ICT security in enterprises

Data from December 2015. Most recent data: Further Eurostat information, Main tables and Database. Planned article update: February 2019.

This article analyses recent statistical data on information and communication technologies (ICT) security in the European Union (EU). Results were obtained through a specific set of questions in the 2015 questionnaire of the Community survey on ICT usage and e-commerce in enterprises. In this context, ICT security refers to relevant incidents as well as measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of their data and ICT systems.

Figure 1: Enterprises having a formally defined ICT security policy, by size class, EU-28, 2015 (% enterprises) Eurostat (isoc_cisce_ra)
Figure 2: Enterprises having a formally defined ICT security policy, by economic activity, EU-28, 2015 (% enterprises) Eurostat (isoc_cisce_ra)
Table 1: Enterprises having a formally defined ICT security policy, by economic activity, 2015 (% enterprises) Eurostat (isoc_cisce_ra)
Figure 3: Enterprises having defined or reviewed their ICT security policy, 2015 (% enterprises) Eurostat (isoc_cisce_ra)
Figure 4: Enterprises having defined or reviewed their ICT security policy, by economic activity, EU-28, 2015 (% enterprises) Eurostat (isoc_cisce_ra)
Figure 5: Enterprises addressing specific ICT security risks, 2015 (% enterprises) Eurostat (isoc_cisce_ra)
Table 2: Enterprises addressing all ICT security risks, for selected economic activities, 2015 (% enterprises) Eurostat (isoc_cisce_ra)
Table 3: Enterprises with a formally defined ICT security policy addressing specific security risks, 2015 (% enterprises) Eurostat (isoc_cisce_ra)


Main statistical findings

  • In 2015, almost one out of three enterprises in the EU-28 had a formally defined ICT security policy.
  • The share of large enterprises that had a formally defined ICT security policy was almost three times the share of small ones.
  • Of the enterprises having an ICT security policy (32 %), the majority (20 % of all enterprises) had defined or reviewed their policy within the last 12 months.
  • In all countries, most of the enterprises addressed the risk of "destruction or corruption of data due to an attack or some other unexpected incident".

ICT security policies by enterprise size, sector and country

The existence of an ICT security policy in an enterprise means that the enterprise is aware of the importance of its ICT systems and the relevant potential risks. Moreover, the existence of an ICT security policy would imply an enterprise's strategy to safeguard data and ICT systems as well as mandatory obligations for all employees. In 2015, 32 % of enterprises in the EU-28 had a formally defined ICT security policy; shares of over 45 % were registered in Sweden and Portugal (51 % and 49 % respectively). In the context of this article, a formally defined policy should refer to an assessment of ICT security risks in terms of likelihood of occurrence of incidents and their possible impact on the operations of the enterprise. In addition, a policy should describe the various actors and their responsibilities in relation to incident handling and possible contingency plans.

Figure 1 shows that the share of large enterprises that had a formally defined ICT security policy was almost three times the share of small ones. The highest proportions of enterprises having such a policy in the EU-28 were reported in the sector of Information and communication activities (60 %) and in Professional, scientific and technical activities (49 %) (Figure 2). The lowest proportions were registered in the sectors of Construction (20 %), Real estate (25 %) and Transportation and storage (26 %).

It is assumed that the existence of an ICT security policy and the frequency with which it is reviewed are positively correlated with the readiness of enterprises to report ICT security incidents. Out of all EU enterprises that reported having an ICT security policy (32 %), the majority reported having defined or reviewed their policy within the last 12 months (20 %) (Figure 3). The highest percentages of enterprises that had most recently defined or reviewed their policy were reported in Ireland (30 %), Croatia and Portugal (both 29 %). Some 40 % of enterprises in Information and communication activities, the highest proportion among all economic activities, reported having defined or reviewed their ICT security policy in the last 12 months (Figure 4).

Types of risks

The risk of destruction or corruption of data due to an attack or some other unexpected incident is the risk most commonly addressed by enterprises' ICT security policies.

The three types of risks addressed by enterprises having a formally defined ICT security policy correspond essentially to the core elements of the ICT security definition, i.e. integrity, confidentiality and availability of data and systems. These elements are further described in the following section of this article.

Figure: Types of risks addressed by enterprises' ICT security policies, 2015 (% enterprises)

The highest percentage of enterprises with a formally defined ICT security policy addressing the risk of destruction or corruption of data due to an attack or some other unexpected incident was reported in Portugal (44 %). Similarly, enterprises in Portugal reported the second highest percentage with a formally defined ICT security policy addressing the risk of unavailability of ICT services due to an attack from outside (e.g. a Denial of Service attack) (35 %).

