ICT security in enterprises
From Statistics Explained
- Data from February 2011. Most recent data: Further Eurostat information, Main tables and Database.
This article analyses recent statistical data on information and communication technologies (ICT) security in the European Union (EU). Results were obtained through a specific set of questions in the 2010 questionnaire of the Community survey on ICT usage and e-commerce in enterprises. In this context, ICT security refers to relevant incidents as well as measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of their data and ICT systems.
Main statistical findings
In January 2010, 27 % of enterprises in the EU-27 had a formally defined ICT security policy with a plan for regular review; the corresponding shares in Sweden, Norway and Denmark were over 40 %.
The highest percentage of enterprises with a formally defined ICT security policy addressing the risks of destruction or corruption of data due to an attack or some other unexpected incident was reported in Norway (42 %).
Voluntary training or use of generally available information was the approach most commonly reported by enterprises for making their staff aware of their obligations in relation to ICT security. The highest proportions of enterprises which have adopted this approach were registered in Cyprus and Finland with 77 % and 74 % respectively.
In the majority of EU-27 Member States, the disclosure of confidential data due to intrusion, pharming or phishing attacks was reported by 1 % or less of enterprises in 2009.
In January 2010, the use of strong password authentication was the most commonly reported procedure used by enterprises for internal ICT security, with the highest share registered in Italy (64 %).
By enterprise size, sector and country
The share of large enterprises that had a formally defined ICT security policy was three times the share of small ones.
The existence of an ICT security policy in an enterprise means that the enterprise is aware of the importance of its ICT and the related risks. The survey focus was on policies which were actually applied, hence regularly reviewed and accordingly adapted. In January 2010, almost three out of ten enterprises in the EU-27 had a formally defined ICT security policy with a plan for regular review.
Figure 1 shows that the share of large enterprises that had a formally defined ICT security policy was three times the share of small ones. The highest proportion of enterprises having such a policy (52 %) in the EU-27 was reported within the sector Information and communication activities (Figure 2). The lowest proportions (less than one out of four enterprises) were registered in the sectors Transportation and storage, Construction, and Accommodation and food service activities.
As Figure 3 shows, in January 2010, the highest proportions of enterprises having a formally defined ICT security policy with a plan for regular review were registered in Sweden and Norway (both 46 %) followed by Denmark (43 %). In more than half of the countries, Information and communication activities had the highest percentages of enterprises with an ICT security policy. The lowest percentage for enterprises with such a policy was reported in Accommodation and Food service activities in a majority of the countries. Less than 10 % of the enterprises in Romania, Hungary and Bulgaria reported that they had a formally defined ICT security policy. It should be noted that unreliable data for specific economic activities (highest/lowest) are not shown in Figure 3 but are included in the totals (EU-27 and All economic activities aggregates) of Figures 2 and 3.
Types of risks
The risk of destruction or corruption of data due to an attack or some other unexpected incident is the risk most commonly addressed by enterprises' ICT security policies.
The three types of risks addressed by enterprises having a formally defined ICT security policy with a plan for regular review correspond essentially to the core elements of the ICT security definition, i.e. integrity, confidentiality and availability of data and systems.
In January 2010, the highest percentage of enterprises which addressed the Type 1 risk (destruction or corruption of data due to an attack or some other unexpected incident) was reported in Norway (42 %), followed by Denmark, Greece and Sweden (38 % each).
Similarly, 37 % of enterprises in Norway had a formally defined ICT security policy which addressed the Type 2 risk, followed by Sweden and Slovakia with 35 % and 34 % respectively.
Slovakia reported the highest percentage of enterprises (35 %) which addressed the risk of unavailability of ICT services due to an attack from outside (Type 3).
Additionally, as Figure 4 shows, Slovakia reported the highest percentage of enterprises (34 %) having a formally defined ICT security policy which addressed all three types of risks, followed by Norway and Denmark with 30 % and 29 % respectively.
Approaches to risks
Voluntary training or use of generally available information was the approach reported by most of the enterprises to make staff aware of their ICT-related security obligations.
Enterprises adopt various approaches to raising awareness of their ICT security policy and the relevant risks. The three approaches covered by the survey differ in how binding they are for the staff concerned, from compulsory to purely voluntary.
In January 2010, the approach most commonly reported by enterprises for making their staff aware of their obligations in relation to ICT security was voluntary training or generally available information (approach 3).
As Figure 5 shows, the highest proportions of enterprises adopting this approach were registered in Cyprus and Finland with 77 % and 74 % respectively.
The second most commonly reported approach for making staff aware of their obligations in relation to ICT security was through contractual agreements, e.g. contracts of employment (approach 2). The share of enterprises reporting this approach was highest in Norway and Ireland, with more than 4 out of 10 enterprises.
Italy reported the highest percentage of enterprises (39 %) which adopted compulsory training or presentations (approach 1) followed by Norway and Slovakia with 37 % and 33 % respectively.
Almost two thirds of EU Member States reported a higher percentage of enterprises having used at least one of the approaches than the EU-27 average (48 %). Moreover, Cyprus (84 %) and Finland (80 %) reported the highest proportions of enterprises that had adopted at least one of the three specific approaches.
Figure 6 shows that approaches 3 and 2 are most commonly adopted by enterprises in the EU-27 in the sector Information and communication (58 % and 51 % respectively) followed by those in Professional and scientific activities (48 % and 42 % respectively).
Compulsory training and presentations (approach 1) was recorded mostly by enterprises in Repair of computers and communication equipment (39 %) and in Information and communication (35 %) activities.
In 2009, three out of 20 enterprises experienced an ICT-related security incident
ICT-related security incidents concern the core elements of information security: the integrity, confidentiality and availability of data and IT systems.
In 2009, as Figure 7 shows, the incidents most commonly reported by enterprises were those resulting in unavailability of ICT services, destruction or corruption of data due to hardware or software failures (type 1), with shares above 20 % registered in Cyprus, Portugal and Finland (26 % each), Denmark (24 %), Greece (23 %), the Czech Republic (22 %) and Slovakia (20 %).
In 2009, the highest proportion of enterprises reporting ICT incidents resulting in the destruction or corruption of data due to malicious software infection or unauthorised access (type 3) was registered in Slovakia (16 %), Portugal (14 %), Spain (11 %) and Greece (10 %).
The share of enterprises reporting unavailability of ICT services due to an attack from outside (type 2) was highest in Slovakia (11 %) and the Netherlands (7 %). In the majority of EU Member States, the disclosure of confidential data due to intrusion, pharming or phishing attacks was reported by 1 % or less of enterprises in 2009.
Internal security procedures
Offsite data backup and strong password authentication were the most common internal security procedures applied.
Identification refers to the ability to identify and distinguish between individual users. User identification is considered common practice in enterprises and is usually complemented by authentication procedures. In general, identification and authentication of users are part of the authorisation process. Authorisation defines access and usage rights related to specific information or services.
In January 2010, strong password authentication was the most commonly reported procedure used for internal ICT security, with the highest shares registered in Italy (64 %), Ireland (63 %) and Spain (61 %).
As Figure 8 shows, among all countries, the highest proportions of enterprises reporting the use of hardware tokens for user identification and authentication were registered in Croatia (49 %) and Slovenia (48 %).
At the same time, Italy (66 %), Ireland and Slovenia (both 64 %) reported the highest proportions of enterprises that had used at least one of these internal ICT security facilities.
Offsite data backup is part of a data protection strategy: critical data are sent from the main site to another location, either on removable storage media (e.g. magnetic tape or external hard disks) or electronically via remote backup services.
As Figure 9 shows, the highest proportions of enterprises using offsite backup among all countries were registered in Denmark and Norway (both 76 %), followed by Iceland (73 %) and Sweden (69 %).
One out of four enterprises in the EU-27 had used logging activities for analyses of security incidents, with the highest proportions of enterprises registered in Finland, Norway (both 47 %), Sweden (42 %) and Belgium (40 %).
Data sources and availability
Data presented in this publication are based on the results of the 2010 Community survey on ‘ICT usage and eCommerce in enterprises’. Statistics were obtained from enterprise surveys conducted by national statistical authorities in 2010. The surveys' reference period was January 2010 or for some questions the year 2009.
In 2010, 149 900 enterprises out of 1.6 million in the EU-27 were surveyed.
A colon (":") in the tables denotes data that are not available, unreliable or confidential. Unreliable data are nevertheless included in the calculation of European aggregates.
Main concepts: The statistical unit of observation is the enterprise, as defined in Regulation 696/1993 of 15 March 1993. The survey covered enterprises with at least 10 persons employed.
Economic activities correspond to the classification NACE Revision 2. The sectors covered are manufacturing, electricity, gas and steam, water supply, construction, wholesale and retail trades, repair of motor vehicles and motorcycles, transportation and storage, accommodation and food service activities, information and communication, real estate, professional, scientific and technical activities, administrative and support activities and repair of computers and communication equipment. Enterprises are broken down by size: small (10-49), medium (50-249) and large enterprises (250 or more persons employed).
ICT-related security incidents affect the ICT system of an enterprise and may cause different problems. The following security incidents were covered in the survey:
- Unavailability of ICT services, destruction or corruption of data due to hardware or software failures refers to loss of availability or data integrity caused by hardware failures (e.g. crashes of servers or hard disks) or by software failures (e.g. server crashes after erroneous updates).
- Unavailability of ICT services due to attack from outside refers to attempts from outside to make an information system resource unavailable to its intended users. One aim of these attacks is to prevent an internet site or service from functioning efficiently, e.g. websites of banks, credit card payment gateways.
- Destruction or corruption of data due to malicious software infection or unauthorised access.
- Disclosure of confidential data due to intrusion, pharming, phishing attacks refers to an attempt to get confidential information on persons, staff or clients, intellectual property or other confidential information. Intrusion is an attempt to bypass security controls on an information system by viruses, worms, Trojan horses etc. Phishing is a criminally fraudulent attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Pharming is an attack which redirects the traffic of a website to another, bogus website in order to acquire sensitive information.
User identification refers to the ability to identify and distinguish between individual users.
Authentication means to assure the identity of a certain user. Authentication and identification of users are applied in the context of authorisation, to define access and usage rights related to specific information or services. Authentication can be done with the help of passwords, or with additional devices, such as smart cards, hardware tokens or identity cards.
Strong password authentication means a minimum length of 8 mixed characters, a maximum duration of 6 months, encrypted transmission and storage.
A hardware token is a physical device that authorises the access of the owner of the token to a computer or a network. Hardware tokens provide an extra level of assurance in addition to the personal identification number (PIN), which authorises users as the owner of that particular device; the device generates a number which uniquely identifies the user to the service, and allows logging in.
Additionally, an enterprise's ICT security information system may include the logging of applications or user activities. The logs can be used for analysis in case of security incidents in order to take appropriate action to prevent these kinds of incidents in future or to quantify any damage.
Intrusion detection is a process with the purpose of detecting intrusions or attempts of intrusion into a computer or network to compromise confidentiality, integrity or availability by observation of system, application and user activity as well as network traffic.
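The strong-password criteria defined above (at least 8 mixed characters, a maximum duration of 6 months, protected storage) are easy to state but often checked loosely in practice. The following is an added example, not Eurostat code, that turns that definition into an enforceable check; it assumes "mixed" means at least three of four character classes, reads "6 months" as 182 days, and uses salted PBKDF2 hashing as the storage protection (encrypted transmission is left to TLS and not shown).

```python
"""Added example: enforce the survey's strong-password definition.
Assumptions (not from the article): "mixed characters" = at least three
of the four classes below; "6 months" = 182 days; storage protection
implemented as salted PBKDF2-HMAC-SHA256 rather than reversible encryption."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                   # from the article's definition
MAX_AGE = timedelta(days=182)    # assumption: "6 months" taken as 182 days
PBKDF2_ROUNDS = 200_000          # assumption: work factor for the stored digest


def check_password_policy(password: str, last_changed: str, today: str) -> List[str]:
    """Return the rules the password breaks (empty list = compliant).
    Dates are ISO strings, e.g. "2010-01-15"."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("not mixed: fewer than three character classes")
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age > MAX_AGE:
        problems.append("older than the 6-month maximum duration")
    return problems


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Protected storage: keep only a random salt and a slow keyed digest,
    never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time so that timing
    does not reveal how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

The age check is what distinguishes a password policy from a mere complexity rule: a compliant password that was set more than 6 months ago still fails the survey's definition.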
Information and communication technologies (ICT) have been one of the main drivers of changes within European Union society and businesses for more than a decade. Statistics on the resulting 'information society' monitor three aspects:
- the completion of a single European information space;
- innovation and investment in ICT research;
- achieving an inclusive European information society.
These aspects correspond with the main aims of i2010 – a European Information Society for growth and employment. This is a strategic framework for the information society and a key element of the renewed Lisbon Strategy, and it offers a comprehensive strategy for the ICT and media sector.
Further Eurostat information
- ICT security in enterprises, 2010 - Statistics in focus 7/2011
- Information Society, see:
- Information society statistics (t_isoc)
- Computers and the Internet in households and enterprises (t_isoc_ci)
- Information Society, see:
- Computers and the Internet in households and enterprises (isoc_ci)
- Special module 2010: Internet Security (isoc_ci_sc)
- Enterprises - ICT security policy, incidents and measures taken (isoc_ci_sce)
Methodology / Metadata
- Computers and the Internet in households and enterprises (ESMS metadata file - isoc_ci_esms)
- Regulation 696/93 of 15 March 1993 on the statistical units for the observation and analysis of the production system in the Community