Summary. The aim of the study is to examine information security among small and medium-sized enterprises (SMEs) in Hungary. The study is timely because, according to the Digital Economy and Society Index published annually by the Commission of the European Union, Hungarian SMEs are characterised by a low level of data and information security. In our research, we used both qualitative and quantitative methods. For the former, we conducted a document analysis to determine which major information security challenges the domestic literature identifies, and mapped the information security practices and challenges of SMEs through interviews; for the latter, we used an online, large-sample questionnaire to investigate the views of the sector's managers on information security and their level of development in it. The findings of our study are based on the responses of 150 SME managers and 31 IT professionals working in the sector. We divided our questionnaire into six sections: demographics, business profile, device usage, digital habits, an information security awareness survey based on the international HAIS-Q, and information security awareness in daily practice.
In the present research we deviated somewhat from the international model, firstly because we had to adapt it to domestic requirements and our research objectives, and secondly because the model was only one part of our questionnaire. During the research we clearly identified the need to develop and implement practice-oriented training programmes that can help managers and IT professionals in the domestic SME sector to develop their information security awareness and even to make the transition to Industry 4.0. Based on the responses to the interview questions, it can be concluded that, overall, SME managers and their organisations are increasingly starting to build cybersecurity solutions and information security measures around their organisations. There is still a need to develop and share information security good practices that can reach SMEs, and there is a need for training and exchange of experiences, but not all companies are fully committed to the issue, so the actual need for action and organisation is ultimately lagging behind. A small proportion of the organisations surveyed have been victims of a cybersecurity incident, and a good proportion of SME managers believe that they will not learn the lesson until an incident has happened to an employee or the organisation. Basically, there is a growing demand for increased security, for the use of security tools and for education in information security, but this is evolving slowly, not as fast as the world around us is changing, so it is questionable when an information security explosion will occur that may radically change the tools and attitudes of organisations.