Undoubtedly, cybersecurity must be one of the main aspects companies must look after. It is important in any company, big or small, because the damage caused internally can be huge, especially in companies with limited resources, since malicious attacks could mean the end of the business. Therefore, today we take a look at the situation of Spanish SMEs to see how they can improve in this regard.
A company of any size must protect themselves from rising cyber attacks. This will require them to take a number of important steps and to make changes in the way they work, which can be cumbersome but is also strictly necessary.
Within this current scenario, companies do not stand alone in their fight against cybercrime, since they are increasingly supported by national agencies and also at continental level, by adopting new measures like new laws or creating specialized agencies.
From now on, we will dive into the current situation of Spanish SMEs in terms of cybersecurity. To do so, we will rely on the study conducted by Google, Panorama actual de la Ciberseguridad en España. Retos y oportunidades para el sector público y privado.
The Spanish Administration and cybersecurity
Governments and European entities are implementing measures to curb the rise in cybercrime, both through laws and by creating organizations specifically dedicated to this purpose.
According to Google, Spanish political parties are increasingly considering the issue of cyber security during their election campaigns, with most making clear proposals on the subject.
Beyond election promises, there is a clear European and Spanish legal framework on cybersecurity, based on of the following laws and directives:
- Regulation (EU) 2019/881: takes the first steps towards the creation of the European Union Agency for Cybersecurity (ENISA) and the certification standard for ICT cybersecurity within the European Union.
- Royal Decree-Law 12/2018, on network and information systems security.
- The National Cyber Security Strategy from 2019.
One of the main challenges that experts face when regulating cybersecurity is the fact that cyberattacks can come from anywhere in the world, a major obstacle in terms of legal jurisdiction. Furthermore, identifying the origin of most attacks is still extremely complex.
Concerning the main specialized cybersecurity bodies, we have:
- El Centro Criptológico Nacional del Centro Nacional de Inteligencia (CCN-CERT), in charge of the Public Sector.
- El Instituto Nacional de Ciberseguridad de España (INCIBE-CERT), focusing on individuals and companies
- El Centro Nacional de Protección de Infraestructuras y Ciberseguridad (CNPIC), focused on utility companies (e.g., electricity, water, gas, etc.)
- El mando Conjunto de Ciberdefensa (ESPDEF-CERT), aimed at the Spanish army systems.
Although each agency has certain defined competencies, their coordination is key towards achieving an adequate level of cybersecurity in the country.
Most common cyber attacks to Spanish SMEs
Changing trends in cyber attacks
There is a shift in the tendency of cyber-attacks, from targeting large companies and multinationals to targeting SMEs. This means that the nature of these attacks are also changing. These are now carried out on a mass scale and have less technical complexity, since SMEs tend to have lower levels of readiness to face them.
Besides, fewer and fewer hackers are launching cyber attacks just for fun, as most of them are looking for a way to make money out of it. Another important aspect to highlight is that most cyber attacks require user interaction, so criminals take advantage of their limited knowledge or lack of skills in cybersecurity.
Regarding SMEs, most attacks are related to:
- System hijacking.
- Information leakage and cyber-scams.
What economic impacts do cyber attacks have on small businesses?
A cyber attack can cost around 75,000 euros on average. Nationwide, these amounted to 14 billion euros in losses, including big companies and SMEs.
For SMEs, the average cost of a cyber attack is 35,000 euros, which means that 60% of these businesses are shut down within 6 months. Nevertheless, cyber attacks are not just financial losses, they also lead to a decline in the company’s prestige, becoming more vulnerable in the eyes of customers and in the business environment.
Level of cyber security in Spanish SMEs
Throughout this report, some studies are used to find out the level of cyber security in Spanish SMEs, for example the American technology consultant BitSight, which states that Spanish companies are below the European average level in terms of cybersecurity measures. Information is also collected from “The Vodafone Cyber Ready Barometer 2018“, which describes Spain as “reactive” in cybersecurity, although there is much room for improvement.
Although these conclusions are useful for getting an overview of the level of digital security in Spanish society, they were not helpful for studying the SMEs, so a survey was carried out with 720 companies.
From these companies, the main protection measures they took against cyber attacks were
- Two-factor authentication.
- https protocol.
- Device update.
- Password change.
- SSL certificate (e-commerce).
- Two-factor authentication system for payments (e-commerce).
- Cloud storage.
A major area for improvement is the need for concrete rules on cybersecurity, as well as a specific policy, with well defined protocols for action.
How do workers behave when it comes to cybersecurity
We have previously talked about the need for involuntary collaboration by employees for a cyberattack to be successful. Therefore, we will need to analyse how they act against possible threats or determine their level of readiness.
The Google SME survey mentioned above draws the following conclusions:
- 30% of IT managers believe that workers are well aware.
- 60% of SMEs restrict access to sensitive information
- In the case of teleworking, in 48% use remote desktops and 44% use cloud technology.
- There is a clear lack of cyber security training for workers.
- As a result of these training gaps, many people would not know how to deal with an incident.
Digital signature and cyber security in SMEs
Once analysed the panorama of Spanish SMEs in terms of cybersecurity, it is clearly necessary to adopt measures to strengthen their protection level against digital threats.
It also helps to prevent fraudulent documents, since it’s extremely difficult to forge given its complex cryptographic procedure. Besides preventing identity theft, digital signatures protect users from any document alteration after being signed, providing undeniable evidence that will allow to revoke them if necessary. In this way, for example, changing the terms of a contract or agreement will be impossible once esigned, so we will never be affected if someone tries to do so.
Furthermore, it allows the use of cloud technology for its safekeeping, including digital certificates which are sometimes required. This will allow strong authentication measures for access, the so-called strong authentication.
In short, we are facing a situation in which small and medium-sized Spanish companies must be careful with regard to their own cybersecurity. This is an area in which they still have a lot of room for improvement. We hope that this development will speed up as a result of the current health crisis, which has led to an increase in cyber-attacks to levels that are still hard to quantify.
At Viafirma we offer 100% secure esignature and authentication solutions for SMEs, covering most of their cyber security needs while fully adapting to their requirements and processes.