The highest percentage of enterprises with a formally defined ICT security policy addressing the risk of disclosure of confidential data due to intrusion, pharming, phishing attacks or by accident was reported in Ireland (39 %). In addition, enterprises in Ireland reported the highest percentage with a formally defined ICT security policy addressing all of the above-mentioned risks (35 %).

Data sources and availability

Source: Data presented in this article are based on the results of the 2015 Community survey on 'ICT usage and e-commerce in enterprises'. Statistics were obtained from surveys in enterprises conducted by National Statistical Authorities in the first months of 2015.

Sample: Some 148 800 enterprises, with 10 or more persons employed, out of 1.5 million in EU-28 were surveyed. Out of these 1.5 million enterprises approximately 83 % were enterprises with 10-49 persons employed, 14 % with 50-249 and 3 % with 250 or more.

Symbols: Data in tables shown as ‘:’ refer to data that are unavailable, unreliable, confidential or not applicable. Unreliable data are included in the calculation of European aggregates. Data presented in this article may differ from the data in the database on account of updates made after the data extractions used for this article.

Main concepts: The surveys' reference period was the current situation of the survey period or for some questions (like e.g. e-commerce) the year 2014. The observation statistical unit is the enterprise, as defined in the Regulation 696/1993 of 15 March 1993. The survey covered enterprises with at least 10 persons employed. Economic activities correspond to the classification NACE Revision 2. The sectors covered are manufacturing, electricity, gas and steam, water supply, construction, wholesale and retail trades, repair of motor vehicles and motorcycles, transportation and storage, accommodation and food service activities, information and communication, real estate, professional, scientific and technical activities, administrative and support activities and repair of computers and communication equipment. Enterprises are broken down by size; small (10-49), medium (50-249) and large enterprises (250 or more persons employed).

ICT-related security incidents affect the ICT system of an enterprise and may cause different problems. Therefore, the following security risks were expected to be addressed by the enterprises' ICT security policies:

  • Destruction or corruption of data due to hardware or software failures refers to issues of data integrity caused by hardware or software failures, e.g. crashes of servers or hard disks due to hardware failures or crashes of servers due to software failures, e.g. erroneous updates.
  • Unavailability of ICT services due to attack from outside refers to attempts from outside to make an information system resource unavailable to its intended users. One aim of these attacks is to prevent an internet site or service from functioning efficiently, e.g. websites of banks, credit card payment gateways.
  • Disclosure of confidential data due to intrusion, pharming, phishing attacks refers to an attempt to get confidential information on persons, staff or clients, intellectual property or other confidential information. Intrusion is an attempt to bypass security controls on an information system by viruses, worms, Trojan horses etc. Phishing is a criminally fraudulent attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Pharming is an attack which redirects the traffic of a website to another, bogus website in order to acquire sensitive information.

Context

In the context of the survey in enterprises, ICT security refers prominently to policies including measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of data and ICT systems. The relevant statistics would be used in the context of the European Strategy for Cyber Security and the European Agenda on security that provide the overall strategic framework for the EU initiatives on cybersecurity and cybercrime. Trust and security are also a key pillar of the Digital Single Market Strategy.

From the legislative point of view, on 7 December 2015 the European Parliament and the Council reached an agreement on the Commission's proposed measures to increase online security in the EU. The Network and Information Security (NIS) Directive is the first piece of European legislation on cybersecurity. Its provisions aim to make the online environment more trustworthy and, thus, to support the smooth functioning of the EU Digital Single Market Strategy. The NIS Directive includes common provisions across the Union, addressing national capabilities and preparedness, EU-level cooperation, take-up of risk management practices, an information-sharing culture in NIS, and notification of IT incidents.

Further Eurostat information

Database

ICT usage in enterprises (isoc_e)
ICT security (isoc_cisc)
Security policy: risks addressed and staff awareness (isoc_cisce_ra)
Security incidents and consequences (isoc_cisce_ic)

Other information

  • Regulation (EC) No 808/2004 of 21 April 2004 concerning Community statistics on the information society
  • Regulation (EC) No 960/2008 of 30 September 2008 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
  • Regulation (EU) No 1023/2009 of 29 October 2009 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
  • Regulation (EU) No 821/2010 of 17 September 2010 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
  • Regulation (EU) No 937/2011 of 21 September 2011 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
  • Regulation (EU) No 1083/2012 of 19 November 2012 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
  • Regulation (EU) No 859/2013 of 5 September 2013 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
  • Regulation (EU) No 1196/2014 of 30 October 2014 implementing Regulation (EC) No 808/2004 concerning Community statistics on the information society
  • Regulation (EC) No 696/1993 of 15 March 1993 on the statistical units for the observation and analysis of the production system in the Community