What the Clusit 2025 report tells us about cyber threats in Europe
The annual Clusit report has become one of the most authoritative references for understanding the state of cybersecurity in Italy and across Europe. The 2025 edition, covering incidents from 2024, paints a picture that no business leader can afford to ignore: 3,541 serious cyber incidents were recorded globally, a staggering 27% increase over the previous year. For small and medium businesses operating in the European market, the findings carry urgent and very practical implications.
Over the past five years, serious cyber incidents have grown by 110%. That is not a gradual uptick — it is an acceleration. And the data shows that Europe, and Italy in particular, are bearing a disproportionate share of the burden.
Italy under pressure: a disproportionate target
One of the most striking findings in the Clusit 2025 report is Italy’s outsized role as a target. Despite representing roughly 1% of global GDP, Italy accounted for approximately 10–11% of all serious incidents tracked worldwide. That gap is hard to explain away, and it points to structural vulnerabilities in the country’s digital infrastructure and business fabric.
Italy recorded around 357 serious incidents in 2024, with a year-over-year growth rate of roughly 65% — more than double the global average. The manufacturing sector, the backbone of Italy’s economy, was hit particularly hard. While manufacturing accounts for about 6–7% of attacks globally, in Italy that figure climbs to 16–18%. This reflects the reality that many Italian manufacturers, especially smaller ones, still operate with outdated systems and limited cybersecurity budgets.
Government and public administration were also heavily targeted, alongside a sharp increase in attacks on healthcare organisations. For any SMB that works within these supply chains — as a vendor, contractor, or service provider — the risk extends well beyond your own network perimeter.
How attackers are getting in
Understanding the methods behind these attacks is critical for building an effective defence. Malware, including ransomware, remained the dominant attack type in 2024, accounting for roughly 36% of all incidents globally. Ransomware in particular continues to be the weapon of choice for financially motivated criminals, who now operate with the sophistication of legitimate businesses.
The exploitation of software vulnerabilities rose sharply, reaching 18–20% of all attacks. This growth reflects the increasing speed at which threat actors weaponise newly discovered flaws — often before organisations have had time to apply patches. For SMBs that struggle to maintain a regular patching cycle, this trend is especially dangerous.
Phishing and social engineering still make up about 16% of incidents. These attacks do not target your firewalls — they target your people. A single convincing email can bypass every technical control you have in place. DDoS attacks also saw a notable uptick, particularly in Italy, where hacktivist groups linked to geopolitical conflicts launched disruptive campaigns against government services and critical infrastructure.
The severity problem: most attacks now cause real damage
It is not just the volume of attacks that should concern business leaders — it is their impact. The Clusit 2025 report found that over 80% of recorded incidents were classified as “high” or “critical” severity. Nearly 40% fell into the critical category, meaning they caused significant operational, financial, or reputational damage.
This shift matters because it indicates that attackers are becoming more targeted and more effective. The days of opportunistic, low-impact attacks are giving way to carefully planned operations designed to extract maximum value. For an SMB, a single critical incident can mean weeks of downtime, regulatory fines, and lasting damage to client relationships.
What is driving the attacks — and who is behind them
Financially motivated cybercrime accounts for roughly 84% of all incidents globally. This is overwhelmingly a money problem, driven by organised criminal groups that treat ransomware and data theft as a business model.
However, hacktivism is a growing factor, particularly in Italy and across Europe. Approximately 8–9% of global attacks were attributed to hacktivist groups, but in Italy the figure was significantly higher — around 15–18% — largely driven by pro-Russian groups conducting DDoS campaigns and defacement attacks in the context of the ongoing geopolitical tensions.
Espionage and information warfare round out the picture, accounting for a smaller but strategically significant share. For businesses operating in sensitive sectors or working with government clients, these threats add another layer of complexity to an already challenging landscape.
What European SMBs should do now
The Clusit report is not just a catalogue of bad news. It also highlights the areas where organisations can make the most meaningful improvements. Here is what matters most for SMBs:
Take the NIS2 directive seriously
The EU’s NIS2 directive has expanded the scope of cybersecurity obligations to a much wider range of businesses and sectors. If you are in a covered sector — and the list is broader than many expect — compliance is not optional. Beyond the legal requirement, NIS2 provides a practical framework for building baseline security capabilities. Use it as a roadmap, not just a checkbox exercise.
Prioritise vulnerability management and patching
With vulnerability exploitation growing as an attack vector, timely patching is no longer a best practice — it is a survival skill. Automated patch management tools and regular vulnerability scanning can dramatically reduce your exposure, even with a small IT team.
Invest in people, not just technology
Phishing remains a top entry point because it works. Regular, practical security awareness training for all employees is one of the highest-return investments an SMB can make. Focus on realistic simulations and short, frequent sessions rather than annual compliance presentations.
Strengthen your supply chain posture
If you are part of a larger supply chain — as many Italian SMBs are — your security posture affects your clients and partners. Expect increasing pressure from larger organisations to demonstrate your cybersecurity maturity. Start documenting your controls and incident response procedures now, before a client audit forces the conversation.
Build an incident response capability
The question is not whether you will face an incident, but when. Having a tested incident response plan, even a simple one, can mean the difference between a contained disruption and a full-blown crisis. Know who to call, what to isolate, and how to communicate — before you need to.
The bigger picture
The Clusit 2025 report confirms a trend that has been building for years: cyber threats are growing faster than most organisations’ ability to defend against them. Europe’s share of global attacks continues to rise, and Italy’s position as a disproportionate target makes the situation particularly acute for businesses operating in the Italian market.
The good news is that the fundamentals of effective cybersecurity have not changed. Patch your systems, train your people, manage your access controls, and plan for incidents. What has changed is the urgency. The data no longer allows anyone to treat cybersecurity as someone else’s problem.
Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.
Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.