SMEs are frequent targets of indirect cybersecurity attacks
"SMEs are part of wider value chains and are therefore a frequent target of indirect cybersecurity attacks," explains Miguel Ángel Cañada, Head of the National Coordination Centre (NCC-ES INCIBE) of the National Cybersecurity Institute, the entity designated to coordinate the European Cybersecurity Competence Centre (ECCC) network in Spain.
Cañada is also a board member and vice-president representing the National Public Authorities of the European Cyber Security Organisation (ECSO).
In a context where comprehensive security is becoming increasingly important, what role does cybersecurity play in protecting SMEs?
Cybersecurity is no longer a purely technological field but a structural element of any organisation's comprehensive security. In the case of SMEs, this is particularly relevant, as they are part of wider value chains and therefore a frequent target of indirect attacks.
Moreover, we live in an environment where the exposure surface is constantly growing, driven by digitalisation, the use of cloud services and the adoption of emerging technologies. In this regard, the data are clear: INCIBE managed 26% more incidents in 2025 than the previous year, confirming a sustained upward trend and evidence of an increasingly dynamic and demanding cyberspace.
In this context, integrating cybersecurity into the overall security strategy is key to ensuring the resilience of SMEs.
Are Spanish SMEs really prepared to face today's cybersecurity threats?
We are moving in the right direction, but there is still some way to go. Although the level of awareness has improved in recent years, data show that SMEs are still the most vulnerable link. At INCIBE we note that a very significant proportion of the incidents we manage affect citizens and small businesses. Moreover, European bodies such as ENISA underline that these organisations generally have lower levels of cybersecurity maturity and greater difficulties in implementing advanced measures.
At the same time, industry data reflect a growing demand for cybersecurity solutions and services. The sector represents more than 25% of employment in the ICT sector, with more than 164,000 professionals, and has more than 3,400 specialised companies. More than 400 new cybersecurity start-ups have been created in the last five years, accounting for around 12% of the sector's turnover, strengthening the ecosystem and generating innovative solutions that are also accessible to SMEs.
Therefore, although the ecosystem is making clear progress, the challenge remains to transfer these capabilities to the business community as a whole, especially SMEs, which need accessible solutions, support and greater awareness in order to move towards a more preventive and resilient cybersecurity model.
Furthermore, it is key to move towards a preventive model, where cybersecurity is understood as an investment and not as a cost.
What role does public-private collaboration play in strengthening business cybersecurity?
It is an essential lever. Cybersecurity is an area where no actor can operate in isolation. INCIBE works in coordination with companies, public administrations, technology centres and academia to build shared capabilities and defend against the increasingly complex threat environment.
This collaboration translates into concrete initiatives with a direct impact on the business fabric. In recent years, we have mobilised close to 600 million euros from the Recovery and Resilience Plan to boost cybersecurity in Spain. Of this investment, approximately 40% has been earmarked for R&D&I actions, involving companies, SMEs, universities and research centres, while 21% has been channelled through the autonomous communities to reinforce their territorial deployment.
In short, public-private collaboration not only accelerates the development of the sector, but also brings cybersecurity closer to the business community as a whole, making it easier for SMEs to access skills, knowledge and tools that would otherwise be difficult to achieve.
What concrete measures should SMEs prioritise in order to improve their cybersecurity?
Beyond major investments, there are three key measures that make a difference. Firstly, awareness and training of employees, as the human factor remains the primary attack vector. Secondly, the implementation of basic protection measures - such as backups, system updates or access control - i.e. critical aspects that many SMEs have not yet fully implemented. And finally, the use of early warning and monitoring services, where there is still room for improvement: more than 60% of companies do not know about or do not use tools such as INCIBE's Early Warning service. The challenge is to bring these resources closer to the business community in a practical, accessible way that is aligned with their needs.