|Incidents||250 or more employees (%)||10 to 50 employees (%)||2 to 10 employees (%)|
|Total of ICT incidents||70||47||26|
|ICT incidents due to attack||39||18||9|
|Failure due to attack||23||12||6|
|Data destruction/mutilation due to attack||24||11||4|
|Disclosure of data due to attack||6||2||1|
|Failure due to malfunction||55||41||21|
|Data destruction/mutilation due to malfunction||14||7||5|
|Disclosure of data by personnel||17||3||2|
In 2016, a higher share (23 percent) of companies with 250 or more employees encountered system failure caused by external cyber attacks compared to small companies with between 2 and 10 employees (6 percent). In all size classes, system failure was the most common ICT security incident. Larger companies were relatively more prone (55 percent) than small businesses (21 percent).
The fact that larger companies are more commonly a victim of cyber crime could be related to the higher number of staff working with computers, raising the likelihood of ICT security incidents. Furthermore, larger companies often have a more complex ICT infrastructure, which is therefore more prone to failure.
|Incidents||Health and care (%)||ICT (%)||Manufacturing (%)||Accommodation and food services (%)|
|Total of ICT incidents||31||30||26||14|
|ICT incidents due to attack||5||12||10||6|
|Failure due to attack||3||11||8||2|
|Data destruction/mutilation due to attack||3||3||6||3|
|Disclosure of data due to attack||0||1||2||1|
|Failure due to malfunction||29||24||21||10|
|Data destruction/mutilation due to malfunction||2||5||4||5|
|Disclosure of data by personnel||1||3||1||1|
Small manufacturers and ICT companies most often the victim
The number of ICT incidents varies per sector. Small companies in the ICT sector (12 percent) and small manufacturers (10 percent) are most likely to report external ICT incidents. Less likely to encounter cyber attacks were small companies in the sectors accommodation and food services (6 percent) and health and welfare (5 percent).
Security issues more likely internal at smaller companies
ICT security incidents may arise from either external sources (attack) or internal causes such as incorrectly installed software or hardware, or unintentional disclosure of data by an employee. ICT incidents at smaller companies are relatively more likely due to internal causes. At small companies with between 2 and 10 employees, 2 in 3 ICT incidents resulted from causes inside the company. This was the case for over 2 in 5 companies with 250 or more employees.
ICT incidents at small companies in the health and welfare sector were most likely caused internally (84 percent). In the ICT sector, this share was 60 percent.
Under 10% of businesses report ICT incident
Of all companies faced with ICT incidents, 7 percent report this to one or more authorities, such as the police, the Data Protection Authority, a security team or their bank. The largest companies report ICT incidents far more frequently (41 percent) than the smallest companies (6 percent). Large companies most often report these incidents to the Data Protection Authority; the police come in second as most frequently approached authority for filing a report. The smallest businesses mostly report incidents to their bank.
|Measures||250 or more employees (%)||10 to 50 employees (%)||2 to 10 employees (%)|
|Data storage at another physical location||94||80||68|
|Policy on strong passwords||93||64||55|
|Log files for analysis of incidents||88||49||25|
|VPN in internet use outside the company||85||48||23|
|ICT security assessment methods||72||35||17|
|Authenticaton via software/hardware token||71||29||23|
|Network access control||67||43||28|
|Encryption (for data transmission)||61||24||19|
|Encryption (for data storage)||57||25||19|
Small companies take fewer safety measures
Compared to large businesses, small companies record fewer ICT incidents and also take fewer safety measures. Such measures include the installation of anti-virus software, a policy for strong passwords and authentication via a software or hardware token. Of the small companies, 60 percent take three or more of the requested measures, against 98 percent of the companies with 250 or more employees.