Cyberattacks threaten SMEs as AI escalates risks
Spain’s business landscape faces an unprecedented digital threat. From small shops to medium-sized enterprises (SMEs), the growing wave of cyberattacks is challenging the very survival of thousands of organizations. Recent reports, including “Ciberseguridad como activo” by Vodafone Empresas in collaboration with Spain’s National Cybersecurity Institute (INCIBE), reveal that 60% of SMEs could close within six months after a major cyberattack, highlighting the severe consequences of the digital age.
Alarming rise in cyber incidents
The scale of cyber threats is intensifying. In 2024, Spain reported 97,348 cybersecurity incidents, representing a 16.6% increase from the previous year. Of these, over 31,500 targeted businesses, with SMEs and critical service providers emerging as primary targets. This trend reflects a shift in criminal strategy: smaller companies, often with weaker security frameworks, are now prime targets for cybercriminals seeking fast, high-impact results.
This surge is not confined to conventional malware. While 42,136 malware cases were recorded, the most disruptive threat remains ransomware, which now extends beyond system encryption to include data theft and double-extortion strategies. Hackers demand payment under the threat of exposing sensitive information, significantly increasing operational and reputational risks for victims.
Ransomware and DDoS: the twin threats
Ransomware is compounded by Distributed Denial of Service (DDoS) attacks, designed to overwhelm digital platforms and render online services unusable. In Spain alone, 74,178 DDoS attacks were registered in 2024, some of significant scale, demonstrating the increasing sophistication and capacity of cybercriminal groups. For businesses reliant on online platforms, even a short outage can translate into millions in lost revenue and customer trust.
Stolen credentials and financial data
The theft of credentials and financial data has also surged. During 2024, 3.8 million email-password combinations were compromised in Spain, alongside 157,199 credit card records and 268,093 exposed IP addresses. Such data breaches not only facilitate direct fraud but also enable further attacks within corporate networks, creating a cycle of vulnerability that cybercriminals exploit for financial gain.
This stolen information fuels an increasingly professionalized underground market, with nearly 47% of detected threats linked to the buying and selling of databases on the dark web. These databases can include highly sensitive material, from patient records to user information from mobile applications or even governmental data.
The role of AI in phishing and identity theft
Artificial Intelligence (AI) has accelerated the sophistication of attacks. Phishing incidents rose 31% in 2024, while credential theft incidents increased 36%. AI-powered tools allow cybercriminals to craft highly personalized, convincing messages at scale. Deepfakes have emerged as another vector, replicating voices and images of executives to trick employees or customers into fraudulent transactions.
Alarmingly, 66.52% of phishing domains in Spain used HTTPS, exploiting a perceived sense of security to increase user trust. The rise of AI-driven attacks means that even vigilant organizations can struggle to differentiate legitimate communications from malicious ones, making prevention and rapid response critical.
PYMEs: the most vulnerable link
Despite representing 99% of Spain’s business ecosystem, SMEs remain the weakest link in cybersecurity. Around 43% of attacks handled by INCIBE targeted SMEs, and 70% of these companies cannot accurately measure the real cost of incidents on their operations, as reported by Silicon magazine. A staggering 60% of SMEs lack a defined cybersecurity strategy, often assuming they are too small to be attractive to attackers—a dangerous misconception that leaves them exposed and unprepared.
Experts emphasize that cybersecurity is a strategic investment. Yolanda Barrientos from INCIBE notes, “Regardless of size or sector, every company must understand that cybersecurity protects digital assets and reinforces trust with clients and partners.” Roberto Lara, Vodafone Empresas’ cybersecurity director, echoes this sentiment, stating, “No organization is immune; all have open windows to cybercriminal activity.”
Technician working in a high-tech server room analyzing data.
Global trends: automation and industrialized cybercrime
Spain’s challenges mirror global trends in cybercrime. According to Fortinet’s 2026 Cyberthreat Predictions Report, cybercrime is evolving into an industrialized, machine-speed system, leveraging AI and automation. Attackers are expected to automate reconnaissance, intrusion, data processing, and ransom negotiations, shrinking the time between breach and impact from days to minutes.
AI enables criminals to monetize stolen data instantly, generating personalized extortion messages. Meanwhile, underground markets are becoming more specialized, offering botnet and credential-rental services tailored to industries, geographies, and system types, often with customer service-like features. These developments reflect a shift from opportunistic crime to structured, high-volume operations, requiring defenders to match speed and sophistication.
Adapting cybersecurity strategies
In response, organizations must adopt a “machine-speed defense” approach, integrating intelligence, continuous validation, and real-time response. Frameworks like continuous threat exposure management (CTEM) and MITRE ATT&CK allow security teams to identify active risks and prioritize remediation. Identity management, including the authentication of employees, AI systems, and automated processes, becomes central to defense, preventing large-scale privilege escalation and data leaks.
Fortinet experts underscore the need for international coordination, citing initiatives such as INTERPOL’s Operation Serengeti 2.0 and cybercrime bounty programs as critical in disrupting global criminal networks. By 2027, attackers may execute semi-autonomous, swarm-based attacks and sophisticated supply-chain compromises targeting AI and embedded systems, making adaptive cybersecurity strategies essential for business continuity.
Preparing for a future of cyber uncertainty
The message from experts is clear: cyberattacks are not a question of if, but when. Companies of all sizes must invest in proactive security measures, continuous monitoring, and rapid response capabilities. For Spanish SMEs, this means shifting mindset from reactive to proactive, acknowledging that preparedness can be the difference between survival and closure in a digital-first world.
Frequently Asked Questions
What types of cyberattacks are most dangerous for Spanish SMEs?
Ransomware, DDoS attacks, and AI-driven phishing are among the most severe, often causing data theft, operational shutdowns, and financial loss.
Why are small and medium-sized businesses targeted more frequently?
SMEs often lack defined cybersecurity strategies, making them vulnerable and attractive targets for cybercriminals seeking quick, high-impact attacks.
How is AI influencing cybercrime in Spain?
AI enables attackers to create hyper-personalized phishing messages, replicate voices/images via deepfakes, and automate large-scale cyberattacks efficiently.
What steps can businesses take to defend against cyberattacks?
Implement proactive cybersecurity strategies, continuous monitoring, identity management, employee training, and adopt AI-enabled defenses to respond in real-time.
Are Spanish companies aware of the financial impact of cyber incidents?
Many SMEs underestimate the cost; about 70% cannot accurately quantify the impact of attacks, highlighting the need for better risk assessment and planning.
