Fewer cyber incidents among businesses, large enterprises more resilient
- In 2024, 4 percent of businesses faced at least one cyber incident, compared with 11 percent in 2016.
- Businesses in the information and communication sector were the most likely to be affected, while those in the health care and accommodation and food services sectors were the least likely to be affected.
- Large enterprises were more likely to take precautions and to be more resilient to cyberattacks.
In 2024, 4 percent of businesses dealt with at least one cyber incident resulting from an external attack. In 2016, the share was 11 percent. A cyber incident is defined as a situation in which a firm is faced with the consequences of a cyberattack, such as the failure of their IT systems due to a ransomware attack. Statistics Netherlands (CBS) reports this on the basis of its 2025 Cybersecurity Monitor, which is published at the request of the Ministry of Economic Affairs and Climate Policy. This edition focuses on the cyber resilience of enterprises.
Compared to 2016, both larger and smaller enterprises suffered fewer cyber incidents due to attacks from outside. Incidents were also down compared to 2023, except for businesses with 250 employees or more: for these large enterprises, the incidence of cyber incidents remained the same (16 percent).
| Werkzame personen | Jaar | Costs due to a cyber incident (% of businesses) | No costs due to a cyber incident (% of businesses) |
|---|---|---|---|
| Total of businesses | 2024 | 1 | 3 |
| Total of businesses | 2023 | 1 | 4 |
| Total of businesses | 2016 | 6 | 5 |
| 2-9 employees | 2024 | 1 | 2 |
| 2-9 employees | 2023 | 1 | 3 |
| 2-9 employees | 2016 | 4 | 5 |
| 10-49 employees | 2024 | 1 | 5 |
| 10-49 employees | 2023 | 2 | 5 |
| 10-49 employees | 2016 | 10 | 8 |
| 50-249 employees | 2024 | 2 | 6 |
| 50-249 employees | 2023 | 2 | 8 |
| 50-249 employees | 2016 | 15 | 14 |
| 250 or more employees | 2024 | 3 | 13 |
| 250 or more employees | 2023 | 4 | 12 |
| 250 or more employees | 2016 | 19 | 20 |
Fewer businesses incur costs as a result of cyber incidents
It is important to note that not all cyber incidents result in financial loss, and the share of businesses incurring costs has been declining in recent years. In 2016, for instance, 6 percent of businesses reported costs arising from an incident caused by an external attack, compared with 1 percent in 2024.Cyber incidents most frequent in information and communication sector
Cyber incidents caused by an external attack occurred the most among businesses in the information and communication sector (7 percent). Businesses in the accommodation and food services sector and in health and social care are least likely to be affected by this (2 percent). For the accommodation and food services sector, this is unsurprising, as businesses in this sector are less likely to rely on IT systems than those in other sectors. This also reduces the chance of downtime due to hardware or software failures. Businesses in the health and social care sector have strict information security policies and are therefore generally better protected against external attacks.
| Bedrijfstak | Jaar | Cyber incidents (% of businesses) |
|---|---|---|
| Manufacturing | 2024 | 4 |
| Manufacturing | 2023 | 5 |
| Manufacturing | 2016 | 14 |
| Accommodation and food services | 2024 | 2 |
| Accommodation and food services | 2023 | 3 |
| Accommodation and food services | 2016 | 6 |
| Financial services | 2024 | 6 |
| Financial services | 2023 | 3 |
| Financial services | 2016 | 15 |
| Health and social care | 2024 | 2 |
| Health and social care | 2023 | 4 |
| Health and social care | 2016 | 8 |
| Information and communication | 2024 | 7 |
| Information and communication | 2023 | 6 |
| Information and communication | 2016 | 14 |
Larger enterprises are more likely to take steps to protect themselves
A firm's resilience to cyberattacks increases when multiple precautions are put in place simultaneously. Larger enterprises are more likely to do this than smaller ones, on average. For instance, 86 percent of large enterprises with 250 or more employees had put in place ten or more of the twelve precautions surveyed, compared with 13 percent of firms with between 2 and 10 employees.
| Bedrijfsgrootte | Three or fewer (% of businesses) | Four to six (% of businesses) | Seven to nine (% of businesses) | Ten or more precautions (% of businesses) |
|---|---|---|---|---|
| Total of businesses | 34 | 25 | 21 | 19 |
| 2-9 employees | 40 | 29 | 20 | 13 |
| 10-49 employees | 14 | 20 | 27 | 38 |
| 50-249 employees | 3 | 7 | 23 | 68 |
| 250 or more employees | 1 | 1 | 11 | 86 |
For simpler precautions, such as the use of antivirus software, the differences between larger and smaller enterprises are not significant. However, larger differences can be seen when it comes to precautions that are more difficult to implement, such as data encryption. 33 percent of firms with between 2 and 10 employees use data encryption, compared with 91 percent of large enterprises (250 or more employees).
Sectors that make greater use of ICT or handle sensitive (personal) data, such as information and communication, health and social care, and financial services, are more likely to take cybersecurity precautions than other sectors. Businesses in the accommodation and food services sector take fewer precautions than average.