Small and medium-sized businesses continue to face an increasingly risky cybersecurity environment. In recent months, cyberattacks have not only risen in frequency but have also had a significant impact on the operational and financial stability of organizations. According to Hiscox’s 2025 Cyber Readiness Report, only 1% of affected Spanish SMEs managed to avoid any consequences arising from cyberattacks in the last 12 months.
The consequence of cyberattacks: a persistent threat
The analysis of the main consequences suffered by Spanish companies after a cyberattack shows the impact remains high, although in some cases a slight improvement compared with the previous year is observed.
Financial loss from payment diversion fraud continues to be the most frequent consequence, affecting 53% of companies, compared with 55% in 2024 and 38% in 2023. They are followed by distributed denial-of-service (DDoS) attacks, which affected 49% of organizations, a figure slightly below 51% last year, but well above 24% in 2023.
Meanwhile, misuse of IT resources, such as cryptocurrency mining or botnet creation, has impacted 43% of companies, down from 53% in 2024, though still far from the 23% registered in 2023. As for ransomware, including cyber extortion, 31% of companies report having suffered it, compared with 38% the prior year.
Data breaches also remain a notable concern. 30% of companies report unencrypted data loss, compared with 35% in 2024, while 26% suffered encrypted data loss, below the 33% recorded last year. Additionally, virus outbreaks (excluding ransomware) have declined notably to 20%, from 46% in 2024.
Vulnerability verification: a practice increasingly widespread
Against this backdrop, Spanish companies are strengthening their prevention strategies by conducting cyber vulnerability verifications, such as penetration tests or attack simulations. Specifically, 18% of organizations perform these checks at least weekly, 26% do so a couple of times per month, and 28% about once a month. Additionally, 19% carry out these evaluations quarterly.
Collectively, 72% of companies perform verifications at least monthly, and 91% do so at least quarterly, demonstrating a high level of awareness around identifying vulnerabilities. Practically the entire Spanish business landscape (99%) says they have carried out this type of testing at some point.
The supply chain, a key link in cybersecurity
Protection against cyberattacks not only concerns a company’s own infrastructure but also covers its entire ecosystem of suppliers and partners, which can become an entry point for attackers if not properly managed. In this sense, cybersecurity risk assessments in the supply chain have become a more common practice among Spanish companies, reflecting heightened awareness of the importance of third-party risk management.
Thus, 18% of companies review these risks at least weekly, indicating ongoing, proactive monitoring. This group is joined by organizations that perform frequent evaluations, such as 21% who do so several times a month and 25% who carry out these analyses monthly, forming a sizable bloc of companies that routinely monitor the security of their partner network. Meanwhile, 24% opt to conduct these assessments on a quarterly basis, further evidence of integrating these processes into the company’s periodic planning.
Overall, these data show that 64% of companies assess supplier risks at least monthly, while 88% do so at least quarterly, underscoring that the vast majority maintain some form of regular control over their supply chain. Moreover, the fact that 99% of companies have conducted this type of analysis at any time reflects a near-universal concern about third-party risks and their potential impact on the organization’s overall security.
