Home office in SMEs: cyber risks are underestimated

From August to October 2020, the market and social research institute gfs-zürich conducted a representative survey of 503 CEOs of small companies (4 to 49 employees) in German-, French- and Italian-speaking Switzerland on the impact of the Corona pandemic on digitalization. The survey was conducted on behalf of digitalswitzerland, Mobiliar, the National Cyber Security Center (NCSC), the School of Business at the University of Applied Sciences Northwestern Switzerland (FHNW) and the Swiss Academy of Engineering Sciences (SATW).

Opportunities seized - cyber risks underestimated

After an average of 10% of employees worked primarily from home at the beginning of 2020, almost four times as many did so during the lockdown (38 percent). After the lockdown, the figures fell again, but with 16% of employees working from home, the proportion has risen by 60% compared with the start of the year. While Swiss SMEs demonstrate flexibility, the risks of home office and digitalization are underestimated by many. Some results of the study in detail:

• Online conferencing tools on the rise: After e-mail and telephone, communication in SMEs most frequently takes place via private communication channels such as WhatsApp or other messenger services. With the lockdown, online conferencing tools in particular have become more important: The share of virtual meetings has increased from 9% to 20%, more than doubling.
• A quarter of Swiss SMEs have already been the victim of a serious cyber attack: of the approximately 38,250 SMEs attacked throughout Switzerland, around one third (12,930 SMEs) suffered financial damage and one in ten attacks resulted in reputational damage and/or the loss of customer data.
• Preventive measures are taken too rarely: Despite frequent cyberattacks, only one in two SMEs has an emergency plan to ensure business continuity, and around two-thirds neither conduct regular employee training nor have they implemented a security concept in the company.
• People as a risk factor - cyber risks are often underestimated: Only just under half (47%) of CEOs said they were well informed about security-related issues. Even more drastic is the lack of awareness of becoming a victim of a cyber attack themselves: Only just 11% rate the risk of being put out of action for a day by a cyber attack as high.

Federal government to further improve framework conditions for cyber security

Florian Schütz, the federal government's delegate for cybersecurity, praises the adaptability of Swiss SMEs: "It is gratifying to see how progressive even Switzerland's smaller SMEs are in terms of their IT infrastructure and that cybersecurity is attracting more and more attention. The lockdown has shown how important digital transformation is in order to remain adaptable. Many SMEs have recognized this and accelerated their digitization efforts. However, the current situation also makes it clear how important it is that we create framework conditions to shape cybersecurity in Switzerland in such a way that the opportunities of digitization can be exploited as well as possible. To this end, the Confederation intends to further expand its efforts and actively support the population and the economy in protecting themselves against cyber risks." Specifically, the Confederation has developed a quick test for SMEs in collaboration with digitalswitzerland. This allows small businesses to quickly and easily check how well they are protected against cyber risks. More efficiency is also required in the prosecution of cyber crimes. In this regard, cooperation among the cantonal police corps is being strengthened.

Around 13000 SMEs have already been victims of a cyber attack

As mentioned above, almost 13,000 SMEs have already been victims of a cyber attack. Most of these were cases of ransomware: via phishing or open ports, criminals installed malware that encrypts data and decrypts it again for a ransom. Andreas Hölzli, Head of Mobiliar's Cyber Risk Competence Center, regrets that too many SMEs still think that nothing can be taken from them. Accordingly, risk management is poorly developed: "The problem is that organizational measures in particular are often not given as much weight. Companies need measures that go beyond the technical aspects, including, for example, raising the awareness of their employees." In addition to technical protection measures such as antivirus programs or firewalls, functioning backups are also important. "Unfortunately, we often experience that backups cannot be restored properly. Either the data is also encrypted or not all the data has been backed up at all," says Hölzli. He therefore emphasizes that backups must always be kept separate from the system. He also finds that many SMEs lack contingency planning in the event of a business interruption due to a cyber incident.

Home office will become more established - cyber risk awareness must keep pace

Prof. Dr. Marc K. Peter from the FHNW is convinced that the home office will establish itself in the long term as a component of the new working world strategy of "blended working": "In many jobs, a mix between working in the home office and in the office will be part of everyday life. However, it must be urgently taken into account that this will increase the demands on important technology and IT security investments in Swiss SMEs."

The large number of SMEs affected by a cyber attack is an additional motivation for Nicole Wettstein, Program Manager Cybersecurity at SATW, to push forward with the ongoing awareness activities: "It is central to further increase the proportion of SMEs that implement minimum measures for basic cybersecurity protection." Andreas W. Kaelin, deputy managing director and head of the cybersecurity dossier at digitalswitzerland, adds: "The cyber resilience of SMEs must increase." In this context, he speaks of "unconscious incompetence" that is still too widespread in many places. Delegating the issue of IT security to external service providers falls short of the mark. Kaelin points out: "According to the survey, around two-thirds of small companies are supported by external IT service providers. This shows that we urgently need to take measures that make it easier for companies to identify trustworthy IT service providers. After all, a company's security stands or falls with its service providers." A label is therefore also in the works that certifies IT service providers for their competence in cyber risks.

Source and further information: ictswitzerland.ch and digitalswitzerland.com