Spanish companies are grappling with an unprecedented surge in cyberattacks, yet investment in cybersecurity remains alarmingly low. According to the 2024 Cyber Preparedness Report, 57% of businesses allocate only 1–10% of their IT budgets to security measures1. This trend persists despite the fact that 81% of organizations face costs of approximately €100,000 per major cyber incident1. The disparity between threat levels and budgetary commitments raises critical questions about organizational resilience.
Budget Allocation Trends
The median company dedicates just 4% of its IT budget to cybersecurity, with 60% of IT leaders attributing this to a “lack of maturity” in security programs6. Regional disparities exist: Latin American banks allocate 7–10%8, while 32% of global enterprises spend only 1–3%4. These figures contrast sharply with the 66% year-over-year increase in cyberattacks reported in Spain during Q1 20252.
Emerging Threat Landscape
AI-driven threats now surpass human capabilities in phishing campaigns, with generative AI tools demonstrating higher success rates2. This aligns with findings that 56% of firms report increased vulnerability due to AI adoption3. Meanwhile, operational technology (OT) environments show systemic weaknesses—55% contain four or more remote-access tools, creating exploitable entry points2.
| Metric | Value | Source |
|---|---|---|
| Companies allocating 1–10% of IT budget to security | 57% | 1 |
| Median security budget allocation | 4% | 6 |
| Q1 2025 attack increase in Spain | 66% | 2 |
Industry Responses
Some organizations are adapting: 70% of firms plan budget increases, focusing on cloud security and ransomware defenses5. CyberArk recently launched an AI protection solution, while Palo Alto Networks exposed the “Slow Pisces” malware campaign targeting cryptocurrency firms via LinkedIn and GitHub2. However, EU SMEs still lag 15% behind larger enterprises in implementing security controls2.
Strategic Recommendations
Organizations should consider these steps:
- Benchmark security spending against industry peers (e.g., banking sector averages)
- Prioritize AI threat detection capabilities
- Conduct OT environment audits to identify excessive remote-access tools
The data reveals a troubling gap between cyber risk and resource allocation. With threat actors increasingly leveraging AI, companies allocating less than 10% of IT budgets to security may face disproportionate consequences. Future research should examine whether budget constraints correlate with specific attack success rates.
References
- “57% de las empresas destinan apenas 1% y 10% del presupuesto de TI para ciberseguridad,” Data Center Dynamics, 2025.
- Various articles, CyberSecurity News, Apr. 2025.
- “Empresas españolas advierte que el uso de IA aumenta las posibilidades de sufrir ciberataque,” El Español, 2024.
- “Un tercio de las empresas solo dedican entre el 1% y el 3% de su presupuesto de TI a seguridad,” IT Digital Security, 2023.
- “El 70% de las empresas aumentará el presupuesto en ciberseguridad,” Lantek.
- “La mediana empresa apenas destina un 4% de su presupuesto informático a ciberseguridad,” Revista Ciberseguridad, Mar. 2025.
- “Sector bancario y ciberseguridad en América Latina,” OAS, 2018.
