More and more companies are taking measures to allow their customers or employees to securely login to their ICT systems, websites or apps. For example, the use of two-step verification increased from 26 percent in 2017, to 61 percent in 2024. 72 percent of companies had a password policy, up from 57 percent in 2017. This is according to the Cybersecurity Monitor 2024. CBS produces the monitor on business resilience to digital threats at the request of the Ministry of Economic Affairs.
Two-step verification or two-factor authentication (2FA) is a way of logging in that, in addition to a password, requires entering an additional code that changes for each login session. The user receives this code, for example, via a text message, an app, or a separate device.
A password policy allows companies to require employees or customers to choose a password that meets certain requirements, such as the use of numbers, capital letters and special characters.
Large companies are more likely to use secure ways to log in than small businesses. For example, 97 percent of companies with 250 or more employees used two-step verification in 2024, compared with 57 percent of companies with 2 to 10 employees.
A similar pattern can be seen for the percentage of companies with password policies.
The use of secure ways to log in did increase faster among smaller companies. For example, the use of two-step verification by companies with 10 to 50 employees more than doubled: from 29 percent in 2017, to 76 percent in 2024. Using a password policy also increased: from 64 percent in 2017, to 80 percent in 2024.
Two-step verification was most frequently used in 2024 by companies in information and communications (88 percent), followed by financial services (83 percent) and health and wellness (80 percent). In the hospitality industry, two-step verification was used the least often, but did increase the most: from 16 percent in 2017, to 44 percent in 2024. A similar picture can be seen for the percentage of companies with password policies.
Despite the measures taken, cybersecurity incidents may continue to occur. Large companies are more likely to have cyber incidents than small companies, but across all company sizes, the number of companies with incidents decreased. As recently as 2017, nearly 40 percent of the largest companies (250 or more employees) reported having had an incident due to an outside attack in the previous year; in 2024, the figure was 16 percent.
