What risks do SMEs face if they do not invest in cybersecurity? In this interview, you'll discover how to avoid financial losses, reputational damage, and legal penalties. You will also learn practical steps to protect your business, free tools from INCIBE, and exercises like phishing simulations to prepare your employees.
- What risks do small and medium-sized businesses face if they don’t invest in cybersecurity?
The main risk, in my opinion, is financial loss, which can come in the form of money or data as well. To give you an idea, 60% of Spanish small and medium-sized businesses that suffer a cyberattack do not recover from it. So that gives us a clear sense that this is a real and significant risk.
Another risk? Reputational damage. If I’m a small business and I experience a security incident, it can affect my customers’ trust. It can harm my company’s image because my systems aren’t properly secured, and that can impact the services I provide.
And finally, legal penalties. There are regulations, such as the General Data Protection Regulation (GDPR), and if our systems aren’t properly secured—or if it’s interpreted that a data breach occurred due to poor security—there can be significant fines and legal consequences.
- What steps should a small or medium-sized business take to become more cybersecure?
Education and training. For me, that’s the foundation of cybersecurity—being able to train our employees. And often that training comes down to good practices, basic concepts, and common sense. In other words, what do I do in my physical life that I don’t apply in my digital life?
Then, it’s important to assess risks—that is, to identify what I have in my company, what assets (as they’re called in cybersecurity) I possess, and what valuable elements I need to protect. I need to evaluate what they’re exposed to. It’s not the same to just have office software as it is to have a device connected to a large cloud database, which is very common nowadays. So I need to understand what I have, what’s important to me, and what I’m exposed to.
Next, implement basic security measures, such as installing firewalls, antivirus software, and backups. For example, going back to what we mentioned earlier about ransomware attacks—many companies can’t recover their data because the advice is not to give in to blackmail, since there’s no guarantee you’ll get your information back. And even if you do, you’re encouraging illegal practices. But if I have a full backup of my system, and I’ve tested it and know it works, then if I’m compromised, I can restore everything and deploy that backup from scratch.
And finally, free resources. The internet is full of them. But INCIBE, the National Cybersecurity Institute, has an entire section for businesses—especially small and medium-sized ones—that offers materials and guides for free, which are very easy to follow.
- What tools can small and medium-sized businesses use to assess their level of cybersecurity?
For example, INCIBE, in its section for small and medium-sized businesses, offers a series of free tools—like a very basic Excel sheet or a tool called 'Check your risks in 5 minutes'.
What do we achieve with that? Well, we learn where to look and what’s important. Normally, what we need to consider in this type of audit is: What is most important to me? What could I absolutely not continue operating without? And what would cause the most damage if it were attacked?
That’s what I need to think about first. Once I have the answer, that’s where I need to focus my resources and efforts—both financially and in terms of personnel.
- What practical exercises can small and medium-sized businesses carry out to prepare their employees for cyberattacks?
Phishing simulations—what is phishing? Phishing is usually a malicious email or message that tricks someone into taking an action, like clicking on a link or downloading a file, which then gives access to their computer—and from there, potentially to the rest of the company’s systems. So simulating those malicious emails from time to time and testing employees helps keep them more alert.
For me, it’s essential to let them practice—without expecting it, without knowing it’s coming. It should look like just another regular email, with something downloadable, and then we can see how many people click on it. And it’s super important that we can measure it. Because if we run the simulation but don’t track the results, we won’t know what to improve. The goal isn’t to point fingers at who clicked, but to identify if there are common weaknesses among employees—so we can focus more on training in those areas.
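One way to tally the results of such a simulation so that weaknesses are measured per department rather than pinned on individuals (an added Python example, not from the interview; the result records and the 50% threshold are constructed for illustration):

```python
from collections import defaultdict

# Constructed sample results from one phishing simulation (not real data).
# Each record: (employee id, department, opened email, clicked link, reported to IT)
SIMULATION_RESULTS = [
    ("e01", "sales", True, True, False),
    ("e02", "sales", True, True, False),
    ("e03", "sales", True, False, True),
    ("e04", "finance", True, True, False),
    ("e05", "finance", False, False, False),
    ("e06", "it", True, False, True),
    ("e07", "it", True, False, True),
    ("e08", "admin", True, True, False),
    ("e09", "admin", True, False, False),
]

def summarize_by_department(results):
    """Aggregate per department so the report never names who clicked."""
    counts = defaultdict(lambda: {"sent": 0, "opened": 0, "clicked": 0, "reported": 0})
    for _emp, dept, opened, clicked, reported in results:
        c = counts[dept]
        c["sent"] += 1
        c["opened"] += int(opened)
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    summary = {}
    for dept, c in counts.items():
        summary[dept] = {
            "sent": c["sent"],
            "click_rate": round(c["clicked"] / c["sent"], 2),
            "report_rate": round(c["reported"] / c["sent"], 2),
        }
    return summary

def training_priorities(summary, click_threshold=0.5):
    """Departments whose click rate meets the threshold, worst first (ties by name)."""
    flagged = [(d, s["click_rate"]) for d, s in summary.items()
               if s["click_rate"] >= click_threshold]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))

def overall_click_rate(results):
    """Company-wide click rate, the number to track from one campaign to the next."""
    clicked = sum(1 for r in results if r[3])
    return round(clicked / len(results), 2)

if __name__ == "__main__":
    summary = summarize_by_department(SIMULATION_RESULTS)
    for dept, s in sorted(summary.items()):
        print(f"{dept:8} sent={s['sent']} click={s['click_rate']} reported={s['report_rate']}")
    print("overall click rate:", overall_click_rate(SIMULATION_RESULTS))
    print("focus training on:", training_priorities(summary))
```

Re-running the same tally after each campaign shows whether the click rate is falling and the report rate is rising, which is the improvement the training is meant to produce.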
