Two thirds of Swiss small businesses are not concerned that their business will be interrupted by a security incident. However, the situation changes once they have already been attacked. Companies are also cautious about standards and other certifications.
Easygoing companies
According to a study conducted by the GFS Institute for ICTswitzerland and other organizations, Swiss small businesses are relatively comfortable with IT security risks. The survey of 300 small and medium-sized enterprises shows that functional IT plays a major role for a majority of small businesses, including the smallest ones. In half of the companies, it is the company manager who is responsible for IT security. Small businesses, most of which hold personal data from their customers, mostly consider themselves well protected and well-informed about IT security. While a third of them have already been victims of viruses and other malicious software, only 4% have been victims of extortion (ransom), 3% of DoS and 2% of data theft - by extrapolation, this still represents several thousand Swiss small businesses affected by major incidents.
Scalded cat....
Despite their dependence on IT, two thirds of small businesses surveyed believe that the risk of having their business interrupted for a day due to an IT attack is low. Only 14% of them believe that an attack would go so far as to endanger their lives. However, the situation is significantly different if we look at small businesses that have already been victims of serious incidents. They consider the risks to be higher and 20% of them feel very poorly protected. More of them are also considering improvements in their IT security in the coming years.
Minimum protection
Of all small businesses surveyed, half do not plan to improve their protection against cyber attacks. Only 60% of organizations have complete basic protection (malware protection, firewall, patch management, and backup). In other words, 40% of small businesses have not adopted these minimum measures. More advanced protections (incident identification, incident procedure, employee training, especially to recognize spam) have only been implemented in 15 to 20% of companies.
Source: ICT Journal / December 2017 / © Darest Informatic SA 2017
Comments are closed.