While the risk of cyber attacks is growing, most European companies are still unprepared and unaware of the risk. This was highlighted in a recent study commissioned by the European Economic and Social Committee. Small and medium-sized companies (SMEs) are the most exposed, as they often cannot afford to invest adequately in cybersecurity. The level of investment in cybersecurity overall is insufficient. Most businesses do not realise its importance until after experiencing a security breach.
The risk is more common than might be thought. According to the Global State of Information Security Survey, four out of five companies have experienced at least one cybersecurity incident over the past year. Finance, healthcare, retail, business services and information technology remain the sectors that are most often targeted by cyber-criminals. Almost 70% of European companies do not understand the extent of their exposure to cyber risks.
Cybersecurity remains underfunded
Neither individual Member States nor private enterprises seem to be backing up their cybersecurity with appropriate resources. There is a visible gap between EU countries in terms of knowledge, awareness and capacity to deal with cybersecurity. Estonia, France and the United Kingdom lead by example.
Moreover, an increasing shortage of ICT specialists is making it even more difficult to enhance cybersecurity levels. According to the study, by 2020 there will be over 750 000 vacancies for ICT experts.
Bottlenecks in public and private policies
Even though the European Union has launched numerous initiatives to improve cyber resilience and response, a fragmented regulatory environment remains one of the main obstacles to enhancing cybersecurity at EU level. The authors of the study list other challenges, such as discrepancies in threat intelligence sharing policies, an absence of coordinated vulnerability disclosure (CVD) at EU level and a lack of trust when it comes to sharing information between the public and private sectors.
The study also points out the challenges associated with implementing the General Data Protection Regulation (GDPR). Companies were not sufficiently aware of and prepared for the GDPR entering into force, and lack the know-how and systems to fulfil its requirements. As a result, companies are concerned that non-compliance and subsequent penalties incorporated into the GDPR could have a negative impact on businesses.
The study also presents a number of good practices for improving the cybersecurity of the private sector, such as public-private partnerships and 'cyber communities' that bring different stakeholders together.
The study was conducted by the Hague Centre for Strategic Studies at the request of the Employers' Group of the European Economic and Social Committee. The document can be downloaded under the following link.