Detect cyber-vulnerabilities: Europe's largest study on weak spots of information security in SMEs
Data from 3,000 international companies participating in the VdS Quick-Check proves that SMEs are still inadequately protected against the increasing number of cyber-attacks. The vulnerability analysis reveals the most serious need for improvement in the area of IT security management. The advantage for medium-sized companies: especially in the worst-rated security fields, even simple measures achieve a high level of protection.
Media reports about IT attacks, and not only on companies, have become an almost daily occurrence. Experts agree that both the number and the destructiveness of those attacks will continue to increase: cyber-crime is extremely lucrative, which puts companies under strong pressure to act. Nevertheless, the conclusion of Europe's most comprehensive study on safeguarding SMEs is: insufficient protection. The VdS analysis of the IT security activities of 3,000 international companies was evaluated using a traffic light system – and for all core topics, these traffic lights are red.
Background of the study
VdS supports the particularly threatened medium-sized companies with comprehensive protection services around the award-winning Cyber-Security guidelines VdS 10000, which are already among the top 3 standards implemented throughout Germany (BSI study). One of the services offered by Europe's largest institute for corporate security is the free Web-Quick-Check to quickly determine the individual degree of digital protection, including suggestions for optimisation. The anonymous data of 3,000 participating companies forms the basis of the VdS study on information security in SMEs. This figure makes it the most comprehensive analysis of this important topic in Europe.
The highest protection values achieved by SMEs are in the fields of technology and prevention (both with 57% positive coverage), followed directly by the organisation of IT security with 56%. However, as in previous years, even these three figures are in the “red” range: highly vulnerable. Ranking far behind are the activities of the companies subsumed under IT management, e.g. measures such as outsourcing. Only 32% are well positioned here. Moreover, even topics that are no longer really new (such as cloud computing and the use of mobile devices) are not yet being dealt with systematically. A positive result of the VdS study is that all core areas improved compared with the previous year – but only by a maximum of 3%.
Among the individual measures most successfully implemented are regulations on decisive data protection (96% positive) and on the structured allocation of administrative access (88% positive). The problem is that only 49% of the companies regularly check whether this access is still necessary, which seriously threatens the last comparatively good value. Structured access allocation is a small step with a big impact on corporate security, blocking numerous opportunities for cyber criminals to harm a company and its employees from the outset.
Recommendations to ensure protection: simple measures, great effect
“The conclusion is unfortunately quite clear: the valuable patents and processes of innovative SMEs are still far too easily open to cyber criminals,” says Markus Edel, Head of the VdS Cyber-Security Department, summarising the findings of the study. “Of the 52 protective measures evaluated by the 3,000 companies, only one, data protection, is in the green. Annual losses running into billions – and with a strong upward trend – illustrate the enormous pressure to act.”
Edel's recommendations based on the current results are as follows: “A major advantage for our threatened medium-sized businesses is that a great deal can be achieved with little money, especially in the poorest rated field, the management of IT security. Among other things, the contract with each IT outsourcing and cloud computing service provider should contain precise legal and security-related requirements and, of course, oblige them to fulfil those. In general, regular backups, as required by VdS 10000, are the most important protective measure. So WannaCry, Rapid and their even stronger relatives, who are sure to come, can let off steam as they please – their destruction is kept within very narrow limits. Even the simple structuring of access rights minimises the effect of each of the millions of malware programs wafting through the Internet. The training and sensitisation of employees is also crucial. Criminals will always come up with something new, which is why the holistic orientation of information security is so important. It is by no means just a matter for the IT departments, but a management task to be implemented holistically. Because like so many other studies on the subject, the largest one also confirms: We have to protect ourselves better, systematically, and quickly!”
The free Quick-Checks for fast status determination of information security (also especially for process automation technology) as well as for the General Data Protection Regulation (GDPR), including direct optimisation aids, are available at:
Caption Study: 3,000 participants make the VdS study on vulnerabilities of corporate information security the most comprehensive analysis of this important topic. Conclusion: despite a slightly positive trend compared to the previous year, the majority of the protective measures are still inadequate. The pressure to act is strong – and the study highlights the key areas in which to act first to achieve the greatest impact.
More information at www.vds-global.com