SMEs are accused of being too naive in the face of cyberattacks. Is it true? In Switzerland, studies highlighting the lack of preparation of small businesses in the face of cyber risks are increasing. But the reality is more nuanced than that and progress has been made, says an expert. The identity of the authors of these studies is also debated.
Swiss SMEs? What’s more, they don’t train their staff enough. Not to mention their ignorance of the future data law, which will come into force in a year. This is, in essence, the content of Axa’s latest study, published this week. These conclusions are precisely in line with those of other reports published in recent months. So, are SMEs that bad at cybersecurity?
Let’s start with the Axa study, published on Monday. According to its survey, 15% of companies surveyed say they have been victims of a cyberattack in the past few years, when outsiders have tried to penetrate their internal network. This does not keep SME bosses awake at night, according to Axa: 62% of them consider the risk of being the victim of such an attack low, and only 12% rate it as high.
“More and more targeted”
As a direct consequence, few take measures to protect themselves: only 73% of SMEs make regular backups of their data, and just over two-thirds use antivirus software. Even more alarming, just over half (55%) have installed a firewall to protect their network and 46% have defined rules for creating passwords.
Axa is not the only one to notice this lack of preparation. And two-thirds of companies surveyed said they regularly update their software and use firewalls. In addition, only one in ten SMEs believed that cybersecurity was every employee’s business. “Many SMEs have already been victims of cyberattacks. The directors say they are aware of this, but remain passive despite everything,” said Andreas Hölzli, head of the Cyber Risk competence center at La Mobilière, this summer.
So what is the real situation? “Be careful, we must differentiate very small companies from those with 50 to 200 employees,” says Steven Meyer, director of the cybersecurity company Zendata. “The hairdresser, the restaurateur or the carpenter do not feel at all concerned because they do not a priori handle data deemed sensitive.”
According to Steven Meyer, “companies managing sensitive data, such as doctors, notaries or trustee managers, are now very attentive to their security. The vast majority of them are taking steps to increase their protection.” For the head of Zendata, “from now on, large SMEs are integrating security into their internal processes. This is a welcome development.”
There is also the question of the sponsors of the aforementioned studies, often insurance companies… who want to sell products related to cybersecurity. “Insurers want to sell insurance, but above all to companies that present the least risk,” believes Steven Meyer. “It is therefore necessary to be very careful with these insurance policies, whose prices are exploding and whose scope is shrinking. The good thing is that these insurers require a higher level of security from the companies that sign up.”