Small and medium-sized enterprises (SMEs) face persistent cybersecurity challenges stemming from low risk awareness, limited knowledge, and constrained resources. Method: We conducted a systematic literature review (SLR) covering 2017–2024, coding and analyzing 132 peer-reviewed studies to identify 44 research themes. Contribution/Results: The analysis reveals stagnating progress, high thematic redundancy, and a critical gap in understanding SMEs’ real-world threats and operational needs. We propose the first comprehensive taxonomy of SME cybersecurity research themes and introduce “cybersecurity literacy deficit” as the root cause underlying both awareness and resource constraints—challenging conventional attribution frameworks. Cross-national comparison further uncovers pronounced disparities between developed and developing countries in policy support, tool accessibility, and capacity-building infrastructure. These findings provide an empirically grounded foundation for targeted interventions and theoretical reorientation in SME cybersecurity research and practice.

Small and Medium Enterprises (SMEs) are pivotal in the global economy, accounting for over 90% of businesses and 60% of employment worldwide. Despite their significance, SMEs are often disregarded in cybersecurity initiatives, rendering them ill-equipped to deal with the growing frequency, sophistication, and destructiveness of cyberattacks. We systematically reviewed the cybersecurity literature on SMEs published between 2017 and 2024. We focus on research discussing cyber threats, adopted controls, challenges, and constraints SMEs face in pursuing cybersecurity resilience. Our search yielded 1090 studies that we narrowed to 132 relevant papers. We identified 44 unique themes and categorised them as novel findings or established knowledge. This distinction revealed that research on SMEs is shallow and has made little progress in understanding SMEs'roles, threats, and needs. Studies often repeated early discoveries without replicating or offering new insights. Existing research indicates that the main challenges to attaining cybersecurity resilience of SMEs are a lack of awareness of cybersecurity risks, limited cybersecurity literacy, and constrained financial resources. Resource availability varied between developed and developing countries. Our analysis indicated a relationship among these themes, suggesting that limited literacy is the root cause of awareness and resource constraint issues.