Dutch companies are increasingly being targeted by cyber attacks. This increasing threat poses "a growing challenge" to the business community and self-employed individuals without staff (zzp'ers). They are behind the times and cannot keep up with the speed at which hackers and cybercriminals are developing new methods of attack. This has led to a resilience gap between cyber threats and digital resilience.
So says the Digital Trust Center (DTC), part of the Ministry of Economic Affairs and Climate (EZK) (1). The agency investigated the cyber resilience of small and medium-sized enterprises (SMEs) and sole traders operating in the Netherlands.
To map the digital resilience of small businesses, researchers mapped what security measures they were taking. The purpose of this exercise is, on the one hand, to create awareness and, on the other hand, to find out where SMEs can increase their cyber resilience. A total of 766 entrepreneurs and self-employed workers participated in the study.
The survey found that both SMEs and sole proprietors are taking security measures to keep out hackers and cybercriminals. Installing antivirus software on devices is the most frequently mentioned measure among small business owners, at 85 percent. Recognizing phishing and securing the domain name come in second and third place with 82 percent and 80 percent, respectively. Three-quarters of SMBs also keep a record of all devices and applications (78 percent) and regularly back up company data (77 percent).
Recognizing phishing emails (85 percent) and installing a virus scanner (83 percent) are also the most frequently mentioned security measures among self-employed workers. Furthermore, self-employed small businesses try to protect themselves from cybercriminals by setting up a spam filter (77 percent), using unique passwords (73 percent) and keeping work equipment up-to-date (68 percent).
What is striking is that both small business owners and sole proprietors rank two-factor authentication (2FA) as one of the least mentioned security measures. In SMEs, 60 percent of respondents said they protect all business applications with 2FA. Among the self-employed without employees, the figure is only 44 percent.
Less than half of SMBs (43 percent) say they have considered implementing network segmentation or zero-trust policies. If a hacker or cybercriminal manages to infiltrate a corporate network and the network is segmented, he has access to only part of the network and thus corporate data. More than half of the respondents reported having macros disabled (55 percent) and logging enabled (57 percent). One in three small businesses (35 percent) allow employees to install their own software.
A mistake that most self-employed people make is that they also use their business computer for private purposes. This increases the risk of getting a virus or other malware. A quarter (28 percent) regularly perform a risk analysis to assess digital security. One in three self-employed individuals without staff (33 percent) has a call list on hand in case a digital emergency occurs.
"Although the self-employed group scores lower on average on taking cybersecurity measures, this group has more insight into the measures taken than the SME group," the DTC concludes. Among SMEs, it is more often unclear whether or not certain security measures have been taken.
Another notable difference between the two groups is that self-employed people test their backup less often than SMEs (54 percent versus 66 percent). Furthermore, 9 percent of the self-employed say they use an IT company to handle their cybersecurity. Among SMEs, the figure is 64 percent. This may explain why SMEs often have no idea what security measures have been implemented.
