While the European Union accelerates toward a more regulated digital landscape with the Cyber Resilience Act and NIS2, the backbone of its economics SMEs remains perilously exposed. A comprehensive study by PXL University of Applied Sciences and Arts, utilising the OWASP SAMM framework and the relevant industry benchmarks and target postures, reveals a critical structural imbalance in software development. The research finds that while Belgian SMEs excel at reactive operational management, they are almost entirely neglecting proactive security measures like threat modelling and developer education. This article explores the findings, the economic “security debt” being accrued, and the urgent necessity of a “shift-left” strategy for cyber-resilience.

The backbone of the digital economy

Located at the “heart of Europe,” approximately 50 kilometres from Brussels, the Belgian region of Flanders serves as a critical hub for software innovation. In this landscape, small-to-medium enterprises (SMEs) are not merely participants; they are the industry’s engine, representing approximately 99% of the industrial landscape. These companies hold a software market share of between 50% and 60%, meaning the products they develop end up in the hands of millions of daily users and large-scale corporate infrastructures.

Despite their significance, the cybersecurity maturity of these organisations has remained a “blind spot” in both scientific literature and practical application. A research team from PXL University of Applied Sciences and Arts, led by Cyber Security Research Coordinator Dr Koen Gilissen and researcher Savannah Eggers, recently set out to map this maturity using a rigorous, internationally recognised framework.

Their findings suggest that the digital foundation of Europe is built on a “reactive” rather than “proactive” culture, a trend that poses significant risks as global cyber threats continue to increase exponentially.

Understanding the framework: OWASP SAMM 

To measure the security posture of these SMEs, the PXL team utilised the OWASP Software Assurance Maturity Model (SAMM). OWASP (the Open Worldwide Application Security Project) is a non-profit foundation providing community-driven resources that act as the “gold standard” for application security.

SAMM assesses an organisation across five functional pillars, each essential to a secure Software Development Life Cycle (SDLC):

1. Governance: Strategy, metrics, policy, compliance, and education.

2. Design: Threat assessment, security requirements, and secure architecture.

3. Implementation: Secure build, secure deployment, and defect management.

4. Verification: Architecture assessment, requirements-driven testing, and security testing.

5. Operations: Incident, environment, and operational management.

The research findings: a “critical structural imbalance”

The analysis of Flemish software SMEs exposed a stark reality: security is often treated as a “thin sauce” poured over the end product rather than being embedded within the software itself.

The “Operations” illusion

The PXL study found that SMEs score relatively high in the Operations pillar. In fact, scores for Environment Management and Operational Management actually exceeded the “Target Posture LOW BASELINE” – the minimum requirement to avoid being considered an “easy target”. This indicates that Belgian SMEs are competent at managing systems that are already “live”.

The proactive gap

However, the “proactive” phases of the SDLC, specifically Governance and Design, showed alarming deficiencies. The most pressing observations involved two critical activities:

• Education and Guidance: Measured at a staggering 0.02 average, compared to a target baseline of 1.0.

• Threat Assessment: Measured at 0.25 average, against a target of 1.9.

Dr Gilissen noted, “The results were at least lower than I naively expected”. This imbalance suggests that companies are “extinguishing fires” in production rather than preventing vulnerabilities at the source.

The economic reality: Features vs. Security

Why do these gaps exist? The PXL team identified several “limitation factors” common to SMEs: a lack of manpower, expertise, skills, and, most crucially, time and resources.

Every line of code that contributes to a new feature is viewed as direct value creation or “money”. Conversely, security efforts are perceived as heavy investments that slow down the development process. This leads to what the researchers call “Security Debt”.

“What is saved today by skipping security will be paid back tomorrow, more than double, in the form of complex patches and recovery work,” the PXL problem statement warns.

This “technological debt” does more than just increase the risk of a breach; it exponentially raises future maintenance costs and threatens the long-term viability of the software.

The “shift-left” necessity and regulatory pressure

The study argues for a fundamental “shift-left” strategy. This concept involves moving security considerations to the earliest possible stages of the development cycle, such as threat modelling and developer education, rather than waiting until the implementation or verification phases.

This shift is no longer just a “best practice”, it is becoming a requirement for market access. New European regulations, such as the Cyber Resilience Act (CRA), the AI Act, and NIS2, are imposing strict demands on software security.

Under the NIS2 legislation, supply chain security is paramount. Larger clients are increasingly demanding proof of security maturity from their SME subcontractors. A low SAMM score could lead to the loss of crucial B2B contracts as larger firms seek to minimise their own third-party risks.

Hope through frameworks

Despite the “no hope” feeling some SMEs might experience when faced with mounting legislation, the PXL team remains optimistic. Frameworks like OWASP SAMM provide a manageable roadmap.

Savannah Eggers highlighted the value of structured guidance: “With SAMM, it’s very easy to pinpoint what you need to know. It tells you, okay, here’s a resource to learn more about security principles”. By breaking down maturity into levels (1, 2, and 3), the framework allows companies to prioritise their limited resources for the “biggest bang for their buck”.

