During 2025, Spanish companies are facing a significant increase in cyberattacks. The rapid evolution of artificial intelligence and the greater sophistication of cybercriminals are causing a surge in incidents that jeopardizes the digital security of the national business landscape.
In light of this situation, many companies are strengthening their defense systems by investing in cybersecurity technologies and protocols. However, when attackers manage to exploit a vulnerability, the speed of reaction becomes a decisive factor in minimizing damage and resuming activity with the least possible interruption.
According to data from Stoïk, the first European insurtech specializing in cyber risks for companies with revenues of up to 1 billion euros, during 2024, 74% of ransomware incidents were successfully managed in less than a week. However, only 22% of the affected organizations managed to fully restore their activity in less than 12 hours, highlighting the importance of being prepared to act effectively and quickly in the face of such threats.
“The speed of reaction to an incident not only limits the economic impact but is also essential for preserving the trust of customers and partners. In an increasingly digitized environment, being prepared to act effectively is more important than ever,” explains Diego Montojo, Cyber Underwriter for Iberia at Stoïk.
Well-Configured Backups: The Key to Successful Recovery from a Ransomware Incident
However, there is a correlation between the presence of well-configured backups and response time to incidents. Stoïk has found that, in 100% of cases where there were immutable backups or completely disconnected from any IT network, and perfectly configured, the management of ransomware attacks and their recovery occurred in less than 12 hours.
“Recovering an entire company after a cybersecurity incident in such a short time is quite an achievement. This has been made possible by advances in technology, among other factors. For this reason, at Stoïk, we work on raising awareness and constantly improving, offering the best service available to our insureds,” says Montojo.
In contrast, in all cases where the management time exceeded a week, the backups of the affected companies were not correctly configured or, even if they were, the IT teams could not restore all necessary files to restart the system, shedding light on the importance of having well-configured backups.
“A large number of companies believe they have their backups properly configured and restorable when, in reality, they can only restore part of the files. While restoring a file or a virtual machine is quick, restoring an entire file server often takes several hours longer than anticipated in the BCP (Business Continuity Plan). Therefore, at Stoïk, we believe it’s important for companies to conduct two annual complete restoration tests of their backups to be able to quickly resume activity in the event of a ransomware incident,” states the Cyber Underwriter for Iberia at Stoïk.
Preventive Measures to Help Companies Recover After a Cyberattack
Managing an attack by a cybercriminal is not an easy mission for cybersecurity departments and external teams. Achieving this in the shortest time possible and with minimal impact on the companies is even more difficult. Among the solutions is not only the need to have well-configured backups but also to implement a series of changes to be prepared for a possible incident. Stoïk warns of four measures to try to minimize recovery time after an attack:
Preparation: It’s important to have procedures for managing security breaches, such as a crisis management plan, a BCP (Business Continuity Plan), etc. These plans help companies anticipate possible breaches and know how to act in case one occurs. Conducting incident management drills and simulations could significantly reduce recovery time as well.
EDR Systems: The implementation of a managed EDR (Endpoint Detection and Response) system is directly related to a significant reduction in ransomware attack frequency, thanks to its proactive detection capabilities, rapid isolation, and advanced investigation. This way, implementing an EDR allows for the generation and centralization of logs of what happens in the information system for further investigation.
Backups: It is also important to have a copy of the critical data and elements of the IT system on a physical device that is isolated from the Active Directory, allowing companies to recover those systems and vital critical information for their business sooner.
- Multi-Factor Authentication: One of the most emphasized points in the business cybersecurity environment is the importance of having multi-factor authentication (MFA) to protect against potential external agents trying to penetrate the company.
“Although companies in Spain are increasingly better protected, there is still much work to be done in terms of cybersecurity. It is a significant risk for businesses, and everyone must be aware that they may be targeted at any moment. Thus, the question is not whether they will be affected but when they will be,” emphasizes Montojo. “It’s important for companies to understand that having advanced prevention tools is not enough; this should be combined with cyber insurance to cover damages in the event of a loss. At Stoïk, we advocate for this combination because we believe in the importance of centralizing everything under one umbrella, which greatly facilitates communication and management with companies.”