Latvia Cybersecurity: SMEs at Risk & Regional Differences | LMT Study
A recent survey indicates that cybersecurity oversight is significantly less common among smaller businesses in Latvia. While just over half of all Latvian companies regularly monitor and assess cyber threats, that figure drops considerably when looking at micro and small enterprises, raising concerns about their vulnerability to increasingly sophisticated attacks.
The findings, released by LMT, highlight a stark contrast between large and small businesses. More than 80% of large companies consistently monitor cybersecurity, compared to just over 40% of small businesses. The disparity is even more pronounced in the Zemgale region, where 100% of large companies actively oversee cybersecurity, but only 45% of small businesses and 28% of micro-enterprises do the same. Similar gaps exist across other Latvian regions, suggesting a systemic issue rather than a localized problem.
Regional Disparities in Cybersecurity Awareness
The lack of consistent monitoring isn’t the only concern. The survey also revealed significant differences in how regularly employees are informed and trained about cybersecurity and data protection risks. The most significant discrepancies were observed in the Pierīga region, where 44% of small businesses and 88% of large businesses actively engage in employee training. Even in Latgale, a region often considered more rural, 56% of large companies prioritize employee cybersecurity education.
Mārtiņš Kaļķis, Head of LMT Cybersecurity Development, emphasizes that the perception that cybersecurity incidents only affect large organizations is a dangerous misconception. According to LMT, cyberattacks occur daily against small and medium-sized enterprises, leading to reputational damage, financial losses, and operational downtime. These incidents can be particularly devastating for smaller businesses, which often lack the financial resources to recover quickly.
Kaļķis further points out that small businesses are often crucial partners to larger organizations, making them potential entry points for attacks targeting bigger entities. This interconnectedness underscores the importance of robust cybersecurity practices across all business sizes.
The Growing Threat Landscape and NIS2 Directive
The heightened focus on cybersecurity comes amid a broader global trend of increasing cyber threats. LMT’s website highlights that 97% of organizations have experienced an increase in cyber threats since the start of the Russia-Ukraine war. In 2023, the majority of global organizations faced ransomware attacks, and the projected global cost of cybercrime is expected to reach $10.5 billion by 2025.
Adding to the urgency is the implementation of the NIS2 directive, a European Union regulation aimed at strengthening cybersecurity standards. The NIS2 directive, adopted in 2022, expands the scope of industries required to comply with new cybersecurity rules, as outlined by LMT. In Latvia, the National Cybersecurity Law and related regulations will enforce these requirements. Sectors now included beyond the original NIS1 directive include postal services, courier services, food production, industrial manufacturing, and waste management.
The directive is being phased in, with requirements taking effect from May 2024. The goal is to ensure a consistently high level of cybersecurity across the entire European Union. Key dates include the approval of the National Cybersecurity Law in June 2024, the directive’s effective date in September 2024, and the deadline for companies to report their compliance status in April 2025.
Financial Implications and Business Continuity
The financial implications of a cyberattack can be substantial. Beyond the immediate costs of remediation and data recovery, businesses face potential fines, legal fees, and loss of customer trust. LMT Group’s financial performance demonstrates the importance of stability in a volatile environment. Preliminary data indicates that LMT Group’s turnover in 2026 was €335.1 million, an increase of 8.2% compared to 2025. But, in 2025, the group’s turnover was €308.608 million, a slight decrease of 0.5% compared to 2024, while profit increased by 6.1% to €34.038 million. These figures underscore the demand for proactive risk management, including cybersecurity, to maintain financial health.
The ownership structure of LMT Group is also undergoing changes, with Telia Company and its subsidiary Sonera Holding signing a memorandum of understanding to sell their shares to Latvia, Latvenergo, and Latvijas Valsts radio un televīzijas centrs (LVRTC). Upon completion of the sale and the attraction of a strategic investor, all parties involved – Latvenergo, LVRTC, Possessor, and the strategic investor – are expected to hold approximately 25% of the company’s capital.
Addressing the Skills Gap and Promoting Awareness
The lack of awareness and resources among small businesses highlights the need for targeted support, and education. LMT Group is hosting a practical webinar, “Small Business – Big Target. First Steps to Protect Your Business,” on March 24th, featuring cybersecurity experts from Cert.lv, EDIC, and LMT. The webinar aims to provide actionable guidance for small businesses looking to improve their cybersecurity posture.
The EDIC survey involved 10,000 companies across Latvia, providing a broad representation of the business landscape. The results clearly indicate that a concerted effort is needed to raise awareness and provide accessible resources to assist small businesses mitigate the growing threat of cyberattacks.
Looking ahead, strengthening cybersecurity will require a collaborative approach involving government agencies, private sector companies, and individual businesses. Investing in employee training, implementing robust security measures, and staying informed about the latest threats are crucial steps for protecting businesses of all sizes in Latvia’s evolving digital landscape.