber­se­cu­ri­ty across 18 crit­i­cal sec­tors. It requires the enti­ties con­cerned to strength­en the way they pre­vent, gov­ern and man­age cyber risk. Like the GDPR, non-com­pli­ance can lead to sanc­tions.

Senior man­age­ment is now respon­si­ble for cyber­se­cu­ri­ty

Beyond the reg­u­la­to­ry frame­work, how­ev­er, the mes­sage is clear : cyber­se­cu­ri­ty is not just an IT mat­ter ; it direct­ly involves senior man­age­ment. It is an issue of gov­er­nance, orga­ni­za­tion and antic­i­pa­tion. The Euro­pean Com­mis­sion also empha­sizes that NIS2 strength­ens top man­age­ment account­abil­i­ty for cyber risk man­age­ment.

In summary

These three find­ings tell the same sto­ry. Many com­pa­nies have not yet ful­ly shift­ed from an IT-dri­ven view of cyber­se­cu­ri­ty to a busi­ness-dri­ven one — that is, a view cen­tered on busi­ness con­ti­nu­ity, resilience and lead­er­ship respon­si­bil­i­ty.

Author
Lai LY
Cyber­se­cu­ri­ty Gov­er­nance Spe­cial­ist

Con­trib­u­tor
Stéphane HIVERT
Cyber­se­cu­ri­ty Spe­cial­ist for SMEs

Thank you

We warm­ly thank the 30 com­pa­nies in the man­u­fac­tur­ing sec­tor that took part in this sur­vey for their time and for the qual­i­ty of their respons­es.

Would you like to know where your SME stands on these three key issues — actu­al expo­sure, recov­ery capa­bil­i­ty, and pre­pared­ness for NIS2 ?

LINARIS can help.

We are one of the few con­sult­ing firms spe­cial­ized in SME cyber­se­cu­ri­ty that can sup­port you across the full cyber-resilience cycle, from assess­ment to gov­er­nance.


Con­tact us for a free, no-oblig­a­tion dis­cus­sion.

Disclaimer

This report is pro­vid­ed for infor­ma­tion­al pur­pos­es only and reflects the author’s opin­ion at the time of analy­sis.
It does not con­sti­tute legal or reg­u­la­to­ry advice and does not guar­an­tee the absence of risks or vul­ner­a­bil­i­ties.
Threats and risk lev­els may evolve over time.
Any deci­sions tak­en on the basis of this report remain the sole respon­si­bil­i­ty of the read­er.

Similar Posts