The paper investigates the cybersecurity management systems of SMEs and research institutes. It identified the key aspects of cyber security management and explored the sources and types of cybersecurity challenges with their associated risks and mitigation methods. Smart Innovation Norway (research organization) was considered as a case and the authors analyzed user data collected from its five different departments during six months. For the analysis purpose, various statistical methods and visualization dashboards were used. In the analysis, the authors extracted usage data from the organization’s Microsoft tenant using the dedicated tools for compliance and security. The result from the analysis showed a total compliance score for Smart Innovation Norway (SIN) of 85%. This score is based on ISO 27001 controls. We also investigated the main reasons for improvement to achieve the required compliance level. The research analyzed the impact of IT awareness before and after training and compared the compliance score of SIN with similar-sized organizations using Microsoft 365 portals. The result comprises a business impact assessment and the bow tie method which includes mitigation actions and preventive measures. Furthermore, the paper lays a foundation and has implications for managing cyber security not only for the SME and research organization but also for startups that have limited resources.