Cybersecurity in small and medium-sized enterprises: vulnerabilities, threats and the development of cyber insurance

Authors

DOI:

https://doi.org/10.26360/2025_01

Keywords:

Cybersecurity, SMEs, cyberattacks, cyber insurance

Abstract

Small and medium-sized enterprises (SMEs) represent an essential pillar of the global economic structure. However, their increasing digitalisation also exposes them to a growing number of cyberattacks. Despite their vulnerability, many of these companies do not prioritise cybersecurity due to a lack of resources, knowledge and a misperception of risk. A review of the literature published between 2019 and 2025 is conducted to understand the current state of research in the field of SME cybersecurity and the development of cyber insurance. The results indicate that SMEs lack adequate protection measures, with phishing, ransomware and supply chain attacks being the most frequent types of attacks. Furthermore, while cyber insurance offers an effective solution for business protection and mitigation, its adoption remains low due to a lack of awareness and economic barriers. The review concludes that there is a need to develop accessible cybersecurity strategies and promote the adoption of cyber insurance adapted to the reality of SMEs.

Published

2025-09-16

How to Cite

El Ferjani El Ferjani, I., Manuel, & Santolino Prieto, M. A. (2025). Cybersecurity in small and medium-sized enterprises: vulnerabilities, threats and the development of cyber insurance. Anales Del Instituto De Actuarios Españoles, (31), 1–17. https://doi.org/10.26360/2025_01

Issue

Section

Research articles