ICT security in enterprises

Data from March 2020

Planned article update: December 2022

Highlights
In 2019, 92 % of EU enterprises used at least one ICT security measure.

In 2018, 13 % of enterprises in the EU experienced problems due to ICT related security incidents at least once.

ICT security in enterprises, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra) and (isoc_cisce_ic)


This article analyses recent statistical data on information and communication technologies (ICT) security in the European Union (EU). Results were obtained through a specific set of questions in the 2019 questionnaire of the Community survey on ICT usage and e-commerce in enterprises. In this context, ICT security refers to relevant incidents as well as measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of their data and ICT systems.


ICT security in EU enterprises

Table 1: ICT security in enterprises, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra) and (isoc_cisce_ic)

In 2019, 92 % of EU enterprises with 10 or more persons employed used at least one measure in order to ensure integrity, authenticity, availability and confidentiality of data and ICT systems. One in three enterprises (33 %) reported having documents on measures, practices or procedures on ICT security. In one in four enterprises (24 %) these documents were defined or reviewed in the last 12 months. Around 61 % of EU enterprises made staff aware of their obligations in ICT security related issues. One in five enterprises (21 %) was insured against ICT security incidents. Finally, one in eight enterprises (13 %) experienced problems due to ICT related security incidents at least once in 2018. (Figure 1)

Figure 1: ICT security in enterprises, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra) and (isoc_cisce_ic)

ICT security measures

As shown in Figure 2, 92 % of EU enterprises used at least one ICT security measure in 2019. The most common measure was keeping software or operating systems up to date (87 % of EU enterprises), followed by strong password authentication (76 %), data backup to a separate location or cloud (76 %) and network access control (65 %). Fewer than half of enterprises reported maintaining log files for analysis after security incidents (45 %) and using a Virtual Private Network (VPN) (42 %). Enterprises less frequently used encryption techniques for data, documents or e-mails (38 %), ICT security tests (35 %), ICT risk assessment (33 %) and user identification and authentication via biometric methods (10 %).

Figure 2: ICT security measures used by enterprises, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

Figure 3 provides a closer look at the most and least used ICT security measures by enterprise size. The ICT security measure “keeping the software or operating systems up-to-date” was used by almost all large (97 %) and medium sized (94 %) enterprises and by more than 8 in 10 small enterprises (85 %). Similar figures were reported for the second most popular ICT security measure, strong password authentication, which was used by 93 % of large enterprises, 85 % of medium sized enterprises and 74 % of small enterprises. Larger differences by enterprise size were observed in the share of enterprises using the least common ICT security measures. ICT risk assessment was used by 70 % of large enterprises, while the share of small enterprises using this particular measure was two and a half times smaller (28 %). Regardless of enterprise size, user identification and authentication via biometric methods was the least used ICT security measure, although the share of large enterprises using this measure (22 %) was almost three times higher than the figure recorded for small enterprises (8 %).

Figure 3: Most and least used ICT security measures by enterprise size, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

Documents on measures, practices or procedures on ICT security

As Figure 4 shows, 33 % of EU enterprises had documents on measures, practices or procedures on ICT security in 2019. More than a half of enterprises in Denmark (56 %), Ireland (54 %) and Sweden (52 %) reported having such documents, while shares higher than 40 % were registered also in Finland (44 %), Latvia (42 %), the Netherlands (42 %) and Croatia (41 %). On the other hand, less than 20 % of the enterprises had documents on measures, practices or procedures on ICT security in Bulgaria (18 %), Hungary (17 %), Romania (17 %) and Greece (15 %).

Figure 4: Enterprises with documents on measures, practices or procedures on ICT security, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

Almost one quarter of the enterprises (24 %) in the EU had defined or reviewed their documents on measures, practices or procedures on ICT security during the last 12 months. For 6 % this was the case between 12 and 24 months ago and for another 2 % more than 24 months ago (Figure 5). The majority of large enterprises (57 %) reported having defined or reviewed their documents on ICT security within the last 12 months, while for medium sized and small enterprises this share was significantly lower, at 38 % and 21 % respectively.

