
2022-05-04
Annabelle Theobald

Companies often lack sufficient awareness of cybersecurity risks

Most small and medium-sized enterprises (SMEs) in Germany take many technical measures to protect their data and secure computer systems. However, training employees accordingly and creating sufficient awareness of cyber risks falls by the wayside in some companies. This is what CISPA researcher Nicolas Huaman Groschopf found out in a large-scale interview study on information security in small and medium-sized enterprises in Germany. The study was funded by the German Federal Ministry of Economics (BMWK) and the VHV Foundation with more than 1.2 million euros. The BMWK contributed the lion's share with almost one million. Huaman Groschopf presented his findings at the renowned IT security conference USENIX Security Symposium.

"Most German SMEs have solid basic technical protection against cyberattacks," says Nicolas Huaman Groschopf. But there is one point the 27-year-old cannot ignore: "However, many still lack the necessary awareness of cybersecurity risks," says the CISPA researcher. Together with colleagues, Huaman Groschopf has collected data and information from 5,000 companies with 10 to more than 500 employees. It took more than half a year at the end of 2018 and the beginning of 2019 to question the companies' IT managers in computer-assisted interviews about their security measures, their risk awareness, and security-related incidents in the past.

"We found it interesting that an overwhelming majority of 83 percent of companies put the maintenance of their IT infrastructure, and therefore its security, in the hands of external service providers." Not a bad decision, it seems. After all, regular backups, anti-virus software, and firewalls have long been standard practice in almost all of the companies surveyed, according to Huaman Groschopf. The situation is different when it comes to more organizational measures: For example, according to the study, only about 60 percent of companies offer information security training, just over a third prepare for emergencies with exercises, and only about a quarter of companies aim to obtain a certificate attesting to their secure IT structures.

"The study showed us that the respective industry, the number of employees, and the age of the companies influence the use of technical and organizational security measures and which protection is considered particularly important in the companies," says Huaman Groschopf. According to the study, companies in the financial and energy sectors are most likely to rely on organizational security measures in addition to technical ones. "Banks overall have often demonstrated extensive competencies when it comes to cybersecurity measures."

Forty percent of the companies interviewed had experienced cybercrime during the 12 months before the survey and had to take action. Most companies reported incidents such as phishing and malware. CEO fraud, a scam in which attackers impersonate a known individual and manipulate their victims into transferring funds, also appeared to be a more common problem. So did (D)DoS attacks, in which computer systems are deliberately overloaded and thus rendered inoperable. "Depending on the industry, certain types of attacks were more common," says Huaman Groschopf.

In addition, he says, it has become apparent that smaller companies, in particular, underestimate their risk of being targeted. If anything, they tend to expect mass attacks. "The lower perceived risk of targeted attacks could make small businesses more vulnerable to attacks like CEO fraud, targeted ransomware attacks, and insider threats." According to the CISPA researcher, a mass attack can quickly turn into targeted spying on a company. "The Emotet malware is the best example of this," Huaman Groschopf says. The computer virus is still considered one of the biggest malware threats globally and caused a lot of damage in Germany in recent years, according to estimates by the German Federal Office for Information Security (BSI). The malware is distributed via spam emails and can, for example, read contacts and mail contents from the mailboxes of infected systems. Once the computer is infected, Emotet downloads further malware. These malicious programs enable attackers to steal data or even take complete control of the system. "The attackers often proceed cautiously and thus remain unnoticed for a very long time," says Huaman Groschopf.

The research team led by Huaman Groschopf concludes that risk awareness among SMEs is still too low, and legislators should actively work to create more awareness of information security and the risks of cybercrime. "Companies should also examine organizational measures such as information security policies and employee training and evaluate which of these measures make sense for their business model," advises Huaman Groschopf.

The 27-year-old from Saarland is conducting research under the direction of CISPA faculty member Sascha Fahl and is part of the now 15-member team that has been driving CISPA's research on web and industrial security as well as user-oriented IT security in Hanover since the beginning of the year. "Such a large-scale study at research level has been lacking so far and gives us many starting points for further investigations," says Huaman Groschopf.  

translated by Oliver Schedler