Cybercrime: Information security in Swiss SMEs with potential for improvement
Swiss SMEs are also affected by cybercrime. Despite this, the topic of information security is only slowly becoming the focus of attention among companies, as a study by the Lucerne University of Applied Sciences and Arts shows.
Not only large companies such as banks, insurance companies or the pharmaceutical industry are threatened by cybercrime. Swiss SMEs are also facing a growing number of attacks from the Internet. The Lucerne University of Applied Sciences and Arts took this as an opportunity to survey small and medium-sized enterprises on the topic of information security last year.
Lack of knowledge on cybercrime prevention
Now the two authors Oliver Hirschi and Armand Portmann from the Department of Information Technology have published the results of the study. Lead author Hirschi summarizes the results as follows: "In many SMEs, there is a lack of knowledge on how to deal with the topic of information security." This is despite the fact that around 40 percent of the companies surveyed said they had recently - i.e. in the 12 months prior to the survey - been affected by cyber attacks such as malware or phishing emails.
The study is based on an online survey that the researchers conducted among 230 SMEs. These included companies from a wide range of industries such as services, consulting, trade and healthcare. Almost two-thirds of the companies allow their employees to edit business emails on private devices. Just under a third allow access to all IT applications. "That naturally increases the attack surface," Hirschi said, "as does the use of cloud services," such as data storage that can be accessed from anywhere at any time. Almost 60 percent of companies use these in some form.
Great damage due to misuse feared
If a company is affected by cybercrime, this leads to it becoming more involved with the topic of information security. The focus of interest is on safeguarding business operations. This happens against the backdrop of a great need for confidentiality: over two-thirds of companies assess the damage that would result from the improper publication of their confidential data as great or very great.
Protective measures are therefore important. "Despite this, the vast majority of companies said they allocated no or only minimal resources to the topic of information security," says Armand Portmann, co-author of the study. Many companies also said they had not trained their staff in dealing with threats in the year prior to the survey. As a result, the management and control of information security is weak in many places: Not even half of the SMEs regularly check their security measures for effectiveness. This also explains why standards or guidelines for information security are rarely used. The situation is better when it comes to technical measures. These include backups, virus scanners and firewalls. According to the survey, almost all of the companies surveyed use these.
Wanted: more staff, more training
In view of these results, the two study authors see a need to catch up, especially in the organizational and personnel areas: To improve the situation in Swiss SMEs, the companies would have to provide more resources for information security and better prepare their employees for the dangers of cyber attacks in training courses.
Source: Lucerne University
Continuing education on information security: www.hslu.ch/information-security-privacy
Tips for more IT security include here