Figure 5: Enterprises having defined or reviewed their document(s) on measures, practices or procedures on ICT security, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

Enterprises make persons employed aware of their obligations in ICT security

In 2019, three out of five EU enterprises (61 %) made their employees aware of their obligations in ICT security related issues. Voluntary training or internally available information, for instance on the intranet, was the most common form used (42 % of enterprises), followed by contracts such as employment contracts (36 %) and by compulsory training courses or viewing compulsory material (22 %). As Figure 6 shows, the share of enterprises making persons employed aware of their obligations in ICT security by any measure was particularly high for large (90 %) and medium sized enterprises (77 %). Nevertheless, the majority of small enterprises (57 %) also reported making persons employed aware of their obligations in ICT security.

Figure 6: Enterprises making persons employed aware of their obligations in ICT security related issues, by size, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

Among all EU Member States, the percentage of enterprises making persons employed aware of their obligations in ICT security ranged from 76 % in both Czechia and Ireland, followed by Italy (73 %) and Denmark (70 %), down to 47 % in Croatia and 33 % in Greece. In 22 Member States, the share of enterprises that reported making persons employed aware of their obligations in ICT security related issues was higher than 50 % (Figure 7).

Figure 7: Enterprises making persons employed aware of their obligations in ICT security related issues by any measure, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

Enterprises carrying out ICT security related activities by own employees or external suppliers

In 2019, the majority of EU enterprises (65 %) reported that ICT security related activities were carried out by external suppliers, while 40 % of the enterprises reported that these activities were carried out by own employees (including those employed in parent or affiliate enterprises). As shown in Figure 8, the pattern of relying predominantly on external suppliers for ICT security related activities held for both small and medium sized enterprises. By contrast, a significant majority of large enterprises (83 %) reported that ICT security related activities were carried out by own employees.

Figure 8: ICT security related activities performed in enterprises by own employees and external suppliers, by size, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

A breakdown of who performs the ICT security related activities by the sector of economic activity of the enterprise provides a similar picture. In EU enterprises from almost all sectors, with the exception of information and communication, the ICT security related activities were carried out by external suppliers in 2019. By contrast, the majority of enterprises (83 %) in information and communication reported in 2019 that ICT security related activities were carried out by own employees (Figure 9).

Figure 9: Provider of the ICT security related activities in the enterprise by economic activity, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ra)

Problems due to ICT related security incidents

In 2018, one in eight EU enterprises (13 %) experienced problems due to ICT related security incidents at least once. The most commonly reported problem caused by ICT security incidents was unavailability of ICT services, for example due to hardware or software failures (excl. mechanical failure and theft), denial of service attacks or ransomware attacks, affecting 10 % of enterprises. It was followed by destruction or corruption of data due to infection with malicious software, hardware or software failures or unauthorised intrusion (6 % of enterprises). Less frequently, enterprises reported disclosure of confidential data (1 %), for instance due to intrusion, pharming or phishing attacks, or actions by own employees (intentional or unintentional). Large enterprises were more likely to be affected by problems due to ICT related incidents: 25 % of large enterprises experienced such problems during 2018, while this was the case for 18 % of medium sized and 12 % of small enterprises (Figure 10).

Figure 10: Enterprises experienced at least once problems due to an ICT related security incident, EU-27, 2018 (% enterprises)
Source: Eurostat (isoc_cisce_ic)

Considering the economic activity breakdown, as shown in Figure 11, during 2018, almost one fifth of the enterprises in information and communication experienced problems due to ICT security incidents, while in transport and storage this was the case for more than 1 in 10 enterprises. Among all sectors, the most common problems were related to unavailability of ICT services ranging from 16 % in information and communication to 8 % in transport and storage. The share of enterprises affected by destruction and corruption of data due to ICT security incidents was highest in professional, scientific and technical activities, in real estate activities and in the accommodation sector (all 7 %).

