60% of Spanish SMBs close after a cyberattack: how to avoid becoming a statistic
Cybersecurity

60% of Spanish SMBs close after a cyberattack: how to avoid becoming a statistic

The statistic is stark: according to data from INCIBE and the National Cybersecurity Institute, 60% of Spanish SMBs that suffer a significant cyberattack are forced to close within six months. Not because the attack was unsurvivable, but because they had no plan, no backups, and no capacity to absorb the cost of recovery.

Our cybersecurity team works across both ends of this problem — incident response when things go wrong, and proactive hardening so they don't. This is what we see most often.

The most common attack vectors in 2026

  • Phishing and spear-phishing — still the entry point for over 70% of incidents. Employees receive convincing emails impersonating suppliers, banks, or colleagues.
  • Unpatched systems — servers and endpoints running software with known vulnerabilities. Many SMBs postpone updates indefinitely.
  • Weak or reused credentials — especially on VPNs, remote desktops, and control panels exposed to the internet.
  • Supply chain compromise — attacking an SMB through a trusted supplier or software vendor with weaker security controls.
  • Ransomware as a Service (RaaS) — commoditised attack toolkits available on dark web markets, lowering the bar for attackers significantly.

What a real cybersecurity strategy looks like

We're not talking about buying a firewall and calling it done. A functional security posture for a PYME in 2026 has these components:

  • Asset inventory — you cannot protect what you don't know exists
  • Patch management — systematic, scheduled updates for all systems
  • MFA everywhere — multi-factor authentication on every externally-accessible service
  • Backup strategy with tested recovery — the 3-2-1 rule, with offline copies
  • Incident response plan — a written, rehearsed procedure for when (not if) something happens
  • Staff awareness training — quarterly simulated phishing and security briefings

The INCIBE angle

Spain's INCIBE (National Cybersecurity Institute) offers free resources for SMBs, including incident reporting, basic guidance and subsidised assessments. We work with INCIBE as a technical partner — when clients need to report incidents or access public resources, we help navigate that process.

But public resources are a starting point, not a complete solution. A proactive audit from an independent team will surface vulnerabilities that generic checklists miss.

What a security audit actually involves

When we conduct a security audit for an SMB, the engagement typically covers:

  1. External perimeter scan — what's exposed to the internet and how it looks to an attacker
  2. Internal network assessment — segmentation, access controls, lateral movement risks
  3. Credential and access review — who has access to what, and whether that's appropriate
  4. Phishing simulation — testing staff response to realistic attack scenarios
  5. Report with prioritised remediation list — not a generic finding dump, but a practical action plan

The best time to find a vulnerability is before an attacker does. The second best time is now.

Frequently asked questions

What percentage of Spanish SMBs close after a cyberattack?

According to INCIBE data, 60% of Spanish SMBs that suffer a significant cyberattack are forced to close within six months. This isn't usually because the attack itself was unsurvivable, but because the business had no incident response plan, no tested backups, and no capacity to absorb the cost and downtime of recovery.

What is the most common way attackers get in?

Phishing and spear-phishing remain the entry point for over 70% of incidents. Attackers send convincing emails impersonating suppliers, banks, or colleagues to trick employees into clicking malicious links or handing over credentials. Unpatched systems and weak or reused credentials on internet-facing services are the next most common vectors.

What should a basic cybersecurity strategy include?

At minimum: an asset inventory, systematic patch management, multi-factor authentication on every externally-accessible service, a backup strategy following the 3-2-1 rule with offline copies, a written and rehearsed incident response plan, and quarterly staff awareness training with simulated phishing.

If you'd like a no-obligation discussion about your current security posture, contact our team.