Cybersecurity service

Cybersecurity for companies. Real defence, not a blinking box.

Security audit, strategic plan, Fortinet or Sophos firewalls, immutable backup and team training. NIS2 and ENS compliance. 26 years protecting mid-sized companies across Spain, Portugal and international markets.

Cybersecurity is no longer optional

Five years ago, cybersecurity for mid-sized companies was a topic that came up after the external audit, usually in a rush and with an improvised budget. Today it's a structural requirement: NIS2 mandates it, insurers demand evidence, corporate clients require certifications, and ransomware attacks have moved from occasional headlines to everyday operational risk. The question isn't whether your business will be the target of an attempted breach — it already is, every business is — but whether your organisation is ready to detect, contain and recover from one without stopping the business.

At Impulso Tecnológico we design, deploy and operate enterprise cybersecurity programmes for mid-sized companies across Spain, Portugal and the other 24 countries where we have active clients. We don't sell isolated "security solutions" — we sell a coherent programme covering audit, prevention, detection, response and training, with leading technologies (Fortinet, Sophos, Microsoft Defender, Veeam) and an in-house team with active certifications in each of them. When an incident happens, we pick up the phone first, not fourth.

[Image: security operations centre with real-time threat-monitoring screens]
SOC of one of our corporate clients: real-time threat monitoring, endpoint telemetry and custom detection rules. The difference between catching ransomware in 4 minutes or in 4 days.

Security audit: start from where you actually are

Every security plan starts with an honest diagnosis. Our security audit combines technical analysis and organisational review to produce a complete map of the current attack surface, exploitable vulnerabilities, the policies that are missing and the ones that are excessive. We don't use generic templates — we tailor the scope to the client's sector, size and architecture.

The process covers, at minimum:

  • Infrastructure analysis: network review, segmentation, switch and firewall configuration, WiFi access points and cloud architecture (Microsoft 365 / Azure / AWS where applicable).
  • Critical-asset inventory: servers, databases, business applications, privileged identities. Anything worth protecting.
  • Identity and access analysis: review of accounts with elevated permissions, real MFA usage, password policies, orphaned access.
  • Vulnerability testing: automated internal + external scanning, manual validation of critical findings, prioritisation by real risk (not isolated CVSS scoring).
  • Process review: incident response, backups, change management, user training. The human factor is responsible for more breaches than any technical failure.
  • Regulatory compliance: fit with NIS2, Spain's National Security Framework (ENS), ISO 27001 and GDPR per client profile.

Deliverables: an executive report (for management) and a prioritised technical plan (for IT) with realistic timelines and closed budget per phase. No opacity.

[Image: consultant team running an in-house security audit]
On-site audit: combined review of infrastructure, identities and processes. The part most providers skip in order to sell you the firewall directly.

NGFW firewalls and segmentation: the perimeter still matters

Despite the Zero-Trust paradigm and the fact that the office network is no longer the only frontier, the next-generation firewall (NGFW) remains a central piece of any enterprise security architecture. The difference now is that it does much more than filter ports: it inspects encrypted traffic (SSL/TLS), applies policies by application and user identity, integrates IPS/IDS, and communicates with the rest of the security stack.

We work as certified partners with the two platforms that fit mid-sized companies best:

  • Fortinet FortiGate: our recommendation when the client prioritises performance, an integrated ecosystem (Security Fabric with FortiSwitch, FortiAP, FortiClient) and reasonable licensing cost at scale. Excellent for multi-site SD-WAN.
  • Sophos XGS: our recommendation when Sophos Central is already deployed for endpoints, because the synchronised response between firewall and endpoint automatically detects anomalous behaviour and isolates the affected device before the threat spreads.

Deployment includes internal segmentation with VLANs by function (servers, users, IoT, guests, cameras), application policies per Active Directory / Entra ID group, SSL inspection where legislation and productivity allow, and centralised monitoring with alerts that reach an Impulso technician, not just an unread inbox.

Endpoint protection, EDR/XDR and synchronised response

Traditional antivirus stopped being enough a decade ago. Today, workstation protection is called EDR (Endpoint Detection and Response) or XDR (Extended Detection and Response) depending on whether it includes identity, email and network telemetry. We mainly deploy:

  • Sophos Intercept X with XDR: for product maturity, firewall integration and the unified console in Sophos Central that lets us operate everything from a single pane.
  • Microsoft Defender for Endpoint (Plan 2): when the client already has Microsoft 365 E5 or compatible licensing, leveraging native integration with Entra ID, Defender for Office 365 and Defender for Cloud Apps.

The policy includes anti-ransomware protection with automatic rollback, application control, disk encryption (managed BitLocker), USB device control and automated response to indicators of compromise.

[Image: enterprise cloud backup server with immutable copy of critical data]
Enterprise backup with an immutable cloud copy. The 3-2-1-1-0 rule: three copies, two media types, one offsite, one immutable, zero errors on periodic verification.

Immutable backup and disaster-recovery plan

Backup is the last line of defence against ransomware — and paradoxically, it's where almost every SMB fails: copies accessible from the same network they're meant to protect, obsolete backup windows, short retention periods, restores that are never tested. Our minimum standard applies the 3-2-1-1-0 rule:

  • 3 copies of the data (the production one + 2 backups)
  • 2 different media (local disk + cloud or tape)
  • 1 offsite copy geographically separated
  • 1 immutable copy no operator can erase within the retention window
  • 0 errors in periodic restore verification

We work with Veeam Backup & Replication and Acronis Cyber Protect for mixed environments (VMware, Hyper-V, Microsoft 365), with replication to immutable Azure Blob or S3 Object Lock. The recovery plan includes documented RTOs and RPOs, quarterly restore tests and annual full-incident simulations.
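As an added illustration of this section's rule (it is not Impulso's, Veeam's or Acronis's code), a small Python checker that evaluates a constructed backup inventory against the five 3-2-1-1-0 criteria. The BackupCopy fields, the 90-day test interval (matching the quarterly restore tests above) and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed example, not Veeam or Acronis code: an inventory checker for the
# 3-2-1-1-0 rule. The BackupCopy fields are assumptions for this illustration.
TODAY = date(2024, 6, 1)

@dataclass
class BackupCopy:
    name: str
    media: str                      # "disk", "tape", "object-storage", ...
    site: str                       # where the copy physically lives
    created: date
    immutable_until: Optional[date]  # None: an operator can delete it at any time
    last_restore_test: Optional[date]
    restore_errors: int = 0
    is_production: bool = False

def check_3_2_1_1_0(copies, retention_days, today, test_interval_days=90):
    """Return {criterion: passed} for the five parts of the rule."""
    prod_sites = {c.site for c in copies if c.is_production}
    backups = [c for c in copies if not c.is_production]
    # An immutable copy only counts if the lock outlasts the retention window;
    # a lock that expires early leaves a gap that admin credentials can exploit.
    def locked_for_retention(c):
        return c.immutable_until is not None and \
            c.immutable_until >= c.created + timedelta(days=retention_days)
    # Zero errors means every backup copy was restore-tested recently and cleanly.
    def verified_clean(c):
        return c.last_restore_test is not None and c.restore_errors == 0 and \
            (today - c.last_restore_test).days <= test_interval_days
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.site not in prod_sites for c in backups),
        "1 immutable": any(locked_for_retention(c) for c in backups),
        "0 errors": bool(backups) and all(verified_clean(c) for c in backups),
    }

def sample_inventory():
    """Constructed inventory: a common SMB setup that fails two criteria."""
    return [
        BackupCopy("erp-db", "disk", "madrid-hq", TODAY, None, None, is_production=True),
        BackupCopy("nas-daily", "disk", "madrid-hq", TODAY, None, TODAY - timedelta(days=10)),
        # Object Lock set for 14 days against a 30-day retention: not good enough
        BackupCopy("s3-weekly", "object-storage", "eu-west-1", TODAY,
                   TODAY + timedelta(days=14), TODAY - timedelta(days=120)),
    ]
```

Running `check_3_2_1_1_0(sample_inventory(), 30, TODAY)` flags the NAS copy (deletable, never locked) and the object-storage copy (lock shorter than retention, last restore test older than a quarter), which is exactly the "copies accessible from the same network" and "restores that are never tested" pattern described above.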

Regulatory compliance: NIS2, ENS, ISO 27001, GDPR

The regulatory burden on enterprise cybersecurity has grown substantially in the last three years. NIS2 (EU Directive 2022/2555) covers a much broader perimeter of companies than its predecessor, including medium enterprises in essential and important sectors. The National Security Framework (ENS) is mandatory for Spanish public-sector suppliers. ISO 27001 remains the reference standard for corporate clients that require certification from their providers. GDPR has been the common floor since 2018.

We accompany the client across the full journey: applicability analysis, gap analysis against the relevant standard, adequacy plan, implementation of technical and organisational controls, policy documentation, team training and, where required, support during the external certification audit.

[Image: Impulso team reviewing a security plan with a corporate client]
Security plan review session with a corporate client. Adapting to NIS2 or ENS isn't a one-off project — it's a programme that lives with the company.

Training and awareness: the human link

Over 80% of real breaches start with a user clicking where they shouldn't. That's why any serious cybersecurity plan includes a continuous anti-phishing training and awareness programme:

  • Monthly simulated phishing campaigns with per-department reports.
  • 5-minute micro-trainings when a user fails — delivered in the moment.
  • Annual in-person workshops for high-risk profiles (executives, finance, HR).
  • Material tailored to the client: real sector examples, user's language (ES, EN, PT), tone that doesn't insult their intelligence.

How we work

Every client follows the same path:

  • Free security assessment (2 hours, on-site or remote).
  • Full technical audit with report (2-3 weeks).
  • Security plan with phases and closed budget.
  • Phased rollout without stopping the business.
  • Ongoing operation with 9×5 SLA and optional 24×7 on-call.
  • Quarterly review of security posture against real KPIs.

If your company is being breached right now, call +34 91 505 7575. We resolve the first step in hours, not weeks.

Frequently asked questions

  • What is NIS2 and which companies does it affect?
    NIS2 is the EU cybersecurity directive in force since 2024. It applies to mid-sized companies (50+ employees or €10M+ revenue) in essential or important sectors: energy, healthcare, transport, critical manufacturing, digital services, banking, water and administration. Fines up to 2% of revenue. Impulso prepares clients with scope diagnosis, compliance plan and audit support.
  • What is the Spanish National Security Scheme (ENS) and when is it mandatory?
    ENS is the Spanish information-systems security framework for entities handling public-administration data. Mandatory for any company contracting with public bodies (state, regional or municipal) or forming part of critical chains. Basic / Medium / High categories by sensitivity. Impulso has prepared ENS certifications since 2018 — diagnosis, treatment plan and audit support.
  • What should I do if my company is hit by ransomware?
    Do not pay the ransom. Disconnect affected machines from the network (do not power off), call your cybersecurity provider immediately, and notify the data-protection authority within 72 hours if personal data is involved. Impulso handles critical incidents with <4-hour response, containment, immutable-backup recovery and forensic reporting for your insurer. Three industrial clients recovered in 2024 without paying.
  • What is a virtual CISO and when do I need one?
    A virtual CISO (vCISO) is a senior cybersecurity leader hired part-time — designs the strategy, leads certifications (ISO 27001, ENS, NIS2), reports to the board and handles audits. You need one when corporate clients demand technical evidence but you can't justify a full-time in-house CISO. Impulso provides vCISO from 2 to 10 hours/month to professional firms, mid-sized industrials and multinational subsidiaries.
  • How many backups does my company need? (the 3-2-1 rule)
    The 3-2-1 rule: 3 copies of your data, on 2 different media, with 1 copy off-site. Modern guidance extends to 3-2-1-1-0: one copy must be immutable (ransomware-proof) and verified with zero errors in a semi-annual drill. Impulso deploys this with Veeam — immutable offsite repository, demonstrable critical-system restoration in under 2 hours.
  • What is the difference between IT and OT and why segment them?
    IT (Information Technology) is the corporate network: office, ERP, M365. OT (Operational Technology) is the industrial network: PLCs, SCADAs, robots, vision systems. If both share a network, office ransomware can jump to the plant and stop production. Segmentation with industrial FortiGate and Purdue zones prevents the jump. Impulso has implemented OT/IT segmentation in plants with Siemens S7-1500, Schneider Modicon and ABB robots.

Let's talk

Ready to upgrade your infrastructure?

30 minutes with a senior consultant. No commitment, no sales pitch. An honest conversation about what you need and what we can do together.