Cyber attacks: Information security in SMEs has potential for improvement
Swiss SMEs are also affected by cyber attacks. Nevertheless, the topic is only slowly becoming the focus of attention for companies, as a study by the Lucerne University of Applied Sciences and Arts shows. The authors recommend that companies allocate more resources to information security and train employees better.
Not only large companies such as banks, insurance companies or the pharmaceutical industry are threatened by cyber attacks from the Internet. Swiss SMEs are also exposed to a growing number of cyber attacks. The Lucerne University of Applied Sciences and Arts took this as an opportunity to survey small and medium-sized enterprises on the topic of information security last year.
Now the two authors Oliver Hirschi and Armand Portmann from the Department of Information Technology have published the results of the study. Lead author Hirschi summarizes the results as follows: "In many SMEs, there is a lack of knowledge on how to deal with the topic of information security." This is despite the fact that around 40 percent of the companies surveyed had recently - i.e. in the 12 months prior to the survey - been affected by cyber attacks such as malware or phishing emails.
The study is based on an online survey that the researchers conducted among 230 SMEs. These included companies from a wide range of sectors such as services, consulting, trade and healthcare. Almost two-thirds of the companies allow their employees to edit business emails on private devices. Just under a third allow access to all IT applications. "That, of course, increases the attack surface," Hirschi said, "as does the use of cloud services," such as data storage that can be accessed from anywhere at any time. Almost 60 percent of companies use these in some form.
Great damage due to misuse feared
Companies that have been affected by cyber attacks engage more closely with the topic of information security. Their main interest is in safeguarding business operations. This happens against the backdrop of a great demand for confidentiality: over two-thirds of companies assess the damage that would result from the improper publication of their confidential data as great or very great.
Protective measures are therefore important. "Nevertheless, the vast majority of companies stated that they allocate no or only minimal resources to the topic of information security," says Armand Portmann, co-author of the study. Many companies also reported that they had not trained their staff in dealing with threats in the year prior to the survey.
Accordingly, the management and control of information security is weak in many places: not even half of the SMEs regularly check their security measures for effectiveness. This also explains why standards or guidelines for information security are rarely used. The situation is better when it comes to technical measures. These include backups, virus scanners and firewalls. According to the survey, almost all of the companies surveyed use these.
Wanted: more staff, more training
In view of these results, the two study authors see a need to catch up, especially in the organizational and personnel areas: In order to improve the situation in Swiss SMEs, the companies would have to provide more resources for information security and better prepare their employees for the dangers of cyber attacks in training courses.
For the full survey analysis on cyber security and training among SMEs, go here.