
David against the cyber giant. Thesis on cybersecurity within Dutch SME's


Academic year: 2021


David against the cyber giant

Thesis on cybersecurity within Dutch SMEs

Name: Rex van der Plas

Student no.: S1025708

Supervisors: Prof. dr. B. van den Berg & Z. Homburger

Second reader: Dr. Ir. V. Niculescu-Dinca

Email: rex_v_d_plas@hotmail.com

Word count: 15.349

1 Executive summary

Small and medium-sized enterprises (SMEs) play a vital role in the Dutch economy, as they contribute the majority of added value and employment (Mallens, 2018; Nederlands Comité voor Ondernemerschap, 2017). Cyber incidents are an increasing threat to SMEs, as they can disrupt and damage the operation of any organisation.

There is little academic literature on cybersecurity in smaller organisations (Osborn & Simpson, 2017). This thesis contributes to the dialogue on cybersecurity threats by exploring which cybersecurity threats Dutch SMEs face and how they deal with their cybersecurity. It is an exploratory study that uses an online survey combined with qualitative semi-structured interviews to answer the research question: What cybersecurity threats do Dutch SMEs face and how do they intend to mitigate these cybersecurity threats?

The Dutch National Coordinator for Counterterrorism and Safety (NCTV) established a threat matrix of which five cybersecurity threats were included in the survey to establish experience, mitigation rates, threat perception, knowledge, and availability of resources for mitigation of these cybersecurity threats.

This study found that 59 per cent of SMEs experience cybersecurity threats. Most of the threats experienced by SMEs are unintentional threats caused by human, technical, or natural failure, in contrast to intentional threats that are executed by an attacker. While studying SMEs of different sizes, it was found that smaller SMEs report fewer cyber incidents and have a lower availability of resources to mitigate cybersecurity threats.

The study shows that 77 percent of the SMEs in the survey implemented mitigations against cybersecurity threats and a majority of 71 percent of the SMEs mitigated three or more of the cybersecurity threats. The mitigation measures mentioned in the interview were a mix of deterrent, preventive and detection measures.

Three mitigation strategies against the cybersecurity threats were identified. A purely proactive mitigation strategy was implemented by 20 per cent of the SMEs. 57 per cent of the SMEs implemented a mitigation strategy that combined reactive as well as proactive mitigations, and the remaining 23 per cent of the SMEs had no mitigation strategy.

The study also investigated how the perception of cybersecurity threats influenced mitigation rates by SMEs. It was indicated that as the perceived severity of a threat increases, it becomes more likely that an SME will mitigate the cybersecurity threat. An increase in threat perception was shown when SMEs had experienced the cybersecurity threat before and/or had knowledge of the cybersecurity threat. A higher threat perception leads to higher mitigation rates. This study recommends developing programs that focus on the impact of cybersecurity threats, as these raise the threat perception.

INDEX

1 EXECUTIVE SUMMARY
2 INTRODUCTION
3 THEORETICAL FRAMEWORK
3.1 CYBERSECURITY
3.2 CYBERSECURITY THREATS
3.3 MITIGATING AGAINST CYBERSECURITY THREATS
3.4 DOES ORGANISATIONAL SIZE INFLUENCE RESPONSE TO CYBERSECURITY THREATS?
4 DESIGN AND METHODOLOGY
4.1 RESEARCH OBJECTIVES
4.2 METHODOLOGY
4.2.1 Sample selection
4.2.2 Validity and limitations of the research
5 RESULTS
5.1 DESCRIPTION OF THE SAMPLE POPULATION
5.2 CYBERSECURITY THREATS TO DUTCH SMES
5.3 MITIGATION OF CYBERSECURITY THREATS BY DUTCH SMES
5.3.1 Strategies for mitigation of cybersecurity threats
5.3.2 Mitigation of cybersecurity threats
5.4 MITIGATION MEASURES
5.4.1 Enhancement of cybersecurity mitigation rates
5.5 CYBERSECURITY FOR SMES OF DIFFERENT SIZES
5.5.1 Cybersecurity threat experience for SMEs of different size
5.5.2 Mitigation rates of cybersecurity threat by SMEs of different size
5.5.3 The availability of resources for SMEs of different size
5.5.4 Threat Perception of SME of different size
5.5.5 Strategy and types of solutions implemented by SMEs of different size
6 CONCLUSIONS
6.1 CYBERSECURITY THREATS TO DUTCH SMES
6.2 MITIGATION OF CYBERSECURITY THREATS BY DUTCH SMES
6.3 CYBERSECURITY FOR SMES OF DIFFERENT SIZE
6.4 FURTHER RESEARCH AND SOCIETAL LESSONS
7 REFERENCES
8 APPENDIXES
8.1 APPENDIX A: FIGURES
8.2 APPENDIX B: SURVEY

