Vulnerable SMEs: One in four SMEs is at very high risk of suffering a cyberattack

At BOTECH, we have produced the report “The State of Cybersecurity in SMEs”, a comprehensive overview of the level of exposure and the protective measures of small and medium-sized enterprises. The document is based on data collected from and analysed for almost 1,000 SMEs, and its findings, summarised below, are worrying.

This study offers an unprecedented snapshot of cybersecurity in the SME sector. The analysis made it possible to define a risk score from 0 to 100 for each of the main threat vectors, as well as an overall score. The average overall score is 43.80 out of 100, revealing a deficient average level of protection against cyberattacks. The study also found large differences in the protective measures adopted by different SMEs and identified an urgent need for action.

SMEs face a high level of risk across the board

One of the main conclusions of the study is that 1 in 4 SMEs is at very high risk of suffering a cyberattack. Targeted intrusions and privilege escalation (threats arising from the misuse of highly privileged accounts, or from external attackers who manage to escalate their privileges) top the list of the most dangerous threats, and 100% of SMEs are exposed at the initial access stage because of poorly managed privileges.

Despite the growth of ransomware and malware (threats based on installing malicious code on an organization's systems) in recent years, only 6% of SMEs have low exposure to this type of incident, a figure that stands out against the 35% reported in countries such as the United Kingdom or the United States. The study also reveals extreme inequality in the Spanish cybersecurity landscape: SMEs that are totally vulnerable or have a very low level of security coexist in the same ecosystem with companies that do have robust defenses.

The most common pattern is one of areas that are reasonably covered at some stages alongside areas that are completely vulnerable and neglected; more than inequality, it is absolute heterogeneity. The study highlights some critical shortcomings in the digital protection of Spanish SMEs. Only 18% of companies effectively limit the installation of malware on their key devices, leaving the rest exposed to infections that can spread unchecked. Even more worrying, fewer than 10% have adequate mechanisms in place to manage the final impact of an attack, which means a very limited response capacity in the event of a serious incident.

In addition, one in four businesses allows malicious tools to be executed once the attacker has passed the initial access phase, showing a lack of containment at critical stages of the attack. Added to this is an alarming lack of technical oversight: only 5% of SMEs conduct external security audits or have deployed a web application firewall (WAF), key elements for detecting vulnerabilities and stopping attacks in real time.

These data confirm that, despite some awareness of the risk, the implementation of effective measures remains very low, especially in the most sensitive and vulnerable environments.

Recommended measures for protecting SMEs

The report recommends five measures that an SME can adopt to reduce this exposure:

1. Multi-factor authentication (MFA) and robust password policies:

Strengthening access to critical systems through MFA and strict password policies dramatically reduces the risk of intrusions due to credential theft.

2. Network segmentation and implementation of internal firewalls:

Dividing the network into isolated zones and protecting them with dedicated firewalls limits an attacker's ability to move freely (“laterally,” in cybersecurity jargon) after an initial breach.

3. Offline backups protected against ransomware:

Keeping secure, offline copies that an attacker on the network cannot reach or encrypt preserves the ability to recover, even if production data is encrypted en masse.

4. Training programs and phishing simulations:

Training staff and running realistic phishing simulations makes it possible to detect human weaknesses, which account for a large share of initial accesses.

5. Automated patching and regular vulnerability scans:

Keeping systems up to date and proactively monitoring security flaws helps close doors before they are exploited.
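To make the backup recommendation concrete, here is an added example (not code from the BOTECH report or from any product it describes) of how an offline copy can be checked before it is trusted for recovery. It copies a directory, records a SHA-256 manifest authenticated with an HMAC key that is assumed to be kept with the detached media rather than on the backed-up server, and then verifies the copy; the demo simulates ransomware overwriting one file in the copy and shows the check reporting it. The directory names, sample files and key handling are assumptions for illustration.

```python
"""Integrity check for an offline backup copy.

Illustrative example added to this page, not BOTECH code. The HMAC key is
assumed to travel with the offline media, so an attacker who encrypts the
copy cannot also rewrite the manifest to match.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_mac(key: bytes, entries: dict) -> str:
    # Canonical JSON so the MAC does not depend on dict ordering.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_backup(src: Path, dst: Path, key: bytes) -> dict:
    """Copy src into dst and write an HMAC-authenticated manifest of every file."""
    shutil.copytree(src, dst, dirs_exist_ok=True)
    entries = {}
    for p in sorted(dst.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[str(p.relative_to(dst))] = _sha256_file(p)
    manifest = {"files": entries, "mac": _manifest_mac(key, entries)}
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dst: Path, key: bytes) -> list[str]:
    """Return a list of problems found; an empty list means the copy is intact."""
    problems: list[str] = []
    try:
        manifest = json.loads((dst / MANIFEST_NAME).read_text())
    except (OSError, ValueError):
        return ["manifest missing or unreadable"]
    entries = manifest.get("files", {})
    # Check the manifest itself first: a rewritten manifest is exactly what
    # an attacker who re-hashes encrypted files would leave behind.
    if not hmac.compare_digest(_manifest_mac(key, entries), manifest.get("mac", "")):
        problems.append("manifest MAC mismatch (manifest tampered or wrong key)")
    for rel, expected in entries.items():
        p = dst / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif _sha256_file(p) != expected:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Verify a clean copy, then the same copy after a simulated encryption."""
    key = os.urandom(32)  # assumption: in practice stored with the offline media
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        dst = Path(tmp) / "offline_copy"
        src.mkdir()
        # Constructed sample data, not real records.
        (src / "invoices.csv").write_text("id,amount\n1,100\n")
        (src / "customers.txt").write_text("Acme Ltd\n")
        make_backup(src, dst, key)
        clean = verify_backup(dst, key)
        # Simulate ransomware reaching the copy: one file overwritten with noise.
        (dst / "invoices.csv").write_bytes(os.urandom(64))
        after = verify_backup(dst, key)
    return clean, after


if __name__ == "__main__":
    clean, after = demo()
    print("clean copy:", clean or "OK")
    print("after tampering:", after)
```

Run it as a script. The point is that a backup that has not been verified is not a backup: run `verify_backup` after every copy and again before any restore, and keep the key with the detached media rather than on a machine the attacker may already control. Being offline is what stops the attacker from encrypting the files in the first place; the authenticated manifest is the check that tells you, before you rely on it, whether the copy is still the one you made.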

Conclusion

The overall picture provided by the data confirms a starting point of medium-high risk, with large gaps between advanced and lagging companies. Almost 60% of small and medium-sized enterprises are at medium-high or high risk of suffering a ransomware or malware attack. The data show that SMEs currently have minimal coverage in some areas and major shortcomings in most, so it is important to take measures to protect them.

This report is not intended to alarm, but rather to provide concrete tools and serve as a basis for SMEs to make the best decisions based on empirical and comparative data. SMEs are the economic heart of society and need realistic, scalable, and effective solutions to cope with an increasingly complex environment.

You can access the full report here 👉 https://botech.info/informe-pymes-2025/