Conclusion: a call to action for Flemish SMEs

The PXL study serves as both a warning and a guide. For the thousands of SMEs in Flanders and the wider Belgian and European region, the “time is now” to address the critical gaps in Education and Threat Assessment.

Increasing a company’s cybersecurity posture is not just about compliance; it is a significant business opportunity. Those who can demonstrate a secure development process will differentiate themselves from competitors, secure lucrative B2B contracts, and build products that are resilient by design rather than by chance.

As Dr Gilissen summarises for the next generation of developers, SMEs have the potential to make a massive difference in regional cyber-resilience. The journey from “firefighting” to “prevention” begins with the first step of the shift-left strategy: a good analysis of where we stand.

Bee House, located at Milton Park, celebrated four years of supporting business growth and collaboration in one of the UK’s leading innovation communities on May 20.

The hub has supported more than 225 companies since its launch, with 91 businesses currently based there and occupancy at 89 per cent.

Lorna Wright, flexible workplace manager at Milton Park, said: “The Bee House plays a critical role in how we support business growth at Milton Park.

“It gives companies a clear starting point, but more importantly, a pathway to scale without needing to leave.

“We’re seeing businesses build traction here and then move into larger space across the Park as they grow.

“That continuity is a real advantage and a key part of how we support ambitious science, technology, media and innovation companies.

“I’d also like to thank the whole team at Ashdown Phillips for their ongoing role in bringing the Bee House to life day to day.”

The workspace combines co-working areas, serviced offices, and meeting facilities to support businesses at every stage.

Since 2022, meeting room bookings at Bee House have risen by 52 per cent.

Companies based at Bee House include Elemica International, Middleton Advisors, Oodle Financial Services, OxeHealth, Smith Robotics, and Total Projects.

Sarah Stevens, co-founder and people director at hoomph, said: “The sense of community here has been fantastic from day one.

“There’s a real energy in the building, with like-minded companies, which creates opportunities for collaboration that you simply don’t get in a traditional office setting.”

John Werrell & Son Ltd traces its origins back to 1926, when John Werrell entered the haulage trade alongside his son, Frank, both working as Foden drivers.

The business quickly established itself, but like many operators of the time, faced early challenges.

First John Werrell & Son lorry (Image: John Werrell & Son)

By 1929, the company had survived the General Strike and invested in a new six-wheeled Foden vehicle name The Pride of Oxford with the headboard including the slogan “WEKANKARRYIT”, which is still used today.

However, the introduction of the Salter Report brought significant pressures to steam wagon operators, with higher costs, reduced carrying capacity and tighter operating restrictions. Licensing changes also saw annual fees rise sharply, creating further strain.

READ MORE: Historic RAF Chipmunk planes spotted flying over Bicester

John Werrell & Son became a limited company in 1926 (Image: John Werrell & Son)

Despite these setbacks, the business endured and grew. By 1955 it was firmly established, with the third generation, David Werrell, joining the company from the ground up as a driver.

A year later, in 1956, the firm became a limited company, led by John, Frank and David Werrell.

The company maintained a strong relationship with Foden during this period, reflecting its longstanding loyalty to the manufacturer.

New DAF John Werrell & Son lorries still carrying the ‘WEKANKARRYIT’ motto (Image: John Werrell & Son)

Following John Werrell’s death in 1968 and Frank Werrell’s in 1981, David continued to lead the company.

Over time, the fleet evolved, moving from traditional Foden vehicles to include Leyland and Transcontinental models.

The fourth generation joined in 1976, when John began training as an HGV mechanic. He later became a director in 1987.

New DAF John Werrell & Son lorries still carrying the ‘WEKANKARRYIT’ motto (Image: John Werrell & Son)

READ MORE: Former Oxford pub tenants in £30,000 debt enter liquidation

After David Werrell’s sudden death in 1988, his wife Margaret stepped into a more active role, later becoming a director in 1991 until her death in August 2025.

Fleet modernisation continued through the 1980s and beyond, with ERF vehicles eventually replaced by DAF trucks.

READ MORE: Three Oxford flats closed after drug activity linked

Today, the company operates a fleet of 12 DAF XF106 units alongside a wide range of trailers, supporting its long-standing motto.

The firm has also expanded its services, now handling specialist transport including ADR hazardous goods across multiple classes.

New DAF John Werrell & Son lorries still carrying the ‘WEKANKARRYIT’ motto (Image: John Werrell & Son)

Now in its 100th year, the company remains family-run, led by John Werrell and his daughter Katherine, who became a director in November 2025 after 17 years of working within the company’s administration and accounts.

Despite ongoing regulatory challenges in the haulage industry, the company says it is committed to continuing its legacy for generations to come.

The company said: “We hope that we can continue to serve the road haulage industry for many more years, with new legislation and ruling making it more and more difficult each year.”