Why Italy remains a top target for cyberattacks in 2025

The Clusit 2025 report paints a sobering picture for Italian businesses. With approximately 357 serious cyber incidents recorded against Italian organisations in 2024 alone, Italy continues to absorb a disproportionate share of global cyberattacks — roughly 10% of all incidents worldwide, despite representing just 2% of global GDP.

For business owners across Europe, and particularly in Italy, these numbers are not abstract. They translate directly into operational disruptions, financial losses, and reputational damage that can take years to recover from.

What the Clusit 2025 data actually tells us

Globally, researchers documented 3,541 serious cyber incidents in 2024, a 27% increase compared to the previous year. Over the past five years, the total number of significant attacks has more than doubled.

Italy’s trajectory is equally alarming. After a staggering 65% spike in attacks between 2022 and 2023, the country saw a further 15-18% increase in 2024. The trend line is clear: cybercriminals are not losing interest in Italian targets.

What makes these figures particularly striking is the methodology behind them. Clusit only tracks publicly disclosed, serious incidents. The actual number of attacks — especially those hitting smaller companies that never make the news — is estimated to be significantly higher.

The sectors under pressure

Manufacturing tops the list of targeted industries in Italy, accounting for roughly 13-15% of recorded incidents. This is well above the global average and reflects the makeup of Italy’s economy, where small and medium manufacturers form the backbone of entire supply chains.

Government and public administration remain the single most attacked sector at 15-18% of Italian incidents, followed closely by healthcare, which has seen rapid growth as a target. Financial services, transportation, and education round out the list.

For SMBs, the manufacturing data is particularly relevant. Many of the targeted “manufacturing” companies are not large multinationals — they are mid-sized firms with 50 to 250 employees, often with limited IT security resources and deep integration into larger supply chains.

How attackers are getting in

Ransomware continues to dominate, making up the bulk of malware-based attacks, which account for around 36% of all incidents globally. The playbook is well-established: attackers encrypt critical business data and demand payment, often after exfiltrating sensitive information for additional leverage.

Exploitation of known software vulnerabilities is the fastest-growing attack vector, now responsible for 18-20% of incidents. This is a critical point for business owners: many of these attacks succeed not because of sophisticated zero-day exploits, but because organisations fail to apply security patches that have been available for weeks or months.

In Italy specifically, DDoS attacks are disproportionately common, reaching 14-17% of all incidents. Much of this activity stems from pro-Russian hacktivist groups that have repeatedly targeted Italian government services and critical infrastructure since 2022. While DDoS attacks are typically less damaging than ransomware, they disrupt operations and can serve as smokescreens for more targeted intrusions.

Phishing and social engineering account for another 8-9% of attacks globally, though their real impact is far greater — phishing emails are frequently the initial entry point that leads to a full ransomware deployment weeks later.

Why European SMBs should pay attention

Italy’s economy is made up of approximately 95% small and medium businesses. Most of these companies lack a dedicated cybersecurity team, and many rely on a single IT generalist — or an external provider who visits once a week — to manage their entire digital infrastructure.

Attackers have noticed. Ransomware operators have increasingly shifted toward a high-volume, lower-ransom model that specifically targets SMBs. The logic is straightforward: a company with 80 employees is less likely to have robust backups, incident response plans, or the negotiating expertise to resist paying a ransom. Multiply that across hundreds of targets and the business model is extremely profitable.

The supply chain risk

Perhaps the most underappreciated threat for SMBs is their role in supply chains. A small component manufacturer or logistics provider may not consider itself an attractive target, but attackers know that compromising a supplier can open doors to much larger organisations downstream.

The Clusit report has repeatedly highlighted this dynamic. Italian SMBs are not just victims — they are increasingly used as stepping stones in broader campaigns against multinational corporations and public institutions.

Practical steps that actually matter

For business owners reading these numbers, the question is always the same: what should we do? Based on the attack patterns documented in the Clusit 2025 report, a few measures stand out for their effectiveness relative to cost.

Patch management is not optional

With vulnerability exploitation growing rapidly as an attack vector, keeping software updated is one of the highest-impact actions any organisation can take. This applies to operating systems, business applications, firewalls, and VPN appliances — which have been a favoured target for attackers in recent years.

Employee awareness training

Phishing remains the most common way attackers establish their initial foothold. Regular, practical training — not annual checkbox exercises — helps employees recognise suspicious emails before they click. Simulated phishing campaigns are inexpensive and measurably effective.

Backup and recovery planning

Ransomware only works as a business model when victims have no alternative but to pay. Organisations that maintain tested, offline backups and have a documented recovery plan can often restore operations without engaging with attackers at all. The key word is “tested” — a backup that has never been restored is not a backup, it is a hope.

NIS2 compliance as a framework

The EU’s NIS2 directive, which expanded cybersecurity obligations across a wider range of sectors and company sizes, provides a useful framework even for organisations not directly subject to it. Its requirements around risk management, incident reporting, and supply chain security represent a reasonable baseline for any business that depends on digital infrastructure.

The bigger picture

The Clusit 2025 report confirms what security professionals have been warning about for years: cyberattacks against Italian and European businesses are not a temporary spike. They are a structural trend driven by organised criminal groups, geopolitical hacktivism, and the expanding digital footprint of companies that were never designed to operate as technology firms.

For SMBs, the gap between the threat landscape and actual preparedness remains wide. Closing that gap does not require enormous budgets or enterprise-grade security operations centres. It requires consistent attention to fundamentals — patching, training, backups, and a clear understanding of what data matters most and how to protect it.

The numbers in the Clusit report will almost certainly be worse next year. The question for each business owner is whether their organisation will be better prepared to face them.

Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.