Executive support from top management for cybersecurity in medium-sized businesses has grown by 30% compared with last year, a crucial element for aligning the security strategy with the company’s objectives. This is one of the conclusions of the II Barometer of Cybersecurity in Medium-Sized Businesses, recently published by Cylum, the cybersecurity business unit of Factum.
However, this support is not matched by an increase in investment: 70% of these companies currently allocate less than 5% of their overall IT budget to cybersecurity, only 1 percentage point better than the prior year. Looking ahead through 2026, 60% plan to raise the budget dedicated to protecting their assets, while 10% intend to reduce it.
One of the reasons for the lack of investment is tied to the level of cybersecurity maturity. Four out of ten IT leaders describe their maturity as basic, meaning that essential measures are in place but without formalized processes; these organizations need training, infrastructure investment and better security practices.
A further 30% sit at an intermediate protection level. These companies have defined strategies but still have areas for improvement, in particular strengthening policies, monitoring and incident response capabilities, in order to move to a higher level of protection.
Outsourcing and Vendors
Another finding concerns outsourcing of IT services: nearly a third (30%) of medium-sized companies work with one or two providers specialized in cybersecurity, and 10% work with more than five. In other words, the number of companies with specialized partners in this field is growing, while those relying on non-specialized third parties or exclusively on internal staff are shrinking.
62% of medium-sized companies still have difficulty complying with key regulations such as GDPR and NIS2. As 80% of these professionals report, this is largely due to a lack of financial resources and a shortage of qualified personnel. Here, Cylum experts recommend adopting frameworks such as ISO/IEC 27001 to standardize security management and minimize the risk of penalties.
Among the main risks identified by IT leaders, phishing and social engineering attacks are the most cited threat. Alongside them, ransomware continues to be one of the most critical threats for businesses. Another relevant risk identified in the study is vulnerabilities in systems and applications, reflecting the challenges many organizations still face in managing security across increasingly complex and distributed infrastructures.
“The results show a growing awareness of the risks, but many organizations still struggle to translate that concern into real defensive capabilities,” explains David López, Chief Operating Officer and Head of Pre-Sales at Cylum.