Password policies: Missing from many SMEs

Digitalization optimizes processes, makes them faster and cheaper - but also increases the risk of becoming a victim of cybercrime. According to police crime statistics, more than 30,000 digital crimes were reported in Switzerland in 2021 - 24 percent more than in 2020. However, as a representative study by AXA shows, Swiss SMEs still have very low risk awareness with regard to potential cyberattacks. This is demonstrated, for example, by a lack of password guidelines and a lack of employee awareness.

SMEs less affected by cybercrime? A fallacy!

Fifteen percent of the companies surveyed said they had been the victim of a cyberattack in recent years in which external persons attempted to access the company network to obtain company data (14 % of smaller SMEs, 29 % of large SMEs, one in ten even repeatedly). Despite this, Swiss firms hardly expect their company to be targeted by cybercriminals: A full 62 percent of the SMEs surveyed consider the risk of becoming the victim of an attack in the future to be low. Only 12 percent of the companies consider the risk to be high. A fallacy, as Andrea Rothenbühler, Head of AXA Cyber Insurance, explains: "Attacks on the IT systems of Swiss companies are increasing from year to year. SMEs in particular are increasingly targeted by cybercriminals, as they can invest fewer resources in their own IT security than large corporations."

As a result of unwanted access to the corporate network, companies may not only incur direct costs. Such attacks can also lead to a production stop or cause lasting damage to the company's reputation. However, the SMEs surveyed consider the probability that a cyber attack could cause significant material and immaterial damage to their company to be rather low. SMEs most frequently expect costs to be incurred to restore IT security, with as many as 36 percent of respondents expecting this. Twenty-nine percent expect their ability to operate to be severely impaired, and around one in five SMEs anticipate high financial losses because operations will be interrupted, or significant damage to their reputation.

With the exception of the high costs of restoring IT security, however, the predominant assessment is that these effects are rather to very unlikely. According to cyber expert Andrea Rothenbühler: "Just one week of business interruption can lead to a painful loss of sales for a medium-sized mechanical engineering company. In addition, high costs are incurred for data recovery, crisis management and support from IT service providers and cyber security specialists. In addition, data breaches can result in claims for damages from customers and fines for the SME."

Password policies only in about half of SMEs

As survey results show, 60 percent of SMEs feel adequately protected against access to their company data by firewalls and virus protection programs. As many as 17 percent of all respondents believe that their IT protection measures are not sufficient, and around a quarter of the SMEs surveyed were unable to assess whether they have taken sufficient protective measures. And there are also differences in the other technical protective measures: 73 percent of all SMEs surveyed make regular backups of their data, and just over two-thirds have installed virus software. 55 percent of the SMEs surveyed have installed a firewall to protect the corporate network, while only 46 percent have established password policies.

The focus on improving IT security is also less on the company's own employees; only two out of five SMEs sensitize their staff to existing cyber risks. There are clear differences in terms of company size: while 74 percent of large SMEs with 50 to 250 employees sensitize their workforce to potential IT risks, only 51 percent of medium-sized SMEs with 10 to 49 employees and only 38 percent of small SMEs with 2 to 9 employees do so. But this is precisely where SMEs should invest: "In around 70 percent of cyberattacks, employees open the gateway for malware. Accordingly, investments should be made above all in the training of the company's own staff. Not only must the software be regularly updated, but also the company's own people. This makes it more difficult for criminals to get in, and if an infection does occur, well-trained employees know how to react," explains Andrea Rothenbühler.

A good fifth of respondents do not feel affected by the new data protection law

The new data protection law is still barely on the radar of SMEs. The study results show that a good fifth of the SMEs surveyed do not feel affected at all by the total revision. And even among those companies that consider themselves to be within the scope of the DPA, only one in two has taken action to date. Just 16 percent have already obtained information on the subject, and concrete implementation measures have only been taken by around one in ten SMEs. Brigitte Imbach, lawyer and Data Privacy Officer at AXA-ARAG, warns against underestimating the impact of the new Data Protection Act: "With the total revision of the Swiss Data Protection Act, important provisions on the processing of personal data will change from September 2023, and small and medium-sized enterprises will also be affected."

Deliberate violations of the new data protection law, such as breaches of obligations to provide information, to provide information, to cooperate or to exercise due diligence, can be sanctioned with fines of up to CHF 250,000. In principle, the natural person responsible is fined. However, the company itself can now also be fined up to 50,000 Swiss francs if identifying the culprit within the company would involve disproportionate investigation costs. "SMEs would therefore do well to implement the new legal data protection requirements in their company in good time and to review their data protection declarations and guidelines and adapt them accordingly. Anyone who does not have the necessary expertise within the company should seek external support and advice," advises the expert.

Source: AXA