70% of cyberattacks in Spain target SMEs. Not because they are more interesting than large companies, but because they tend to be more vulnerable. This guide gives you the tools to change that.
A successful cyberattack can cost an SME between €35,000 and €150,000, according to data from the National Cybersecurity Institute (INCIBE). Add to that reputational damage, GDPR sanctions and customer loss. Cybersecurity is not a cost: it is an investment with measurable ROI.
The 5 most common threats for SMEs in 2025
Phishing and spear phishing
Fraudulent emails that impersonate a trusted sender (bank, tax authority, supplier) to steal credentials or install malware.
Ransomware
Software that encrypts all company files and demands a ransom. The average paralysis time is 21 days.
Social engineering
Psychological manipulation of employees to obtain access or fraudulent financial transfers.
Outdated software vulnerabilities
Operating systems, applications and routers without updates are the most exploited entry vector.
Insecure networks and remote work
Accessing internal systems without VPN from public or home networks is a common entry point.
The complete checklist: 25 control points
The controls are grouped into five categories. Evaluate each point as Yes / No / Partial and prioritise the 'No' answers with the highest potential impact.
Category 1: Identity and access
- You use unique, strong passwords (minimum 12 characters) for each account.
- You have implemented two-factor authentication (2FA) on email, ERP and VPN.
- Each employee has their own credentials (accounts are not shared).
- Access levels exist: each person can only see what they need for their work.
- Passwords of departing employees are revoked on the same day they leave.
Category 2: Devices and network
- All devices have active and up-to-date antivirus (corporate licence).
- The operating system and applications are updated regularly (at least monthly).
- The office router has its default password changed and firmware updated.
- There is a separate WiFi network for guests or IoT devices.
- Remote access to company systems is always through VPN.
Category 3: Backups
- You back up all critical data automatically and daily.
- Backups are stored in a separate location (cloud or disconnected device).
- You have verified in the last 6 months that backups restore correctly.
- You have at least one offline copy not connected to the network (anti-ransomware protection).
- A documented disaster recovery procedure exists.
Category 4: Team awareness
- Employees have received basic cybersecurity training in the last 12 months.
- There is a clear protocol for what to do if someone receives a suspicious email.
- Phishing simulations are conducted to assess actual team awareness.
- An acceptable use policy for company devices exists.
- Employees know who to report a security incident to.
Category 5: Compliance and suppliers
- You have documented the Record of Processing Activities for personal data (GDPR).
- Contracts with your software suppliers include data protection clauses.
- Your website has updated privacy policy, legal notice and cookie policy.
- You have conducted a risk assessment of your critical technology suppliers.
- You have taken out cyber risk insurance or evaluated its need.
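One way to apply the evaluation rule above (score each point Yes / No / Partial, then fix the 'No' answers with the highest impact first), as an added example that is not part of the original guide. It encodes two of the five categories, and the impact weights are assumptions, not values from the guide.

```python
# Added example, not from the original guide: scores self-assessment answers with
# the guide's Yes / No / Partial scheme and ranks the 'No' answers by impact.
# Two of the five categories are encoded; the impact weights (1..5) are assumptions.
CONTROLS = [  # (category, control, assumed impact)
    ("Identity and access", "Unique strong passwords (12+ chars) per account", 4),
    ("Identity and access", "2FA on email, ERP and VPN", 5),
    ("Identity and access", "Own credentials per employee, no shared accounts", 3),
    ("Identity and access", "Least-privilege access levels", 3),
    ("Identity and access", "Leaver credentials revoked the same day", 4),
    ("Backups", "Automatic daily backup of all critical data", 5),
    ("Backups", "Backups kept in a separate location", 4),
    ("Backups", "Restore verified in the last 6 months", 5),
    ("Backups", "At least one offline copy (anti-ransomware)", 5),
    ("Backups", "Documented disaster recovery procedure", 3),
]
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}


def score_checklist(controls, answers):
    """Return ({category: weighted percent}, [(impact, category, control), ...]).
    `answers` maps control -> 'yes' / 'no' / 'partial'; an unanswered control
    counts as 'no'. The list holds every 'no', highest impact first.
    """
    earned, possible, priority = {}, {}, []
    for category, control, impact in controls:
        answer = answers.get(control, "no").strip().lower()
        if answer not in CREDIT:
            raise ValueError(f"invalid answer {answer!r} for {control!r}")
        earned[category] = earned.get(category, 0.0) + CREDIT[answer] * impact
        possible[category] = possible.get(category, 0) + impact
        if answer == "no":
            priority.append((impact, category, control))
    percent = {c: round(100 * earned[c] / possible[c]) for c in possible}
    priority.sort(key=lambda item: -item[0])  # stable sort keeps list order on ties
    return percent, priority


if __name__ == "__main__":
    # Constructed sample self-assessment; controls left out count as 'no'.
    sample = {
        "Unique strong passwords (12+ chars) per account": "yes",
        "Leaver credentials revoked the same day": "partial",
        "Automatic daily backup of all critical data": "yes",
        "Backups kept in a separate location": "yes",
        "Documented disaster recovery procedure": "partial",
    }
    percent, todo = score_checklist(CONTROLS, sample)
    print(percent)  # {'Identity and access': 32, 'Backups': 48}
    for impact, category, control in todo:
        print(f"[impact {impact}] {category}: {control}")
```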
"You do not need perfect security; you need to be harder to attack than your neighbour. Attackers always go for the easiest target."
Incident response plan
If you suffer an attack, the first 60 minutes are critical. Have this protocol ready before you need it:
- Contain the damage: disconnect affected devices from the network (without turning them off). Change passwords from an uncompromised device.
- Document: take screenshots of error messages, network activity and any indication of the type of attack.
- Notify internally: alert management and the IT manager. Do not try to resolve the problem alone.
- Contact specialist support: if you have cybersecurity support contracted, activate it. If not, contact INCIBE (017, free and confidential).
- Evaluate notification to the data protection authority: if personal data has been compromised, you have 72 hours to notify the relevant data protection authority.
- Restore from the last clean backup and document the incident to prevent future recurrences.
At Grupo Unifema we offer cybersecurity audit services and support in implementing the measures in this checklist. Contact us for a free initial assessment.