Information security is a problem in SMEs
Swiss SMEs are also affected by cybercrime. Nevertheless, the topic is only slowly becoming the focus of attention among companies, as a study by the Lucerne University of Applied Sciences and Arts shows.
Cyber attacks are on the rise. For this reason, the Department of Computer Science at the Lucerne University of Applied Sciences and Arts (HSLU) has developed a Survey among SMEs on the subject of information security. Lead author Hirschi summarizes the results as follows: "In many SMEs, there is a lack of knowledge on how to deal with the topic of information security." This is despite the fact that around 40% of the companies surveyed had stated that they had been affected by cyber attacks (malware, phishing emails) in the twelve months prior to the survey (year 2016).
According to the survey, almost two-thirds of companies allow their employees to process business e-mails on private devices (cf. BYOD). Just under a third enable access to all IT applications. "That, of course, increases the attack surface," Hirschi said, "as does the use of cloud services, such as storing data that can be accessed from anywhere at any time." Nearly 60% of companies would use cloud services in some form.
Major damage feared
According to the institute, companies that are affected by cyber-attacks subsequently focus more on the issue of information security. The focus of interest is on safeguarding business operations. This is done against the backdrop of a great demand for confidentiality: more than two-thirds of the companies surveyed assess the damage that would result from the improper publication of their confidential data as great or very great.
Protective measures are therefore important. "Nevertheless, the vast majority of companies stated that they allocated no or only minimal resources to the topic of information security," says Armand Portmann, co-author of the study. Many companies also said they had not trained their staff in dealing with threats in the year before the survey. Accordingly, the management and control of information security is weak in many places: Not even half of the SMEs regularly check the effectiveness of their security measures. This also explains why standards or guidelines for information security are rarely used. Things look better when it comes to technical measures such as backups, virus scanners and firewalls. According to the survey, almost all the companies surveyed use these.
Wanted: more staff, more training
In view of these results, the two study authors see a need to catch up, especially in the organizational and personnel areas: To improve the situation in Swiss SMEs, the companies would have to provide more resources for information security and better prepare their employees for the dangers of cyber attacks in training courses. Source: HSLU
The study is based on an online survey conducted by the researchers among 230 SMEs from various industries.
- Security tips on the "eBanking - but secure" platform: www.ebas.ch
- Specialized course information and cyber security in small businesses and other Continuing education on information security: www.hslu.ch/information-security-privacy