2 Introduction

Societies are increasingly dependent on ICT systems to function (Hubbard & Seiersen, 2016). Consequently, today's organisations and individuals are more exposed to cybersecurity threats (Choo, 2011; NCTV, 2018). Phishing, ransomware, hacking and other cyberattacks are increasingly part of news bulletins, showing increased media attention (Google Trends, 2018). In April 2018 Minister Grapperhaus of Justice and Safety stated in the Telegraaf, one of the Dutch newspapers, that cyberattacks are predominately directed against businesses (NU.nl, 2018). The heightened media attention demonstrates the relevance of cybersecurity threats. The increasing ICT footprint of enterprises results in a higher cybersecurity risk for enterprises (Sangani & Vijayakumar, 2012), because larger ICT systems have more potential points at which an attacker can enter the system of a company. It is becoming more important for enterprises to secure their ICT systems. Taking cybersecurity mitigation measures helps to secure business continuity, but how to obtain a sufficient level of cybersecurity is a hot topic in the Netherlands. The Dutch National Coordinator for Counterterrorism and Safety (NCTV) is the government body responsible for cybersecurity in the Netherlands. The NCTV defines cybersecurity as:

“Cybersecurity is the entirety of measures to prevent damage caused by disruption, outage or misuse of IT and repair should it occur. This damage could comprise impairing the availability, confidentiality or integrity of information systems and information services and information stored on them.”

Quote 1: (NCTV, 2018)

Cybersecurity also receives attention in the academic literature, but the main focus is on the bigger players like banks and other large enterprises (Osborn & Simpson, 2017). This imbalance in attention is remarkable, as smaller organisations also suffer from cybersecurity threats. A better understanding of how smaller organisations deal with cybersecurity threats is a relevant field for further research.

In the Netherlands, a large group of smaller organisations are the Dutch Small and Medium-sized Enterprises (SMEs), which make up 99,8 per cent of all businesses in the Netherlands. SMEs are responsible for 71 per cent of jobs and 62 per cent of the added economic value in the Netherlands, see Figure 1 (Nederlands Comité voor Ondernemerschap, 2017). Proper and continuous operation of SMEs is therefore vital for the Dutch economy.

Figure 1: Share of SMEs in the Dutch economy (Ondernemerschap, 2018)

The Dutch SME federation uses the definition of the European Commission to define SMEs. The European Commission defined three criteria to determine if a company is considered an SME. First, an SME has fewer than 250 employees. Secondly, an SME has annual revenue of less than 50 million euro, and thirdly, an SME has a balance sheet of less than 43 million euro (MKB Servicedesk, 2018). When a company meets two of the three criteria, it is considered an SME (European Commission, 2015). This thesis will use this definition for SMEs as this is the standard in the European Union.

This thesis investigates the cybersecurity threats Dutch SMEs face and how SMEs of different sizes deal with these cybersecurity threats. A better understanding of how Dutch SMEs deal with cybersecurity threats to prevent disruption of this important economic force is beneficial for Dutch society, and this study will provide enhanced insights for academia on cybersecurity in SMEs of different size.

[Figure 1 values (SMEs / other enterprises): percentage of total enterprises 99,8% / 0,2%; percentage of total added value 62% / 38%; percentage of total employment 71% / 29%]

Scientific and Societal relevance

There is room for research into cybersecurity for SMEs, as academic research has mainly focused on cybersecurity in large organisations (Osborn & Simpson, 2017). It is relevant to investigate SMEs, as some articles show that smaller organisations, like SMEs, face different hurdles compared to large-scale organisations when it comes to dealing with cybersecurity issues (Briney & Prince, 2002; Kurpjuhn, 2015; Osborn & Simpson, 2017; Sangani & Vijayakumar, 2012). This thesis is relevant to academia because it contributes to a better understanding of the cybersecurity threats faced by Dutch SMEs and how SMEs of different sizes deal with their cybersecurity.

