Executive summary · TL;DR

SMEs are the most attacked target in Spain because they combine valuable data with limited defences. This plan groups twenty essential cybersecurity measures organised by priority, with budget ranges suitable for an SME and references to INCIBE guides. Implementing them in order takes you from zero to a defensible posture in 90 days.

Sources: INCIBE · CCN-CERT · ENISA · NIST CSF 2.0

Spanish SMEs are an attractive target for cybercriminals: they have valuable data and resources, but are typically less protected than large corporations. According to INCIBE, in 2024 SMEs accounted for more than 70% of cybersecurity incidents in Spain. This guide presents twenty essential measures to protect your SME, organised by priority and complexity of implementation.

Basic measures: the essential foundation

1. Multi-factor authentication (MFA)

Activate MFA on all critical systems: email, banking, CRM, ERP, administration portals. MFA blocks more than 99% of attacks based on stolen credentials according to Microsoft data. Tools such as Google Authenticator, Microsoft Authenticator or hardware keys (YubiKey) are accessible and effective.

2. Backups with the 3-2-1 rule

Three copies of the data, on two different media, with one copy off-site. The off-site copy is critical against ransomware, which encrypts everything it can reach over the network. Verify the backups monthly with restore tests.

3. Updates and patching

Operating systems, applications and firmware must be kept up to date. Many ransomware attacks exploit vulnerabilities patched months before. Automate updates where possible.

4. Endpoint protection

Modern endpoint detection and response (EDR) tools go beyond traditional antivirus, detecting suspicious behaviour. Affordable options for SMEs include Microsoft Defender, Bitdefender, Sophos or CrowdStrike Falcon.

5. Email security

Email is the most common attack vector. Implement anti-phishing and anti-malware filtering, SPF, DKIM and DMARC records (anti-spoofing), email encryption for sensitive information, and quarantine for suspicious attachments.
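The SPF and DMARC records mentioned above are plain DNS TXT strings, and a weak setting (a neutral `?all`, a `p=none` policy with no reporting address) leaves the domain spoofable even though "a record exists". The checker below is an added example, not code from the original guide; the records it evaluates are constructed strings standing in for what a DNS TXT lookup would return for a hypothetical domain, with the weak setting shown beside the corrected one.

```python
"""Added example: flag weak SPF/DMARC TXT records (RFC 7208 / RFC 7489 tags).
The records are constructed strings standing in for DNS TXT lookups of a
hypothetical domain; names ending in .invalid are placeholders."""
import re

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per record.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _mech_name(term):
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def check_spf(txt):
    """Return findings for an SPF record; an empty list means it is sound."""
    if not txt.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings, terms = [], txt.split()[1:]
    # The qualifier on 'all' decides the fate of senders not matched earlier.
    all_terms = [t for t in terms if _mech_name(t) == "all"]
    if not all_terms:
        findings.append("missing 'all': unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets anyone send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is not rejected")
    lookups = sum(1 for t in terms if _mech_name(t) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(txt):
    """Return findings for a DMARC record; an empty list means it is sound."""
    pairs = (p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if "p" not in tags:
        findings.append("missing required 'p' tag")
    elif tags["p"] == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports on who spoofs you")
    return findings

WEAK_SPF = "v=spf1 include:_spf.mailer.invalid a mx ?all"
STRONG_SPF = "v=spf1 include:_spf.mailer.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"
```

Calling `check_spf(WEAK_SPF)` and `check_dmarc(WEAK_DMARC)` lists the weaknesses; the corrected records return no findings.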

6. Strong passwords and password manager

Make a password manager (1Password, Bitwarden, KeePass) mandatory, with a unique strong password for every service. The policy of "one master password, everything else random and unique" reduces risk dramatically.

7. Awareness training

The human factor is involved in 95% of incidents. Mandatory periodic training, phishing simulations and a culture in which reporting suspicious activity is rewarded.

Intermediate measures: levelling up

8. Network segmentation

Separate critical networks (production, finance) from general user networks. Isolate guest Wi-Fi from the corporate network. Use VLANs and properly configured firewalls.

9. Access control with least privilege

Each user receives only the minimum permissions necessary to do their job. Quarterly review of permissions. Removal of accounts of departed employees within 24 hours.

10. Data encryption

Disk encryption on laptops (BitLocker, FileVault), encryption of sensitive data at rest, TLS for data in transit, and encryption of backups.

11. Centralised log monitoring

Collect and analyse logs from systems and applications. Affordable SIEM tools for SMEs: ELK Stack (open source), Graylog, Wazuh or commercial solutions such as LogPoint or Datadog.

12. Vulnerability management

Quarterly vulnerability scans with tools such as Nessus, OpenVAS or Qualys. Annual penetration testing on critical assets. Risk-based prioritisation of remediation.

13. Mobile device management (MDM)

Centralised management of phones and tablets that access corporate data. Tools such as Microsoft Intune, Jamf (Apple) or Workspace ONE. Enables remote wipe on lost or stolen devices.

14. Documented incident response plan

Document who does what when an incident is detected. Define communication channels, escalation criteria and recovery procedures. Run annual tabletop exercises with the management team. See also the ENS protocol for cybersecurity incident management.

Advanced measures: mature posture

15. Zero Trust Architecture

"Never trust, always verify". Continuous verification of identity and context, no matter where the user connects from. Microsegmentation of network and applications.

16. SOC and managed detection

For SMEs that cannot afford an in-house SOC, MDR (Managed Detection and Response) services from specialised providers offer 24/7 monitoring at affordable cost.

17. Threat Intelligence

Subscribe to threat intelligence feeds relevant to your sector. CCN-CERT publishes free reports for Spanish entities. ENISA provides European-level intelligence.

18. Supply chain security

Assess the cybersecurity of your critical suppliers. Contractual security clauses. Periodic audits. Third-party-risk-management programme.

19. Tested business continuity plan

Beyond technical backups, a complete BCP/DRP with annual simulations and defined RTO and RPO objectives. See also the business continuity plan under the ENS.

20. Continuous improvement and metrics

Cybersecurity KPIs reviewed monthly: MTTD (mean time to detect), MTTR (mean time to respond), patching cadence, phishing-test results, training coverage. Use them to demonstrate progress to the board and to justify investment.

Sensible budget for an SME

A typical SME (50-200 employees) should invest 3-7% of its IT budget in cybersecurity. For a company with an annual IT budget of €200,000, this represents €6,000-14,000 per year in cybersecurity (excluding infrastructure that already incorporates security). A realistic distribution: 40% in tools and software, 30% in services (consultancy, audits, MDR), 20% in training and awareness, 10% in incident response and reserve.

Where to start

If you start from a low maturity level, the priority order is: measures 1-7 (immediate, low cost), then 8-14 (in 6-12 months) and finally 15-20 (in 1-2 years). Don't try to do everything at once: a steady programme with quarterly milestones is more effective than an ambitious plan that gets stuck.


Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.

Frequently asked questions

What budget should an SME allocate to cybersecurity?

Between 3% and 7% of the IT budget. For a company with €200,000 of annual IT spend, this means €6,000-14,000 per year in cybersecurity, distributed across tools, services, training and reserve.

Where should an SME start?

With the seven basic measures: MFA, 3-2-1 backups, updates, endpoint protection (EDR), email security, password manager and awareness training.

Is INCIBE a useful resource?

Yes. INCIBE publishes free guides specifically for SMEs and is the Spanish point of reference for cybersecurity support to SMEs and citizens.

What does MFA mean?

Multi-factor authentication. It blocks more than 99% of credential-based attacks according to Microsoft and is a top-priority measure for any SME.

Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro