For 19 percent of small companies in Poland that experienced a cyberattack, the consequences were very serious. At the same time, 32 percent of attacked entities did not introduce any changes after the incident.
Twenty-six percent of small companies declare that they incur no expenses at all on protection against digital attacks. In large organisations, annual spending can exceed PLN 50,000.
In medium-sized and large entities, cybersecurity is most often handled by an employee or a dedicated IT team. In small businesses, this area is more often the responsibility of the owner.
Over the past 12 months, 85 percent of small companies and 45 percent of medium-sized companies have not carried out any cyber risk assessment of their organisations.
The financial and operational costs of a single attack
A Mastercard survey conducted at the turn of 2025 and 2026 among IT specialists in small, medium-sized and large companies in Poland showed the scale of cyberattacks on Polish enterprises and the approach of business owners to cyber threats. Among respondents, every second large company, 44 percent of medium-sized companies and 25 percent of small companies admitted that their organisation had experienced a cyberattack or digital security breach.
What impact did these incidents have on the operations of the affected organisations? In the case of small entities, 42 percent of respondents said that the consequences of the incident were serious or moderate, causing major disruption in 19 percent of cases and partial disruption in 23 percent. Almost one in three medium-sized companies, 31 percent, experienced minor complications and moderate disruption.
Company representatives were also asked how much a cybercriminal attack actually cost their business. One in five small companies admitted that the financial losses were minor, amounting to up to PLN 1,000. For medium-sized and large companies, the consequences of attacks are more often significantly costlier and can reach as much as PLN 50,000.
“Large companies, which more often have an incident response plan and regularly train their employees, are much more likely to declare that they successfully block attacks. Cyberattacks on small companies, however, often mean major disruption to their operations. Although, as our latest study shows, most companies declare no financial losses, uncertainty about the real costs of an incident increases with the size of the organisation,” says Małgorzata Domagała, Vice President and Director of Products and Solutions at Mastercard for Poland, the Czech Republic and Slovakia.
A fairly large share of respondents in Mastercard’s survey — 19 percent among medium-sized companies and 16 percent among large companies — admit that they are unable to estimate financial losses or refuse to answer this question.
“The results of our study show that we still need to increase awareness of cyber threats and the challenges related to cybercrime. At the same time, as cyber threats grow in scale and sophistication, Mastercard continues to invest in technologies, expert knowledge and partnerships that help organisations strengthen their cyber resilience and increase security,” the expert adds.
One in three small companies, 32 percent, as well as 28 percent of large companies and one in five medium-sized companies, did not change their approach to cybersecurity despite having experienced an attack. Minor changes were introduced, on average, in 30 percent of the companies. Preventive measures, such as external audits and cyber risk assessments, are more common in large and medium-sized companies. In the 12 months preceding the survey, such activities were carried out by 72 percent of large companies and 55 percent of medium-sized companies. Among small organisations, 85 percent admitted that they do not carry out such activities.
Cybersecurity spending
Company cybersecurity budgets increase with the scale of operations. The smaller the organisation, the less money it allocates to this purpose. Mastercard’s survey results showed that 26 percent of small entities incur no expenses related to digital security, while 55 percent allocate less than PLN 10,000 per year to this area, or around PLN 833 per month. One in three medium-sized organisations estimates its spending at between PLN 10,000 and PLN 50,000 per year, while 44 percent of large companies put their cybersecurity budgets at more than PLN 50,000 annually.
A trusted IT partner: selection criteria in Polish companies
According to Mastercard’s survey, in small companies cybersecurity is entrusted to the owner in 60 percent of cases, or to employees who handle both IT and other tasks in 10 percent of cases. In medium-sized and large companies, cybersecurity is more often the responsibility of an employee or team employed by the company and dedicated exclusively to IT tasks, indicated by 66 percent and 76 percent respectively. It may also be handled by an externally hired person or company working continuously and only in this area, indicated by 30 percent of medium-sized companies and 24 percent of large companies.
When choosing a cybersecurity partner or external provider, small companies rely mainly on references and opinions from others, indicated by 53 percent of respondents, as well as experience and reputation, indicated by 33 percent, speed of response and support, indicated by 30 percent, and the price of the service, which is important for 27 percent. Medium-sized companies primarily focus on experience and reputation, indicated by 53 percent, as well as the scope and comprehensiveness of services offered, also indicated by 53 percent. Large entities, meanwhile, prioritise certificates and compliance with standards, indicated by 61 percent.
“Company budgets for cyber protection vary. However, even when relatively large amounts are involved, the problem may lie in the inappropriate allocation of funds and ineffective management of cyber resilience. Another challenge, therefore, remains the delegation of responsibility for this area to the right partner with the appropriate competences. Prevention and trust in professionals have a real impact on the strength of an attack and can minimise its consequences,” concludes Małgorzata Domagała from Mastercard.