Figure 11: Enterprises experienced at least once problems due to an ICT related security incident by economic activity, EU-27, 2018 (% enterprises)
Source: Eurostat (isoc_cisce_ic)

Insurance against ICT security incidents

In 2019, 21 % of the enterprises in the EU reported having insurance against ICT security incidents. The highest share was recorded in Denmark, where more than half of the enterprises (56 %) were insured against ICT security incidents. Furthermore, at least one third of the enterprises in Ireland (39 %), France (39 %), Sweden (39 %) and Spain (33 %) reported having insurance against ICT security incidents. By contrast, in Lithuania, Hungary, Slovenia and Bulgaria less than 5 % of the enterprises reported having insurance against ICT security incidents in 2019 (Figure 12).

Figure 12: Enterprises having insurance against ICT security incidents, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ic)

As shown in Figure 13, the percentage of enterprises that reported being insured against ICT security incidents varied depending on the enterprise size. The share of medium sized enterprises with insurance against ICT security incidents (28 %) was 8 percentage points higher than that of small enterprises (20 %). The highest share of enterprises having insurance against ICT security incidents in 2019 was recorded for large enterprises (35 %), which could be partially explained by the fact that large enterprises were more likely to be affected by problems resulting from ICT security incidents.

Figure 13: Enterprises having insurance against ICT security incidents, by size, EU-27, 2019 (% enterprises)
Source: Eurostat (isoc_cisce_ic)

Data sources

Source: Data presented in this article are based on the results of the 2019 Community survey on 'ICT usage and e-commerce in enterprises'. Statistics were obtained from surveys in enterprises conducted by National Statistical Authorities in the first months of 2019.

Sample: In 2019, some 153 500 enterprises, with 10 or more persons employed, out of 1.48 million in EU-27 were surveyed. Out of these 1.48 million enterprises, approximately 83 % were enterprises with 10-49 persons employed, 14 % with 50-249 and 3 % with 250 or more.

Main concepts:

The observation statistical unit is the enterprise, as defined in the Regulation 696/1993 of 15 March 1993. The survey covered enterprises with at least 10 persons employed. Economic activities correspond to the classification NACE Revision 2. The sectors covered are manufacturing, electricity, gas and steam, water supply, construction, wholesale and retail trades, repair of motor vehicles and motorcycles, transportation and storage, accommodation and food service activities, information and communication, real estate, professional, scientific and technical activities, administrative and support activities and repair of computers and communication equipment. Enterprises are broken down by size; small (10-49), medium (50-249) and large enterprises (250 or more persons employed).

Context

In the context of the survey in enterprises, ICT security refers prominently to measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of data and ICT systems. The relevant statistics would be used in the context of the European Strategy for Cyber Security, which provides the overall strategic framework for the EU initiatives on cybersecurity and cybercrime. Trust and security were a key pillar of the Digital Single Market Strategy and are also an important element of a Europe fit for the digital age.

From the legislative point of view, on 7th December 2015, the European Parliament and the Council reached an agreement on the Commission’s proposed measures to increase online security in the EU. The Network and Information Security (NIS) Directive is the first piece of European legislation on cybersecurity that was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. NIS includes common provisions across the Union, addressing national capabilities and preparedness, EU-level cooperation, take up of risk management practices and an information sharing culture in NIS and notification of IT-incidents. Moreover, on 13th September 2017 the Commission adopted a cybersecurity package. The Cybersecurity Act, which has now entered into force, lay at the core of the package.

Database

ICT usage in enterprises (isoc_e)
ICT security (isoc_cisc)
Security policy: measures, risks and staff awareness (isoc_cisce_ra)
Security incidents and consequences (isoc_cisce_ic)