Cybersecurity Monitor 2022Cybersecurity Monitor 2022: an increase in measures, a decrease in incidents, but still plenty of work to do
The Central Bureau of Statistics (CBS) released 4 augustes the Cybersecurity Monitor for the sixth year in a row. This publication is made partly at the request of the Ministry of Economic Affairs and Climate (EZK). This report provides insight into the current state of cyber resilience of companies and households in the Netherlands. Below, the Digital Trust Center zooms in on a selection of the most important findings for Dutch businesses. CBS surveyed companies of different sizes and self-employed people from five industries. The industries are healthcare, financial services, hospitality, ICT and manufacturing.
Overview of cybersecurity measures taken
(Large) companies are taking more measures against cyber threats
The published data on ICT security measures taken by industry show a positive picture. In general, a positive trend can be detected on each measure. However, it is clear that each measure measured separately is taken more often by large than by small companies (see figure below).
These differences are relatively small when using antivirus software, but become larger when using a 'more complicated' measure such as using VPN. Less than 30% of companies with 2 to 10 employees use VPN compared to 84% of companies with 250 or more employees in 2021. For all companies, it can be seen that logging in using 2FA is becoming more common. Medium-sized companies in particular are catching up there. In 2016, 29% of medium-sized companies used 2FA. This will increase to 62% by 2021.
Security measures by industry
Looking at the ICT security measures taken by industry, it can be seen that especially companies that are more involved in ICT (ICT sector), or companies that have a high stake in their data (Healthcare) score better than sectors where cybersecurity may be slightly less obvious, such as in the hospitality sector.
Overview of cybersecurity incidents
CBS distinguishes two forms of ICT security incidents: self-inflicted incidents (think of a malfunction or a data disclosure due to unintentional actions of own staff) and incidents resulting from an external attack (think of DDoS or phishing attacks).
Number of companies with cyber incidents decreases
The figures below show a decrease in the total number of ICT security incidents, both internal and external. This figure also shows that not all incidents involve costs; this is true for only half of all incidents.
Large companies have more frequent incidents than small companies
Large companies consistently have more incidents than small companies over the years. This applies to both internal and external incidents. A factor in this is that larger companies often have a larger and more complex IT infrastructure. This increases the likelihood of incidents caused by internal actions. In addition, large companies employ ICT specialists more often, which increases the chances of detecting cybersecurity incidents.
In this edition of the cybersecurity monitor, ransomware attacks were surveyed for the first time. For the year 2021, it shows that there were a total of 6,300 ransomware attacks on businesses (see figure below). Of these, 4,000 were among self-employed people. In percentage terms, large companies did suffer more frequently from ransomware (4% compared to 0.3% of self-employed workers).
On average, 11% of companies with 2 or more employees paid ransom. In about half of the cases, the ransom amounted to more than 50% of the turnover. This figure is mainly explained by small businesses, (read our article about cyberseucirty and revenue goals) which have a relatively low turnover. The impact of paying a ransom is high for these companies, especially when you take into account that paying a ransom does not always lead to the decryption of the company's data.