Small and Medium Enterprises (SMEs) are pivotal in the global economy, accounting for over 90% of businesses and 60% of employment worldwide. Despite their significance, SMEs have been disregarded by cybersecurity initiatives, rendering them ill-equipped to deal with the growing frequency, sophistication, and destructiveness of cyber-attacks. We systematically reviewed the cybersecurity literature on SMEs published between 2017 and 2023. We focus on research discussing cyber threats, adopted controls, challenges, and constraints SMEs face in pursuing cybersecurity resilience. Our search yielded 916 studies that we narrowed to 77 relevant papers. We identified 44 unique themes and categorised them as novel findings or established knowledge. This distinction revealed that research on SMEs is shallow and has made little progress in understanding SMEs' roles, threats, and needs. Studies often repeated early discoveries without replicating them or offering new insights. The existing research indicates that the main challenges to attaining cybersecurity resilience of SMEs are a lack of awareness of the cybersecurity risks, limited cybersecurity literacy, and constrained financial resources. However, resource availability varied between developed and developing countries. Our analysis indicated a relationship among these themes, suggesting that limited literacy is the root cause of the awareness and resource-constraint issues.