In 2019, 93% of EU enterprises with 10 or more employees used at least one ICT security measure, control or procedure in order to ensure integrity, authenticity, availability and confidentiality of data.
One in three enterprises (34%) reported having documents on measures, practices or procedures on ICT security, according to Eurostat.
Some 62% of enterprises made staff aware of their obligations in ICT security-related issues. One in four enterprises (24%) was insured against ICT security incidents.
One in eight enterprises (12%) at least once experienced problems due to ICT related security incidents in 2018.
Almost all large enterprises used at least one ICT measure (99% employing 250 persons or more), whilst this share was slightly smaller for medium (97% of enterprises employing 50 to 249) and small enterprises (92% employing 10 to 49 persons).
A wider spread is observed among enterprises for having documents on measures, practices or procedures on ICT security, from 76% for large, through 54% for medium to 30% for small enterprises.
The vast majority (91%) of large enterprises made their employees aware of their obligations in ICT security-related issues, while 78% of medium and 58% of small enterprises did so in 2019.
Overall, large enterprises were more likely to experience problems due to ICT related security incidents, as almost a quarter (23%) experienced at least once problems due to such incidents in 2018, compared with one in six medium enterprises (17%) and one in ten small enterprises (11%).
In 2019, 40% of large, 33% of medium and 22% of small enterprises reported being insured against ICT security incidents.
In 2019, the most common ICT security measure used by EU enterprises was keeping their software or operating systems up-to-date (87%), followed by strong password authentication (77%), data backup to a separate location or cloud (76%) and network access control (64%).
Less than half of enterprises reported maintaining log files for analysis after security incidents (45%) and use of Virtual Private Network (VPN, 42%).
Enterprises less frequently used encryption techniques for data, documents or e-mails (38%), ICT security tests (36%), ICT risk assessment (34%) and user identification and authentication via biometric methods (10%).
Almost two-thirds of enterprises (62%) made their employees aware of their obligations in ICT security-related issues.
Voluntary training or internally available information for instance on the intranet was the most common form used (44% of enterprises), followed by contracts such as employment contracts (37%) and by compulsory training courses or viewing compulsory material (24%).
In 2018, one in eight enterprises (12%) experienced at least once problems due to ICT related security incidents.
The most commonly reported problem caused by ICT security incidents was unavailability of ICT services, such as hardware or software failures (excl. mechanical failure and theft), denial of service attacks, ransomware attacks, affecting 9% of enterprises.
It was followed by destruction or corruption of data due to infection with malicious software, hardware or software failures or unauthorised intrusion (5%) and less frequently enterprises (1%) reported disclosure of confidential data for instance due to intrusion, pharming or phishing attack.