Cybersecurity in SMEs: Employees are the decisive key to success
Employees in Swiss SMEs underestimate the danger of cyberattacks for their own company. To reduce risks, awareness-raising measures and the preparation of emergency scenarios are needed. This is the result of a recent study by ZHAW and Allianz Suisse.
The attitude of their employees toward cyberattacks makes small and medium-sized enterprises in Switzerland vulnerable. Although employees are aware of the general risks of cybercrime and the great damage potential of an attack, they do not consider their own company and themselves important enough to be a worthwhile target. This attitude can lead employees to be insufficiently vigilant. These are the findings of a study conducted by the ZHAW School of Management and Law in collaboration with Allianz Suisse. The researchers conducted in-depth interviews with employees from selected SMEs to understand their attitudes and the drivers of decisions made regarding cyber risks.
Widespread working from home currently increases risks
"Cyber criminals usually target people and try to use them to inject malware into the corporate system or obtain passwords. The attitude and behavior of employees are therefore crucial in defending against attacks," explains Carlos Casián, co-author of the study and underwriter Property / Cyber Risk at Allianz Suisse. "Especially in today's world, where many employees work from home, the risks are increasing: on the one hand, technical aspects such as external access to the corporate network play a role. On the other hand, ad hoc exchanges with colleagues about suspicious e-mails are more difficult, which makes employees more vulnerable to manipulation attempts." According to the study, SME employees primarily associate cyberattacks with geopolitical confrontations, terrorism or organized crime. They see Switzerland, on the other hand, as a sphere that is significantly safer by comparison. "However, this is a fallacy. In this country, too, around a third of SMEs have already been exposed to attacks," says study leader Carlo Pugnetti, a lecturer at the ZHAW School of Management and Law.
Cyberattacks only perceived as a problem for specialists
The SME employees surveyed feel relatively helpless when it comes to recognizing a specific attack on their own company and reacting to it. In such a case, however, they assume that specialists would help. This assumption can encourage a certain passivity and lead employees to underestimate their own role in minimizing cyber risks. At the same time, the study results show that SMEs have a corporate culture with a strong solution orientation. Accordingly, employees usually act proactively and would want to help deal with a specific case of damage.
Strategies for more cybersecurity in SMEs
To reduce the risks and impact of a cyberattack, the authors of the study make a number of recommendations for greater cybersecurity in SMEs. These include information measures within SMEs that make employees aware of the objective threat and show them how they can contribute to defending against it. Furthermore, companies should develop strategies to cope with possible attacks and the associated IT system failures, and train for these scenarios. In developing appropriate solution strategies, companies should actively involve their employees and draw on their committed attitude to work.
Special methodology
The study "Cyber Risks and Swiss SMEs - An Investigation of Employee Attitudes and Behavioral Vulnerabilities" was conducted by the Institute of Risk & Insurance at the ZHAW School of Management and Law in collaboration with Allianz Suisse and with the support of various partners. The researchers conducted in-depth interviews with 17 employees from various functions in three selected SMEs from the heating and manufacturing sector. To do so, they used the so-called "deep metaphor interview technique," in which interviewees selected images that expressed their perceptions and attitudes toward various aspects of cybercrime. "Thanks to this methodology, we were also able to identify personal patterns of attitudes that the interviewees themselves were not immediately aware of," explains Carlo Pugnetti. "The focus was accordingly on bringing hidden insights to the surface and thereby developing more effective measures." The interviews took place in September 2020.
Sources: ZHAW and Allianz Suisse