In 2019, 93% of EU enterprises with 10 or more persons employed used at least one ICT security measure, control or procedure in order to ensure integrity, authenticity, availability and confidentiality of data and ICT systems. One in three enterprises (34%) reported having documents on measures, practices or procedures on ICT security. 62% of enterprises made staff aware of their obligations in ICT security related issues. One in four enterprises (24%) was insured against ICT security incidents.
One in eight enterprises (12%) experienced problems due to ICT related security incidents at least once in 2018.
Almost all large enterprises used at least one ICT measure (99% of enterprises employing 250 persons or more), whilst this share was slightly smaller for medium (97% of enterprises employing 50 to 249 persons) and small enterprises (92% of enterprises employing 10 to 49 persons).
A wider spread is observed among enterprises for having documents on measures, practices or procedures on ICT security, from 76% for large, through 54% for medium to 30% for small enterprises.
The vast majority (91%) of large enterprises made their employees aware of their obligations in ICT security related issues, while 78% of medium and 58% of small enterprises did so in 2019.
Overall, large enterprises were more likely to experience problems due to ICT related security incidents: almost a quarter (23%) experienced problems due to such incidents at least once in 2018, compared with one in six medium enterprises (17%) and one in ten small enterprises (11%). In 2019, 40% of large, 33% of medium and 22% of small enterprises reported being insured against ICT security incidents.
This information, issued by Eurostat, the statistical office of the European Union, is part of the results of a survey conducted in 2019 on ICT (Information and Communication Technologies) usage and e-commerce in enterprises.
1 in 10 enterprises used biometric methods for user identification and authentication
In 2019, the most common ICT security measure used by EU enterprises was keeping their software or operating systems up-to-date (87% of enterprises), followed by strong password authentication (77%), data backup to a separate location or cloud (76%) and network access control (64%). Less than half of enterprises reported maintaining log files for analysis after security incidents (45%) and use of Virtual Private Network (VPN, 42%).
Enterprises less frequently used encryption techniques for data, documents or e-mails (38%), ICT security tests (36%), ICT risk assessment (34%) and user identification and authentication via biometric methods (10%).
2 in 3 enterprises made their staff aware of their obligations in ICT security related issues
In 2019, almost two thirds of enterprises (62%) made their employees aware of their obligations in ICT security related issues. Voluntary training or internally available information, for instance on the intranet, was the most common form used (44% of enterprises), followed by contracts such as employment contracts (37%) and by compulsory training courses or viewing compulsory material (24%).
1 in 8 enterprises affected by ICT related security incidents
In 2018, one in eight enterprises (12%) experienced problems due to ICT related security incidents at least once. The most commonly reported problem caused by ICT security incidents was unavailability of ICT services, such as hardware or software failures (excl. mechanical failure and theft), denial of service attacks or ransomware attacks, affecting 9% of enterprises. It was followed by destruction or corruption of data due to infection with malicious software, hardware or software failures or unauthorised intrusion (5% of enterprises). Less frequently, enterprises (1%) reported disclosure of confidential data, for instance due to intrusion, pharming or phishing attack.
The European Union (EU) includes Belgium, Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Croatia, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, the Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, Sweden and the United Kingdom.
Methods and definitions
Data presented in this News Release are based on the results of the 2019 European Union survey on ‘ICT usage and e-commerce in enterprises’. This survey covered 160 000 enterprises with 10 or more persons employed out of 1.7 million in the EU-28 in manufacturing; electricity, gas and steam; water supply; construction; wholesale and retail trade, repair of motor vehicles and motorcycles; transportation and storage; accommodation and food service activities; information and communication; real estate; professional, scientific and technical activities; administrative and support activities; repair of computers and communication equipment.
ICT security means measures, controls and procedures applied on ICT systems in order to ensure integrity, authenticity, availability and confidentiality of data and systems.
ICT security measures refer to any of the following: strong password authentication (minimum length of 8 mixed characters, periodical change); keeping the software (including operating systems) up-to-date; user identification and authentication via biometric methods implemented by the enterprise (e.g. based on fingerprints, voice, faces); encryption techniques for data, documents or e-mails; data backup to a separate location (including backup to the cloud); network access control (management of access by devices and users to the enterprise’s network); Virtual Private Network (VPN that extends a private network across a public network to enable secure exchange of data over a public network); maintaining log files for analysis after security incidents; ICT risk assessment (periodical assessment of probability and consequences of ICT security incidents); or ICT security tests (e.g. performing penetration tests, testing security alert system, review of security measures, testing of backup systems).
Enterprises are classified in different categories according to the number of persons employed.
– small enterprises: 10 to 49 persons employed;
– medium-sized enterprises: 50 to 249 persons employed;
– large enterprises: 250 or more persons employed.
Results on ICT security refer to the year 2019; those on enterprises that experienced problems due to ICT related security incidents refer to 2018.