Cyberattacks: Swiss SMEs lull themselves into a false sense of security

More than a third of Swiss SMEs are affected by cyberattacks. Despite this, the majority still feel well to very well protected and only four percent of SME CEOs see it as a great or very great risk that their existence will be threatened by a cyber attack. These were the findings of the representative survey conducted by the market and social research institute gfs-zürich. Business associations and the state are called upon to counteract this lack of concern about cyberattacks.

Although every third Swiss SME has already been affected by cyberattacks, the majority of SMEs do not feel their security is threatened. (Image: itcraftsman - Fotolia.com)

We keep reading and hearing about cyberattacks of all kinds. It seems that their number is constantly increasing. But how well protected are SMEs from such attacks from cyberspace? This is what a representative survey of 300 managing directors of SMEs conducted in September 2017 by the market and social research institute gfs-zürich sought to find out. The study was commissioned by, among others, ICTswitzerland, the federal IT steering body ISB, the Information Security Society Switzerland ISSS, the Swiss Association for Quality and Management Systems SQS, and the Swiss Insurance Association SVV. The selection of SMEs according to scientific methods allows the results to be applied to the entirety of Swiss SMEs (2015: 580,000).

Apparently only a few SMEs affected by cyberattacks

SMEs were first asked about their own assessment of risk factors. Around two-thirds of respondents (62 percent) rate the continuous functioning of IT as very important for their business. This means that a successful cyberattack and an associated business interruption would already cause some damage. SMEs also describe the fact that sensitive data, such as business secrets or personal data, could be stolen as a risk factor. Around three quarters of respondents store such information internally. In more than half of the SMEs, the management itself is responsible for IT security. But only half of these, in turn, feel well to very well informed about cyber risks. According to the study authors, this is another risk factor.

The percentage figures are deceptive: Extrapolated to absolute numbers, for example, 23,000 SMEs have already been extorted. (Graphic: gfs-Zurich)

The risk of cyberattacks is greatly underestimated by SMEs, as the following results of the survey show: Only 10 % and 4 %, respectively, perceive being put out of action for a day or even having their existence threatened as a great or very great danger. More than half of the CEOs surveyed (56 %) feel well to very well protected against cyberattacks. However, 36 percent say they have been affected by malware (viruses, Trojans), 6 percent by data loss, 4 percent by blackmail, 3 percent by DDoS attacks and 2 percent by data theft. This all sounds like little, but extrapolated from the 301 SMEs surveyed, the number of companies affected by extortion, for example, can be estimated at 23,000 (4 percent), and the 36 percent affected by malware would correspond to 209,000 companies in absolute terms. Nevertheless, more than half of the CEOs surveyed (56 %) feel well to very well protected against cyberattacks.

Technical protection available, but the "employee" risk remains

However, according to the study authors, this protection against cyberattacks is by no means sufficient. Only 60 % of the respondents state that they have fully implemented basic protection measures such as malware protection, firewall, patch management and backup. Cyber incident detection systems have been fully implemented by only one in five companies. Processes for handling cyber incidents were only implemented by 18 % of the companies surveyed, and employee training on the secure use of IT by only 15 %. Simon Dejung of the Swiss Insurance Association is correspondingly concerned: "More than 98 % of Swiss companies are SMEs and form the backbone of the Swiss economy. It is therefore of strategic importance for Switzerland that these companies protect themselves better against cyber risks."

In the form of insurance, for example? 12 percent of the SMEs surveyed stated that they had cyber insurance. However, according to Simon Dejung, in most cases this is unlikely to be pure cyber insurance, but at best partial coverage within another insurance product. He warns: "In the event of a claim, it could turn out that the insurance company understands a loss to be something completely different than the policyholder." This makes it all the more important, he says, to closely examine coverage against new risk landscapes brought about by networking, digitization and automation. It is important to identify the corresponding threat scenarios and assess one's own risk landscape before selecting an insurance product.

Education and coordination in IT security is needed

However, many SMEs seem to fail at precisely this point. Recognized cyber security standards are mostly unknown to them. And getting certified to standards such as ISO 27001, for example, is beyond the resources of most SMEs. An expert commission made up of representatives from the federal government and industry is therefore working on standards pitched at the right level for SMEs. "We are taking a very pragmatic approach to this," assured Arié Malz, a leading member of this commission. In addition to the creation of such recognized security standards, however, there are other goals that must be pursued as a priority, as Andreas Kälin, CEO of ICTswitzerland, explains. For example, employees must be systematically sensitized to the secure use of IT. Furthermore, SMEs must be supported by suitable organizations in dealing with cyber risks, and an early warning system must be set up for the entire economy to provide information about new cyber dangers. It should also be examined whether and how an obligation to report cyberattacks can be implemented. Switzerland-wide awareness campaigns for the recognition of cyber risks have also been announced.

Source: ICTSwitzerland
