CBS Cybersecuritymonitor 2019: Improvements made, yet a lot is to be done
Companies have made improvements regarding cyber security during 2018, according to the Central Agency for Statistics’ (CBS) Cybersecuritymonitor 2019. The report is the third edition, made at the request of the Ministry of Economic Affairs. 25% of the 12k Dutch companies that took part in the survey had more than six different measures in place in 2018, which is an increase of five percentage points compared to 2017. Although cyber resilience has risen, cyber security incidents still occur regularly.
Companies have expanded their cyber security resilience. Specific measures included in the survey are antivirus software, strong password policy, two-factor authentication, encryption for storing data as well as sending data, data storage on an external site, network access control, use of VPN when working off-site, maintaining logfiles, methods for assessing IT security, and risk analyses. Generally, the large companies take more of those cyber security measures than medium- and smaller sized companies. For example, whereas 81% of the large companies uses two-factor authentication, this is 43% for medium sized companies.
Nonetheless, cyber security incidents are inevitable. Approximately two-thirds of the large companies reported a cyber security incident, while this was 50% for medium sized companies, and less than 20% for smaller ones. Large companies have bigger, more complex ICT infrastructures, and tend to have more (financial) assets. Also, they are more prone to (publicity) damage, making them a more interesting target for cyber criminals.
Sector wise, the percentage of companies that endured a cyberattack is similar between different sectors. Yet, some sectors take more measures than others. ICT and healthcare score better than for example the catering industry, probably caused by the sensitivity of the data they process. One should note as well that the catering industry mainly consists of small companies; those take less measures in general, thereby by explaining the lower score.
Cyber security in individuals
Cyber security awareness among individuals grows. Still, 8.5% of Dutch internet users report to have been a victim of digital crime during the last 12 months; 1.8% has been hacked. In 45% of the cases the root of the hack was a stolen password. In more than half of the cases, attacks concern social media accounts.
Actions to be taken
There is still a lot to be done regarding cyber security. Cyber resilience with companies and individuals increases, but so do the risks and dependencies between actors. Especially for medium- and small-sized companies there’s work to be done. The situation asks for an integral approach and coordinated actions, like the Digital Trust Center initiative, Cybersecurity Health Check by accountants and Cyberwerf, that unite companies and professionals to work together on cyber security for SME’s.
For cybersecurity solution providers and integrators there lies a challenge to integrate the growing number of measures companies take for a cost effective integrated digital risk management.