IT security in SMEs is insufficient
VdS study reveals weaknesses
Nowadays, modern IT infrastructure and an Internet connection are essential for a company to survive in international competition and to run its business processes. This applies not only to large corporations but also to small and medium-sized enterprises (SMEs).

Networking: opportunity and risk
Rapidly advancing digitalization helps SMEs act faster and more efficiently, and thus be more successful and competitive. The same technology, however, becomes a challenge when it comes to security, because this new digital working environment also multiplies the options available to cyber criminals. Through fake (phishing) emails, ransomware, DoS/DDoS attacks, botnets and other malicious code, criminals also attack medium-sized businesses, targeting personal data, money and company know-how. And once customer data, patent and innovation information or source code are gone, business or production operations usually come to a halt. Attackers know this too, and therefore find a lucrative "field of activity" in medium-sized businesses.
Mischief, espionage and money
The motives of attackers vary widely: some act out of sheer malice or for espionage (politically or economically motivated), others just want to "show what they can do" or to damage the reputation of companies or organizations. And for others, it is all about money. Money is not only to be found at large corporations, and cyber criminals have known this for a long time.

55 billion euros in losses
However, attacks do not always come from outside the organization: in our digital daily routine, thousands of emails are sent from A to B without any check by employees, and USB sticks are used to carry data around. The amount of data lost or misdirected through such careless practices is something nobody wants to estimate.
Moreover, cyber-attacks are not always detected immediately: companies often discover an attack on their IT only six to nine months after the fact. According to an estimate by the IT industry association Bitkom, the annual damage caused by cyber-attacks in Germany amounts to 55 billion euros.
Extensive analysis of IT security in SMEs
In this context, VdS, one of the world's most renowned institutions for corporate security, has conducted a study on information security in SMEs. For this purpose, the institute evaluated the data of 3,000 companies that used its "Web Quick Check", a questionnaire that lets a company quickly estimate the level of its own digital protection. The result is one of the most comprehensive analyses of IT security carried out in Germany, and we would like to present it in today's blog post. You can see the entire study here.
IT security in the mid-tier: Disillusionment across the board
The overall result is sobering: SMEs are still insufficiently protected against cyber-attacks. The greatest need for improvement is in "IT security management", where only 32% of the companies surveyed are well positioned. Above all, topics such as cloud computing and IT outsourcing are addressed insufficiently, even though this is precisely where SMEs could achieve high protection levels with the simplest optimization measures.
In security technology and preventive measures the figures are also alarming, even if the backlog there is less substantial. Both areas are covered well by 57% of the companies, which still means that 43% of SMEs are poorly positioned. The protective measures of SMEs for networks, software and mobile devices thus remain insufficient, and preventive measures such as data and environmental security or recovery plans appear equally poor.
Mobile devices are poorly protected
Let's take a closer look at the technology section. The first alarming finding concerns the protection of mobile devices: only 59% of companies reliably protect the data on their mobile devices against unauthorized access. Although this is a slight increase compared to 2017 (57%), it is still two percentage points lower than in 2016, the year in which the Locky, TeslaCrypt and CryptoWall encryption Trojans wreaked havoc. Things have been relatively quiet in recent months as far as large-scale cyber-attacks are concerned: could companies have been lulled into a false sense of security? It is precisely mobile working with smartphones, tablets, laptops etc. that opens the door to attacks: because these devices provide mobile access to the corporate network, and thus to sensitive data, they are used heavily by employees and are therefore attractive targets.
Technical security measures are not implemented consistently enough
There are great differences between the individual measures. While 88% of SMEs protect their Internet access, and 86% provide encrypted access to their internal IT infrastructure from public and wireless networks, only 27% carry out regular risk analyses for the IT networks that are particularly relevant to them. Given constantly evolving attack methods and tools, this is a disturbing result. The fact that 12% of SMEs apparently still have no protective measures at all against threats from the Internet is also alarming, especially at a time when basic protection with a firewall and anti-virus software is taken for granted even by private users.
Prevention: data backup top, emergency response flop
There is some good news too: measures against data loss are implemented well or very well by 96% of SMEs, the best result of the entire study. The IT experts' motto "no backup, no pity" seems to have spread. Moreover, 86% of SMEs also protect their servers against physical attacks.
However, the question of what must be done in the event of a cyber-attack, and which internal and external bodies must be informed, seems to cause confusion among SMEs: only 41% of companies have guidelines for handling security incidents or recovery plans for critical systems in the event of a breach. Precautions such as a risk analysis of IT systems are particularly lacking: only 28% of the surveyed companies carry one out. And only 24% of SMEs have bindingly defined what constitutes an "IT security incident" at all. Despite strict legal requirements on what must be done in an emergency, these figures have stagnated since 2017 and in part even declined compared to 2016: in 2017 and 2016 respectively, 41% and 38% of SMEs had guidelines for security incidents, and 42% and 46% had recovery plans.

SMEs need more structured access assignment?
Here again, the good news first: the assignment of access rights (such as read, write and execute) on IT applications and data to persons or groups of persons is apparently regulated, and the management of access to IT systems works at German SMEs: 84% grant administrative access exclusively to administrators (2017: 83%, 2016: 81%), and 82% grant access to a network only if it is necessary for the tasks at hand (2017: 78%, 2016: 80%). However, the fact that only 49% of companies check whether these access rights are still needed after a defined period puts the whole result into perspective again. Just think of how quickly responsibilities change or employees leave, and you will understand the problem: a right that was justified when it was granted silently outlives its purpose unless someone recertifies it. Structured access assignment, including such periodic review, is a small step with a big impact on corporate security, as it closes off many opportunities for damaging a company and its employees.
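As an added illustration of the periodic recertification check this paragraph calls for (example code written for this post, not part of the VdS study or its Web Quick Check), the following Python script reviews a constructed list of access grants against a review period: it flags grants held by users who are no longer active, administrative rights held by non-administrators, and grants that have gone longer than the period without being recertified. The user names, resources, dates and the 90-day period are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed review period: a grant must be recertified at least this often.
REVIEW_PERIOD = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    right: str                    # "read", "write", "execute" or "admin"
    granted: date                 # when the right was first assigned
    last_reviewed: Optional[date]  # None = never recertified since it was granted


@dataclass(frozen=True)
class Finding:
    user: str
    resource: str
    right: str
    reason: str


# Constructed sample data (hypothetical users and systems).
ACTIVE_EMPLOYEES: Set[str] = {"alice", "bob", "carol"}   # "dave" has left the company
ADMINS: Set[str] = {"carol"}                              # the only designated administrator

GRANTS: List[Grant] = [
    Grant("alice", "crm-db", "read", date(2018, 1, 10), date(2018, 6, 1)),
    Grant("bob", "erp-server", "admin", date(2017, 3, 1), None),          # admin right, never reviewed
    Grant("carol", "erp-server", "admin", date(2017, 3, 1), date(2018, 5, 20)),
    Grant("dave", "fileshare", "write", date(2016, 9, 1), date(2017, 1, 15)),  # departed user
    Grant("alice", "build-server", "execute", date(2018, 5, 2), None),    # new grant, still inside the period
]


def review_grants(grants: List[Grant], active: Set[str], admins: Set[str],
                  today: date, period: timedelta = REVIEW_PERIOD) -> List[Finding]:
    """Return one Finding per problem detected in the access assignment.

    Rules, in order:
      1. A grant for a user who is no longer active must be revoked (no further checks).
      2. Administrative rights may only be held by designated administrators.
      3. A grant whose last review (or, if never reviewed, its grant date) is older
         than the review period is overdue for recertification.
    """
    findings: List[Finding] = []
    for g in grants:
        if g.user not in active:
            findings.append(Finding(g.user, g.resource, g.right,
                                    "user no longer active: revoke"))
            continue
        if g.right == "admin" and g.user not in admins:
            findings.append(Finding(g.user, g.resource, g.right,
                                    "administrative right held by non-administrator"))
        reference = g.last_reviewed or g.granted
        age = today - reference
        if age > period:
            findings.append(Finding(g.user, g.resource, g.right,
                                    f"not recertified for {age.days} days"))
    return findings


def users_needing_action(findings: List[Finding]) -> Set[str]:
    """Distinct users for whom at least one finding exists (for an owner-by-owner review)."""
    return {f.user for f in findings}


if __name__ == "__main__":
    for f in review_grants(GRANTS, ACTIVE_EMPLOYEES, ADMINS, date(2018, 7, 1)):
        print(f"{f.user:6} {f.resource:13} {f.right:8} {f.reason}")
```

Run stand-alone, the script lists the three problems in the sample data: bob holds an administrative right without being an administrator and has not been recertified for 487 days, and dave's grant survives his departure. alice's newer grant is not reported because the grant date counts as its first review and it is still inside the 90-day window.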
Better regulation of private use of devices required
Whether it is a company PC, smartphone or laptop: these devices are often used for private web browsing, private communication or storing private data. But exactly this behaviour is a favourite gateway for attackers. A private USB stick plugged in, an external program installed, the attachment of a private email opened: the employer's computer is infected with a virus or other malware within a fraction of a second. So should private use be banned entirely? But what about sales representatives or employees working from home? Employers cannot avoid regulating the private use of company laptops and similar devices, and this is exactly where SMEs need to catch up: only 66% of them regulate this important security point for their employees. The situation is even worse when it comes to access by external service providers: only 45% of SMEs have set clear rules for their IT service providers.
Information security management is alarming
Only 32% of medium-sized companies demonstrate good or very good IT security management, 3 percentage points more than in 2017 but still not enough. Even though the risks of cloud computing are well known, only 27% of SMEs protect themselves against data loss or technical failure with the necessary security requirements, such as data encryption, secure access or data backup. Even for outsourcing projects, which are often a particularly weak point in the IT security chain and therefore a preferred point of attack for cyber criminals, only 33% of companies have specific security requirements.
Conclusion: Digitization at the expense of IT security?
The state of IT security in SMEs has hardly improved over the last three years despite advancing digitization. Although many SMEs are very innovative in fields such as the Internet of Things, Industry 4.0, smart cars or smart homes, unlike large companies they usually have limited resources for IT security. Many lack the know-how or the budget to identify and reliably close security gaps in their operations. Awareness of IT security clearly exists, but implementation lacks consistency. This gap must be closed.