Cyber Security, this is why SMEs make a mistake in feeling safe

2023-12-06

Research by Grenke Italia, a company specialized in the operational rental of instrumental goods and services for businesses, highlights that 72.7% of Italian companies have never carried out training activities on cybersecurity, 73.3% do not know what a ransomware attack is, 43% do not have an IT security manager, 26% have almost no protection systems and only 1 company in 4 (22%) has a "segmented" or more secure network. This evidence from the survey, carried out in collaboration with Cerved Group and Clio Security, outlines a certain "superficiality" among small and medium-sized Italian companies, which think they are safe or free from possible cyber attacks but often do not adopt virtuous behavior and know little or nothing about the dangers they face. The research involved a representative sample of more than 800 companies with a turnover between 1 and 50 million euros and between 5 and 250 employees. Affaritaliani.it spoke to the scientific director of the research and founder of DI.GI. Academy, Alessandro Curioni.



Why do you think this research is really important?

There are two significant aspects. The first is the over 800 companies extracted from the Cerved databases which register around 700 thousand SMEs and therefore guarantee the correspondence of the sample with respect to the real composition of the universe of national companies. The second is the contribution of the partners Grenke, the main operator in the operational rental sector for small and medium-sized businesses, and Clio Security, a startup that brings together the expertise of analysts and consultants who have long experience with this type of companies. In fact, the questionnaire revealed some very interesting elements.

What are the negative aspects and what, if any, are the positives?

Unfortunately, the scenario is substantially negative and it is unthinkable that it will change in the short term. If 72 percent of companies still do not train their employees on the topic of cyber risks and 70 percent do not periodically verify the security of their systems through penetration or other forms of audit, we certainly cannot say that everything is fine. These and other numbers say that the situation is serious.

In your opinion, what causes the current scenario? Are there precise factors that are easily identifiable?

This is an interesting aspect because, contrary to what we usually think, the problem does not seem to be the costs of security, rather our SMEs believe they have made a significant effort to adapt to the requirements of European data protection legislation and, for some strange reason, they believe this is sufficient to also resolve the issue of cyber security. This would explain why 60 percent of our SMEs consider cyber security important and, in parallel, to the question: “How adequate do you consider the measures adopted by your company for the protection of personal data?” 75 responded by attributing an adequacy level of 8 to 10 to the measures adopted.

In your opinion, is there more a dimensional, organizational or generational issue behind such results?

In reality, I fear that the issue is cultural, therefore one that is very difficult to resolve in the short term, also because it brings together both organizational and generational issues. However, it is now also combined with a psychological factor. On the one hand, the inability to understand that complying with a standard does not produce the immediate solution to one's security problems; on the other hand, precisely on this premise, the company will be at least reluctant to invest further resources in something that, in its heart, it thinks it has already solved.

Can it be said that SMEs run fewer risks than large ones from an IT security point of view, or is this also a myth to be dispelled?

If by risk we mean the fact that there are fewer chances for an SME to be attacked, it is simply a statistical question. There are more SMEs than large companies, and in percentage terms the latter suffer more attacks than the former. In absolute values, obviously, the roles are reversed. In any case, there is a lot of talk about cyber resilience because the problem is not whether we will be attacked, but when it will happen. If, however, by "fewer risks" we mean that the consequences will be less serious, then everything depends on the level of digitalisation of the SME, which often does not include a fundamental aspect of this too. Digital systems have now entered or are about to enter the heart of corporate business. Even the pot manufacturer must start to be aware that his production machines are very similar to a smartphone that also does something else.

Does the world of corporate IT security foresee the development of new professions?

Research has clearly shown that staff dealing with cyber security within SMEs in 90 percent of cases have minimal knowledge of both the technologies and the main forms of attack. There is therefore a huge skills problem. On the other hand, the topic of cyber security has become so complex that ENISA, the European Agency for Cybersecurity, has developed a skills framework that includes 12 different specializations. Today, dealing with cyber security is not so different from being a doctor: not everyone does the same job.
