SIDN survey: SMEs over-reliant on IT service providers for cybersecurity

Few SMEs worry much about cybersecurity, although incidents are on the rise

Four out of five SMEs rely heavily on their IT service providers for cybersecurity, according to research by SIDN. Yet 58 per cent of IT service providers say that their SME customers don't have adequate protection. That's a stark mismatch of perceptions. And a worrying one, given that the proportion of SMEs falling victim to cybercrime has risen to 22 per cent over the last twelve months.

On SIDN's behalf, GfK surveyed nearly six hundred SMEs and found that most assume that their IT service providers have a duty of care and therefore provide protection against cyber-threats. That belief is in line with a recent ruling by the Amsterdam High Court that security forms an implicit part of a contracted IT service. In practice, however, things remain more complicated. Research by insurer Centraal Beheer revealed, for example, that only 22 per cent of SMEs had formal cybersecurity arrangements with their IT service providers. It therefore seems that SMEs may be expecting too much in terms of the protection against cybercrime provided by their IT service providers -- even though IT firms have a responsibility to ensure that their services are secure, with or without explicit contractual provisions.

Legal wrangles

"From our findings, it's clear that expectation and reality are out of step," says Alex van Wijhe, CyberSterk Business Developer at SIDN. "It's best to avoid legal wrangles by making clear arrangements about who is responsible for what where the cybersecurity of IT services is concerned. Prevention is always better than cure." SIDN's research paints a complicated picture, however. "At a worrying number of SMEs, cybersecurity isn't seen as a pressing issue," Van Wijhe adds. "Less than a third of the managers we surveyed were concerned about cybercrime. It was much less of an issue for them than staffing or regulatory compliance. Another striking finding is that 72 per cent of respondents didn't see cybercrime as a serious threat to their businesses."

Basic measures

Against that backdrop, the number of SMEs falling victim to cybercrime has risen to 22 per cent over the last twelve months. A year ago, the figure was only 19 per cent. What's more, most SMEs have only basic security measures in place. Sixty-two per cent have good anti-virus software, for example, while 52 per cent have strong spam filters and 47 per cent do regular updates. "Unfortunately, a virus scanner and a firewall are no longer enough to keep out the crooks," explains Van Wijhe. "It's much more important that you're immediately aware of any abnormal traffic in your network environment. Yet only 29 per cent of the SMEs in our survey were using a solution with that kind of functionality. Part of the explanation is that, until recently, there was no security solution on the market that was really designed for SMEs. That's why we decided to develop CyberSterk."

CyberSterk

With CyberSterk, SMEs have an all-in-one solution that flags up potential vulnerabilities in their networks and on their websites. The service includes the installation of a device called the CyberSterk Box, which checks all the user's network equipment for vulnerabilities. There's also a dashboard that clearly highlights any detected issues using straightforward language. Another feature of CyberSterk is support with problem resolution, based on collaboration with a network of IT partners. SIDN is founding partner of CyberSterk. Read the report describing the survey's main findings.
