Information and communication technologies have changed the way people conduct business and communicate, and have enabled the development of new business models. With the digitalisation of the economy, the exposure of enterprises to new cyber threats increases. It is therefore crucial that enterprises take care of cyber or information security: take appropriate measures and implement controls and procedures to ensure the security of the ICT systems they use and the data they hold. The primary concepts of information security are confidentiality (the ability to protect data against access by unauthorised persons), integrity (the ability to prevent unauthorised or undesirable changes to data) and availability (data being available when needed).
How do enterprises with at least 10 persons employed in Slovenia take care of information security?
Information security: the usage of security measures or procedures in enterprises
More than half of enterprises use strong password authentication and network access control
The most commonly used ICT security measure in enterprises with at least 10 persons employed is keeping software or operating systems up-to-date (77%). 62% of enterprises back up data to a separate location or to the cloud (59% of small, 73% of medium-sized and 88% of large enterprises). 57% of enterprises use strong password authentication, i.e. a minimum length of 8 mixed characters, changed periodically (52% of small, 74% of medium-sized and 85% of large enterprises), and the same percentage of enterprises use network access control to restrict access by devices and users to the enterprise's network to authorised persons only (52% of small, 75% of medium-sized and 91% of large enterprises). 37% of enterprises use a Virtual Private Network (VPN), which extends a private network across a public network to enable secure exchange of data. 34% of enterprises maintain log files for analysis after security incidents, and 29% use encryption techniques for data, documents or e-mails. 4% of enterprises use identification and authentication via biometric methods, e.g. based on fingerprints, voice or faces.
About a quarter of enterprises (26%) conduct ICT security tests, e.g. they perform penetration tests, test security alert systems, review security measures or test backup systems (21% of small, 43% of medium-sized and 63% of large enterprises). 21% of enterprises conduct ICT risk assessment, i.e. periodically assess the probability and consequences of ICT security incidents (17% of small, 32% of medium-sized and 65% of large enterprises).
16% of enterprises with at least 10 persons employed do not use any of the mentioned security measures or procedures. The share is highest among small enterprises (18%), followed by medium-sized (6%) and large enterprises (1%).
4% of enterprises have insurance against ICT security incidents, which covers the costs of security incidents connected with ICT (4% of small, 7% of medium-sized and 3% of large enterprises).
ICT security related activities are carried out by employees or external suppliers
In 79% of enterprises, ICT security related activities, e.g. security testing, ICT security training and resolving ICT security incidents, are carried out by employees (incl. those employed in parent or affiliate enterprises) or by external suppliers. In 37% of enterprises these activities are carried out by employees, and in 61% of enterprises by external suppliers.
Information security: training of persons employed important for safe ICT usage
More than half of enterprises make their persons employed aware of their obligations in ICT related issues
Persons employed are the most common target of cyberattacks and a possible weak point in an enterprise's ICT security. Their education is therefore crucial in ensuring the secure usage of ICT.
53% of enterprises with at least 10 persons employed make persons employed aware of their obligations in ICT security related issues (48% of small, 71% of medium-sized and 92% of large enterprises). 44% of enterprises do so through voluntary training or internally available information, e.g. information available on the Intranet, 26% of enterprises by contract, e.g. the contract of employment, and 15% through compulsory training courses or viewing compulsory material (12% of small, 23% of medium-sized and half of large enterprises).
By enterprise activity, 44% of enterprises in manufacturing activities make persons employed aware of their obligations in ICT security related issues, compared with 61% in service activities. The share of persons employed who use computers with Internet access for business purposes is higher among enterprises in service activities (64%) than in manufacturing activities (42%).
Information security: written procedures on measures, practices or procedures on ICT security
Almost three quarters of documents on measures, practices or procedures for secure ICT usage were defined, reviewed or updated in the last 12 months
The purpose of these documents, e.g. established information security policies, is to evaluate potential security risks in the use of ICT, to provide procedures or rules for preventing security incidents, and to set out rules on the storage and protection of data, access to data, and the responsibilities, rights and duties of persons employed, etc. Because ICTs and the threats to them keep evolving, it is important that such documents are kept up-to-date. 35% of enterprises with at least 10 persons employed have such a written document (30% of small, 56% of medium-sized and 79% of large enterprises). Almost three quarters of these documents (73%) were defined or most recently reviewed in the last 12 months; 18% more than 12 months and up to 24 months ago, and 8% more than 24 months ago.
In these documents, 34% of enterprises address procedures for the storage, protection, access or processing of data; 31% address the management of access rights for the usage of ICT, e.g. computers and networks; 30% the responsibilities, rights and duties of persons employed in the field of ICT, e.g. use of e-mail, mobile devices, social media, etc.; 23% the training of persons employed in the safe usage of ICT; and 21% procedures or rules to prevent or respond to security incidents, e.g. pharming, phishing attacks, ransomware, etc.
Outcomes of ICT related security incidents in 2018: from unavailability of ICT services, destruction or corruption of data to disclosure of confidential data
Medium-sized enterprises encountered problems related to ICT security incidents most often
14% of enterprises experienced problems due to ICT related security incidents at least once in 2018 (13% of small, 19% of medium-sized and 16% of large enterprises).
10% of enterprises with at least 10 persons employed experienced unavailability of ICT services, e.g. due to Denial of Service (DoS/DDoS) attacks, ransomware attacks, or hardware or software failures (9% of small, 14% of medium-sized and 12% of large enterprises). 8% of enterprises experienced destruction or corruption of data, e.g. due to infection by malicious software, unauthorised intrusion, or hardware or software failures (7% of small, 12% of medium-sized and 8% of large enterprises), and 2% experienced disclosure of confidential data, e.g. due to intrusion, pharming or phishing attacks, or intentional or unintentional actions by their own employees (1% of small, 4% of medium-sized and 3% of large enterprises).