Cybersecurity now sits at the center of corporate agendas worldwide. Yet between the declared intent to protect and the actual deployment of effective measures, a gap persists that leaves many SMBs more exposed than they realize. Although Spanish SMBs lead the global ranking in trust in cybersecurity, 47.5% report feeling secure in managing cyber threats, data show that this positive perception masks gaps in basic security measures and in employee training.
This is highlighted by the Sage and IDC study “SMBs in the AI Era: How to Face the Complexity of Cybersecurity and Strengthen Resilience.” It analyzes the main cybersecurity concerns of businesses and identifies the strategic changes needed to move from reactive defense to proactive security, as well as sustainable cyber resilience adapted to the risks of new technologies like AI.
Fewer incidents, but gaps in basic cybersecurity management practices
Spanish SMBs believe they are navigating a stable cyber threat landscape, claiming fewer cyber incidents than the European average (38.5% vs. 45.5%), which reinforces their sense of strength.
However, behind this strength lie significant gaps in the most fundamental security measures. Spanish SMBs show lower adoption in key areas of basic protection:
- Email protection (72% vs. 79.2% global)
- Endpoint protection (61.5% vs. 66.8% global)
- Multifactor authentication or MFA/SSO (57.5% vs. 62.2% global)
These data reveal that basic cybersecurity practices need to be reinforced. Although many SMBs have said they prioritize basic security measures, the study also shows that far fewer companies conduct periodic security reviews (50%) or test their incident response plans (36%), which limits the real effectiveness of investments when attacks occur.
Nevertheless, more than half (52%) of the SMBs surveyed view cybersecurity and data protection as one of their top business priorities for the next 12 months, only behind growth (59%) and well ahead of expanding AI adoption (33%). In addition, six in ten SMBs (60%) also expect to increase cybersecurity spending during the same period.
The human factor remains the weakest link
Beyond tools, reviews, and investment, the main weak point in cybersecurity for Spanish SMBs remains people. 36% of Spanish companies cite a lack of employee awareness about cybersecurity expectations as one of their top challenges, a figure that is six points above the global average (30.2%). Despite this vulnerability, Spanish companies demonstrate a culture of active awareness, with 6 in 10 (62%) stating they train their workers to identify cybersecurity risks.
These results gain particular relevance in a context where Spain’s regulatory framework demands an increasing level of cybersecurity preparedness, from the transposition of the NIS2 European Directive to the guidelines of the National Security Scheme (ENS) and INCIBE recommendations for SMBs.
“Spanish SMBs show notable confidence in their management of cyber threats, but this study reminds us that, without a solid everyday protection base, that confidence can become a vulnerability. At Sage, we work to make security part of the day-to-day for Spanish SMBs, integrated into the management tools they already use, without adding complexity to an already demanding regulatory environment,” says José Luis Martín Zabala, Managing Director of Sage Iberia.
Spanish SMBs embrace AI with conviction
AI deployment is increasing pressure on SMB cybersecurity. Yet Spain stands out as the country where SMBs place AI high on their business agenda, with almost four in ten (37.5%) considering it one of their top business priorities, the highest share across all markets analyzed in the study. This strategic bet is paired with a decidedly optimistic outlook: nearly four in ten Spanish SMBs (39.5%) believe AI creates more opportunities than risks, above the global average (37%).
This enthusiasm also translates into how Spanish SMBs view their readiness. 30% consider themselves prepared to tackle AI-related cyber threats, six points above the world average (25%).
Moreover, the study reveals that AI has driven deeper, more structural security transformations in Spain than elsewhere in the world. In fact, 8.5% report already having mature AI security (vs. 5.6% globally) and 10.5% have completely overhauled their IT security approach as a result of AI deployment, exceeding the global figure by more than three points (7.4%).
This contrast becomes even more striking when viewed against the global landscape. Eight in ten (81%) SMBs worldwide are not prepared or are in the early stages of preparation for AI-related threats, and nearly a quarter (22%) have not implemented AI-specific protections for AI applications.
Tools and regulation, main challenges to secure AI adoption
However, Spanish optimism has its blind spots. The study highlights that a lack of specific tools acts as a barrier to truly secure AI adoption in Spanish SMBs. 19% report the absence of solutions to monitor and detect AI-related security risks, more than double the global average (12.2%).
To these challenges adds a paradox: they perceive AI regulations as both a guarantee and a constraint at the same time. Spanish SMBs are generally better prepared to meet AI regulations than peers in other markets. However, 35.5% say these regulations are slowing technology adoption, above the global 32.4%.
Gustavo Zeidan, Chief Information Security Officer at Sage, says, “Many SMBs are excited about AI’s potential, but they are seeking simple and practical ways to adopt it safely as threats become increasingly sophisticated. Businesses should not have to choose between innovation and security. By facilitating cybersecurity implementation through security-by-design products, clearer guidance, and collaboration between the private sector and public authorities, we can help SMBs build resilience, innovate safely, and grow at the right pace.”
Joel Stradling, European Security Senior Research Director at IDC, explains that “the study suggests many SMBs still believe they are not a top target for cyberattacks, even as threats grow more sophisticated and widespread. IDC recommends SMBs integrate cybersecurity into their AI initiatives from the start and adopt a holistic cyber resilience approach. SMBs that bridge their growth ambitions with security readiness will be well-positioned to foster long-term digital trust among customers, partners, and investors.”
