In 2019, 93% of EU enterprises with 10 or more persons employed used at least one ICT security measure, control or procedure in order to ensure integrity, authenticity, availability and confidentiality of data and ICT systems. One in three enterprises (34%) reported having documents on measures, practices or procedures on ICT security. 62% of enterprises made staff aware of their obligations in ICT security related issues. One in four enterprises (24%) was insured against ICT security incidents.
Almost all large enterprises used at least one ICT security measure (99% of enterprises employing 250 persons or more), whilst this share was slightly smaller for medium (97% of enterprises employing 50 to 249 persons) and small enterprises (92% of enterprises employing 10 to 49 persons).
A wider spread is observed among enterprises for having documents on measures, practices or procedures on ICT security, from 76% for large, through 54% for medium to 30% for small enterprises.
The vast majority (91%) of large enterprises made their employees aware of their obligations in ICT security related issues, while 78% of medium and 58% of small enterprises did so in 2019.
1 in 10 enterprises used biometric methods for user identification and authentication.
In 2019, the most common ICT security measure used by EU enterprises was keeping their software or operating systems up-to-date (87% of enterprises), followed by strong password authentication (77%), data backup to a separate location or cloud (76%) and network access control (64%). Fewer than half of enterprises reported maintaining log files for analysis after security incidents (45%) and using a Virtual Private Network (VPN, 42%). Enterprises less frequently used encryption techniques for data, documents or e-mails (38%), ICT security tests (36%), ICT risk assessment (34%) and user identification and authentication via biometric methods (10%).
2 in 3 enterprises made their staff aware of their obligations in ICT security related issues
In 2019, almost two thirds of enterprises (62%) made their employees aware of their obligations in ICT security related issues. Voluntary training or internally available information, for instance on the intranet, was the most common form used (44% of enterprises), followed by contracts such as employment contracts (37%) and by compulsory training courses or viewing compulsory material (24%).
1 in 8 enterprises affected by ICT related security incidents
In 2018, one in eight enterprises (12%) experienced problems due to ICT related security incidents at least once. The most commonly reported problem caused by ICT security incidents was unavailability of ICT services, for example due to hardware or software failures (excl. mechanical failure and theft), denial of service attacks or ransomware attacks, which affected 9% of enterprises. It was followed by destruction or corruption of data due to infection with malicious software, hardware or software failures or unauthorised intrusion (5% of enterprises). Less frequently, enterprises (1%) reported disclosure of confidential data, for instance due to intrusion, pharming or phishing attacks.