Small companies less affected by cyber attacks

Small businesses are less often the victim of cyber attacks than larger ones. In 2016, 9 percent of businesses with between 2 and 10 persons employed were faced with an ICT security incident with an external cause. This was the case for 39 percent of the businesses employing 250 or more persons. In both groups, cyber crime resulted in extra expenses for half of all affected businesses. This is reported by Statistics Netherlands (CBS) on the basis of the Cyber Security Monitor 2018.

Companies with ICT incidents, by company size, 2016
Incidents250 or more employees (%)10 to 50 employees (%)2 to 10 employees (%)
Total of ICT incidents704726
ICT incidents due to attack39189
Failure due to attack23126
Data destruction/mutilation due to attack24114
Disclosure of data due to attack621
Failure due to malfunction554121
Data destruction/mutilation due to malfunction1475
Disclosure of data by personnel1732

In 2016, a higher share (23 percent) of companies with 250 or more employees encountered system failure caused by external cyber attacks compared to small companies with between 2 and 10 employees (6 percent). In all size classes, system failure was the most common ICT security incident. Larger companies were relatively more prone (55 percent) than small businesses (21 percent).
The fact that larger companies are more commonly a victim of cyber crime could be related to the higher number of staff working with computers, raising the likelihood of ICT security incidents. Furthermore, larger companies often have a more complex ICT infrastructure, which is therefore more prone to failure.

Small companies with ICT incidents, by sector, 2016
IncidentsHealth and care (%)ICT (%)Manufacturing (%)Accommodation and food services (%)
Total of ICT incidents 31302614
ICT incidents due to attack512106
Failure due to attack31182
Data destruction/mutilation due to attack3363
Disclosure of data due to attack0121
Failure due to malfunction29242110
Data destruction/mutilation due to malfunction2545
Disclosure of data by personnel1311

Small manufacturers and ICT companies most often the victim

The number of ICT incidents varies per sector. Small companies in the ICT sector (12 percent) and small manufacturers (10 percent) are most likely to report external ICT incidents. Less likely to encounter cyber attacks were small companies in the sectors accommodation and food services (6 percent) and health and welfare (5 percent).

Security issues more likely internal at smaller companies

ICT security incidents may arise from either external sources (attack) or internal causes such as incorrectly installed software or hardware, or unintentional disclosure of data by an employee. ICT incidents at smaller companies are relatively more likely due to internal causes. At small companies with between 2 and 10 employees, 2 in 3 ICT incidents resulted from causes inside the company. This was the case for over 2 in 5 companies with 250 or more employees.
ICT incidents at small companies in the health and welfare sector were most likely caused internally (84 percent). In the ICT sector, this share was 60 percent.

Under 10% of businesses report ICT incident

Of all companies faced with ICT incidents, 7 percent report this to one or more authorities, such as the police, the Data Protection Authority, a security team or their bank. The largest companies report ICT incidents far more frequently (41 percent) than the smallest companies (6 percent). Large companies most often report these incidents to the Data Protection Authority; the police come in second as most frequently approached authority for filing a report. The smallest businesses mostly report incidents to their bank.

Companies with ICT security measures, 2017
Measures250 or more employees (%)10 to 50 employees (%)2 to 10 employees (%)
Antivirus software989386
Data storage at another physical location948068
Policy on strong passwords936455
Log files for analysis of incidents884925
VPN in internet use outside the company854823
Risk analyses753417
ICT security assessment methods723517
Authenticaton via software/hardware token712923
Network access control674328
Encryption (for data transmission)612419
Encryption (for data storage)572519
Other measures561811

Small companies take fewer safety measures

Compared to large businesses, small companies record fewer ICT incidents and also take fewer safety measures. Such measures include the installation of anti-virus software, a policy for strong passwords and authentication via a software or hardware token. Of the small companies, 60 percent take three or more of the requested measures, against 98 percent of the companies with 250 or more employees.