
Security practices for SMEs

As the end of the year approaches, the general population is more inclined to make festive purchases. And although Christmas boosts online shopping, it also drives digital scams. Last year alone, digital fraud affected 304,746 people, according to the 2024 Report on Cybercrime in Spain, produced by the Cybersecurity Coordination Office (OCC). But cybercrime does not only affect individuals. Addressing cybersecurity for SMEs has become as crucial as protecting individual consumers.

Broadly speaking, small and medium-sized enterprises have become a high-value target for organised crime. Cybercriminals know that these companies often have fewer resources and specialised personnel, making them easy and profitable targets for attacks. For this reason, security for SMEs must be a priority.

SMEs, the primary target of cybercriminals

This year, 1 in 4 companies (24%) has been the victim of a ransomware attack, a worrying increase compared to last year, when this figure stood at 18.6%. So, what is behind this change? Mainly the following factors, for which we have taken the recent Hornetsecurity report, Cybersecurity Trends for 2026, as a reference:

Human error, the main risk

Every year, the number of cybercriminals willing to commit malicious acts at the slightest opportunity grows. However, it turns out that the main responsibility for this lies with people. This is according to Proofpoint, a cybersecurity platform that focuses on protecting people, data and brands from advanced threats. Based on the experience of 66% of CISOs, it is people themselves who open the door to cybercriminals through data leaks and internal compromise.

AI, also a driver of cybercrime

With the application of Artificial Intelligence in all sectors and areas, it is clear that cybercriminals were not going to take long to jump on the bandwagon of new technologies. So much so that more than three-quarters of CISOs (77%) have seen an increase in the use of AI-driven phishing, although traditional phishing remains the main attack vector in almost half of all cases.

‘False compliance’, a fictitious check

Despite the growing challenges, small and medium-sized enterprises are not ignoring them. Many, in fact, meet a certain superficial level of cybersecurity compliance (one of the most popular options here is ‘check-box’ training). And although the intention is good, without adequate follow-up it can lead to an increase in human error, especially in circumstances involving social engineering.

Good security practices for SMEs

After analysing the current context, it is important to differentiate between the two main pillars that support security for SMEs: on the one hand, digital security and device protection, which focuses on protecting technological infrastructure and data; and, on the other hand, preventive culture, the human factor that focuses on raising employee awareness of the need to create a first line of defence. In fact, the latter is the first thing we should consider and implement, as it is what will keep us safe in 95% of cases.

Digital and device security

When thinking about security practices that SMEs can implement, the most common approach is to consider digital measures. "If we face digital risks, what better idea than to protect the devices we use in our daily lives?" they often ask themselves, and this is precisely one of the arguments that explain why this protection is necessary.

Faced with the need to protect themselves, SMEs must implement several layers of defence:

Two-factor authentication

Using only a password is not enough, no matter how robust and secure it may be. Adding an extra layer of security for SMEs through a second verification (such as OTP codes) greatly hinders unwanted access.

Updated software and operating systems

We often forget to update the software and operating system of the devices we use, such as our mobile phones or computers. Not for any specific reason, but because, in our day-to-day lives, we don’t usually keep track of when we need to update them. This is a big problem because updates often include security patches that fix bugs or vulnerabilities that cybercriminals could exploit.

Control access to information

Each user should have their own individual account and access permissions should be set for each position, following the principle of “least privilege” (access only to what is strictly necessary for their work).

Make backups

Regular automatic and encrypted backups should be made and stored in a secure location (ideally outside the company network) so that data can be recovered in the event of loss or deletion due to ransomware or technical failures.

Protect portable devices

For computers, tablets, and mobile phones used outside the office, disk encryption is essential to ensure that information is unreadable if the device is stolen or lost. The use of remote wipe systems is also recommended.

Lock devices

This is a very easy practice that can help any employee. When you stop using your computer or mobile device (for example, when you go to the toilet or heat up your lunch), it is a good idea to lock it.

Preventive culture

The term preventive culture – also known as ‘safety culture’ – refers to the set of shared beliefs and activities carried out by members of a company to ensure the well-being of all employees. It is a commitment that stems from the pursuit of safety, the promotion of digital well-being and health, and an awareness of the threats and consequences we may face.

Although preventive culture does not necessarily focus on the digital environment and also covers the prevention of occupational hazards, it is especially in the last decade that preventive measures aimed at protecting workers from cybercriminals have taken centre stage.

In practice, some of the measures taken to promote preventive culture within the company are:

  • Train employees. It all starts with making employees aware of what they may face and what the consequences may be. Once they understand the risks, they must be trained to recognise dangerous situations or threats and know how to react to them. But training alone is not enough: many companies have undergone cybersecurity training, but when it came down to it, it proved insufficient or ineffective. To try to avoid this, sessions should be regular, updated in line with new attack trends and tailored to each role or company.
  • Establish protocols. It is advisable to set out clear security and incident response policies in writing, as 8 out of 10 companies are already doing by having a Disaster Recovery Plan in place. In addition, putting them into practice through drills can help us to act more quickly when faced with a real situation.

Cybersecurity as a double defence for SMEs

To build a robust defence, SMEs must approach security from a dual perspective: investing in technological infrastructure (digital security) and investing in internalising a preventive culture at their core. Digital factors such as a combination of up-to-date systems, encrypted backups and two-factor authentication, together with a well-trained and aware workforce, are the only way to significantly reduce the risk of digital fraud or scams. Digital tools such as those offered by Viafirma facilitate this double layer of security, for example by requiring two-factor authentication for the signing of important documents.

Cybersecurity should therefore not be seen as a cost, but as an essential investment in business security, customer trust and the survival of SMEs in the digital ecosystem.

Noelia García

Noelia is part of Viafirma's Marketing Department, where she is responsible for strategy and writing corporate blogs. She brings readers the latest news on technology, digital identity and digital transformation in a clear, useful and up-to-date manner.
