Date: 2025-03-16

SMEs are seen as one of the weakest links in business cybersecurity, which makes them an easy target for cybercriminals and a gateway to large corporations. The lack of investment and awareness exposes them to growing risks. … According to the Global Ransomware Survey 2024 from OpenText, 76% of SMEs have been victims of cyber attacks, mainly through ‘ransomware’ and ‘phishing’. This vulnerability not only affects their stability but also compromises the security of the entire supply chain.

Large companies are beginning to recognize that their supply chains are a weak point in cybersecurity, since attackers see SMEs as the most fragile link, says Marc Rivero, security researcher at Kaspersky. Even so, many small companies continue to underestimate these risks, believing that their size makes them less visible to cybercriminals, he adds. However, their weak protection and their links with large companies make them easy targets for targeted attacks, the expert warns.

Lack of knowledge and resources aggravates this vulnerability, Rivero explains. Many SMEs lack experience in cybersecurity and prioritize other investments, which leaves their systems exposed, he maintains. Although the GDPR has promoted data protection, many still do not meet minimum standards, he notes. In addition, some large firms do not audit their suppliers, which amplifies the problem. To reduce risks, it is key to reinforce collaboration and improve cybersecurity training, he concludes.

Economic limitations and a lack of specialized talent also make it difficult for SMEs to reinforce their cybersecurity, says Juan José Sánchez Peña, director of the online university master’s degree in cybersecurity at Alfonso X University (UAX). Many cannot afford to hire experts or implement advanced solutions, which leaves them even more exposed, he warns. Added to this is the mistaken perception that cybersecurity is a technical problem and not a strategic issue, which delays its adoption. To mitigate risks, it is essential to invest in training, basic tools and good security practices, he remarks.

At Kymatio, CEO Fernando Mateus points out that one of the most effective strategies to reinforce cybersecurity in SMEs is raising awareness of the human factor. Correct credential management, applying the principle of not assuming that internal users are trusted by default, and the continuous evaluation of human risk are key, he explains. This startup, backed by Wayra, says that its process automation approach allows employee errors caused by social engineering attacks to be reduced by up to 80%.

Far behind the European vision

Although awareness has improved in recent years, SMEs in Spain continue to lag in cybersecurity, according to Marc Rivero, Lead Security Researcher at Kaspersky. The lack of investment, a less entrenched security culture and the absence of audits in the supply chain leave them at a disadvantage compared with other European countries. While in many economies of the continent cybersecurity is treated as a strategic pillar, in Spain it continues to be seen more as an expense than as a key investment for business continuity, he says. Despite this, Rivero believes that Spain is advancing in this field, although at a slower pace than its European neighbors. The National Cybersecurity Plan and European funds are favoring greater investment in digital protection, and more and more SMEs are reinforcing their systems. However, the challenge remains for cybersecurity to cease to be a secondary issue and become a key element of business strategy.

This lack of investment and talent not only leaves SMEs unprotected, but also represents a risk to the business ecosystem in which they operate. Their role as suppliers to large companies exposes them even more, since cybercriminals use them as a route of access to larger corporations, warns Miguel López, director for southern EMEA at Barracuda Networks. Their lower level of protection facilitates infiltration into companies and public administrations, he explains. In recent years, attacks directed against them have grown significantly, and the trend is still upward in 2025, he says. Among the most frequent threats are ‘ransomware’, ‘phishing’, targeted attacks, ‘malware’ and DDoS, he points out.

Devastating impact

The problem is not only the frequency of attacks, but also their impact, which can be devastating. The effects of an attack can be disproportionate in relation to their income, he warns. Data loss, operational interruption, recovery costs and reputational damage can be critical. In many cases, the loss of customers and financial instability end up driving them into bankruptcy, López indicates.

In addition, the lack of awareness and resources perpetuates a reactive approach. According to a study by University College London, the low investment in cybersecurity is due to the lack of knowledge, budget and trained personnel, says Diego León, CEO of Flamera. Although European regulations have promoted improvements, their direct impact remains limited except in critical sectors, he says. However, the growing pressure from large companies and regulators is forcing many SMEs to strengthen their systems to stay competitive in the market, he adds.

“For a security program to be effective, it must contemplate not only the organization itself but the entire supply chain. Globalization and the high digitalization of services force companies to demonstrate continuous compliance with multiple regulations and laws,” says Tatiana Beron, Managing Director, Concentix Spain.

Faced with this scenario, SMEs can reinforce their digital security without compromising their financial stability, says José Luis Díaz, CEO of Advens Iberia. Technologies such as Endpoint Detection and Response (EDR) offer more advanced protection than traditional antivirus by detecting anomalies with AI. Multifactor authentication and efficient password management are also key measures to reduce risks, while training personnel in threat detection helps minimize human errors, which are responsible for a large share of security incidents.

Cloud and AI union

Cybersecurity in SMEs remains a neglected market, although these companies face increasing risks, says Sánchez Peña, from UAX. The opportunities for cybersecurity firms lie in offering affordable solutions, integrated into cloud services and based on artificial intelligence. In addition, the training and awareness of employees is key to mitigating attacks, he points out.

Along the same lines, Luis Corrons, Security Evangelist at Gen, explains that the lack of investment in cybersecurity among SMEs is due, in large part, to a lack of knowledge and resources. Many companies do not have specialized personnel and do not implement adequate protection measures. To correct this situation, he agrees that affordable cloud-based solutions, intelligent automation and continuous training are key to strengthening their security without generating great costs. Corrons highlights three key areas where cybersecurity companies can make a difference. First, offering accessible tools such as managed detection and response (MDR) or cloud security, designed for organizations with limited resources. In addition, he insists on the importance of training, since human errors remain a determining factor in attacks, especially phishing and the use of weak passwords. Finally, he emphasizes that integrating security measures into SaaS platforms and digital services would allow SMEs to adopt best practices without the need for complex infrastructure.

Large companies have tightened their cybersecurity requirements for SME suppliers, especially in critical sectors, Corrons adds. However, complying with these standards involves complex audits that can delay contracts and income. In addition, some SMEs face difficulties in implementing advanced measures without support. To prevent this from becoming a barrier, large companies should adopt a collaborative approach, providing tools, training and security guidance. This would not only strengthen their suppliers, but would also reinforce the entire supply chain, he says.

Looking ahead, SMEs must face more sophisticated attacks, increasingly automated and driven by AI, says Díaz, from Advens Iberia. Digital security will go from an option to an obligation, especially in the face of stricter regulations that will require higher protection standards in all sectors. To survive in this environment, companies will have to bet on automated solutions, managed security and a culture of continuous prevention. Adapting will no longer be a matter of competitiveness, but a fundamental requirement to guarantee business continuity in an increasingly hostile digital environment, he concludes.