Cybersecurity is no longer just a matter for big companies. More and more small and medium-sized businesses, retailers, professional firms, and freelancers rely on digital tools to invoice, sell, communicate with customers, manage payments, store documents, or work in the cloud. Therefore, when an incident occurs — a ransomware attack, credential theft, a systems outage, or data loss — the problem is not only technical: it can bring the business to a complete halt.
Against this backdrop, a new study from ManageEngine, a division of Zoho Corporation, highlights a particularly relevant finding for Spain’s business fabric: nearly 7 out of 10 companies in Spain lack a formal methodology to measure their operational cyberresilience. In other words, they do not have a clear framework to know to what extent they are prepared to anticipate, withstand, respond to, and recover from a cybersecurity incident.
The report, titled Operational Resilience in 2026, was prepared from surveys of 1,500 IT and business decision-makers across Europe, 300 of them in Spain, and includes organizations of all sizes, from small businesses with fewer than 50 employees to mid-sized and large companies.
Although the study notes that Spain is the country with the lowest percentage of recorded cyber incidents in the last 12 months among the five European markets analyzed, the figure can be misleading. 47% of Spanish organizations report having suffered a cyber incident in the last year, compared with the European average of 66%. However, having fewer reported incidents does not necessarily mean being better protected. In fact, the report warns that Spain shows lower levels of maturity in planning, recovery, and improvement after an attack.
Consequences of not having a cybersecurity strategy
For a small business or a freelancer, this lack of preparation can have very concrete consequences. Not having a clear strategy can translate into not knowing how long it would take to resume activity, which data could be lost, who should act in case of a security breach, or which systems are truly critical to keep operating.
One of the most troubling data points is that only 35% of Spanish organizations have a formal methodology to assess their overall level of cyberresilience, compared with a 56% average across the analyzed countries. In practice, this means many companies do not systematically measure their capacity to withstand an incident, nor do they have clear indicators to improve.
“The most relevant data point isn’t just how many companies have suffered a cyber incident, but how many are truly prepared to respond, learn, and reinforce their operations,” explains Andrés Mendoza, technical director for Southern Europe and Latin America at ManageEngine. In his view, organizations need “visibility, metrics, and clear procedures before, during, and after an incident.”
The problem doesn’t end there. According to the study, almost half of Spanish companies, 49%, limit themselves to making one-off improvements after a cyber incident, focused on patching the detected breach. Only 30% implement broader changes to their long-term strategy. This short-term reaction can be especially common in SMEs, where many security decisions are made after the problem has already occurred.
Another key aspect is response time. Twenty-five percent of Spanish companies do not have defined time-based objectives for detecting and responding to critical incidents. For any small business, this is essential: it’s not the same to regain access to the invoicing system in one hour as in three days; nor to restore a recent backup as to discover that the last usable backup is weeks old.
It is also concerning that 17% of Spanish organizations lack a backup strategy for disaster recovery, the highest percentage among the five countries analyzed. For SMEs and freelancers, a well-planned backup can be the difference between weathering an attack with limited damage or losing tax data, customer data, budgets, projects, or business documentation.
The study also points to a shift in the landscape: Spanish organizations expect AI-driven attacks to pose the greatest risk in the next 12 months. This includes more automated threats, more convincing phishing emails, more sophisticated impersonations, and attacks capable of exploiting human error or weak configurations more quickly.
For SMEs, the takeaway is clear: cyber resilience should not be seen as a large investment reserved for corporations, but as a practical way to protect business continuity. It’s not just about installing antivirus software; it’s about asking basic questions: which systems are essential, what data cannot be lost, how often backups are made, who can access what information, how suspicious behavior is detected, and what steps would be taken if an incident occurred tomorrow.
As Mendoza summarizes, cyber resilience requires moving from a reactive security mindset to a “continuous, measurable, and collaborative” approach, in which technology, processes, and executive accountability work together in a coordinated manner.
In a moment when digitization is advancing across all areas of business — electronic invoicing, online commerce, document management, remote work, digital payments, or cloud services — SMEs and freelancers cannot afford to improvise. Measuring cyber resilience, defining procedures, and having reliable backups are no longer optional advanced practices: they are becoming a basic condition to continue operating with confidence.