The societal relevance of this research is underlined by the conclusion of the NCTV that Dutch organisations are not taking the measures needed to provide a basic level of cybersecurity (NCTV, 2018). The Dutch government has focused on awareness programs, like the Alertonline program that informs Dutch citizens about the need to take measures to protect themselves and the organisations they work for against cybersecurity threats (Çeta & Konings, 2017). An academic understanding of how SMEs implement cybersecurity measures can help society and the government to develop programmes and policies to ensure that SMEs are more capable in dealing with cybersecurity.

To achieve the objectives of this thesis a theoretical framework will be sketched out in the next chapter, followed by a chapter in which the research methodology will be explained and research questions will be formulated. In the last two chapters the research findings will be given and discussed.


3 Theoretical framework

In this chapter a theoretical framework is provided for this thesis. First it is investigated how cybersecurity can be defined. Next, threats to cybersecurity are discussed in general and for Dutch SMEs specifically. Thereafter this chapter investigates what is known about the effects of organisational size and how this can be relevant to understand how Dutch SMEs deal with their cybersecurity.

3.1 Cybersecurity

Wolfers (1952) argued that security is the absence of threats to acquired values. Although many authors, like Baldwin (1997), have added upon Wolfers' definition, the link between security and threats is one that is still used. A threat is a potential occurrence that can result in an undesirable outcome. This includes intentional attacks by criminals or other attackers and unintentional natural occurrences such as floods or earthquakes, and accidental acts by employees (Stewart, Chapple, & Gibson, 2015). To understand what cybersecurity is, it is necessary to define the acquired values that need to be secured.

A starting point is the CIA triad, which is based on the principles of Confidentiality, Integrity and Availability. The CIA triad is the basis for information security, the security of storage and processing of information. Confidentiality means that only authorised people can access or read specific information. Integrity means that only people who are authorised should be able to use and amend systems and data. Availability means that an authorised person should always have access to their system and data (Stewart et al., 2015).

The CIA triad focuses on the data that needs to be secured, irrespective of the technology used. Von Solms and van Niekerk (2013) argue that cybersecurity does not only include the security of data that is stored or transmitted using ICT, but also includes the non-information assets that are vulnerable to threats. The difference and overlap of cybersecurity and information security are shown in Figure 2.

Figure 2: The relationship between information security, information and communication security and cybersecurity (von Solms & van Niekerk, 2013)

Using Wolfers’ concept of security, cybersecurity can be defined as the absence of threats to the value of a secure ICT network that combines the security of the information stored on the system and processed by the system with the physical integrity and availability of the system (Stewart et al., 2015). The definition that is used in this thesis comes from the NCTV and combines both the CIA and ICT asset security definitions to define cybersecurity:

“Cybersecurity is the entirety of measures to prevent damage caused by disruption, outage or misuse of IT and repair it should it occur. This damage could comprise impairing the availability, confidentiality or integrity of information systems and information services and information stored on them.”

Quote 2: (NCTV, 2018)

This definition is used because it has an academic similarity with the discussed theory, and because it is the definition used by the Dutch government and the Dutch SME association (Mallens, 2015, 2018; NCTV, 2018). Using this definition ensures that the group under study and the research work with the same definition.

3.2 Cybersecurity threats

The cybersecurity threats Dutch SMEs currently face are discussed in this paragraph. As mentioned in the previous paragraph, a cybersecurity threat is defined using the definition of the NCTV. A cybersecurity threat is a potential incident that disrupts, misuses or exploits a malfunction of information, information systems or information services (NCTV, 2018). Cybersecurity threats compromise one or more of the CIA principles and/or are a physical threat to the physical ICT system.

Cybersecurity is a very dynamic field: ICT technologies evolve rapidly, cybersecurity attack methods change regularly, and threat actors change attack tactics and become more and more sophisticated. There are many types of cybersecurity threats (Choo, 2011). Defining a specific set of threats relevant to this study is therefore hard.

A starting point in the Netherlands is the annual status report on cybersecurity of the NCTV called “Cybersecuritybeeld Nederland” (CSBN). In the CSBN 2018, the NCTV published their latest threat matrix. The threat matrix maps the cybersecurity threats caused by defined threat actors and the risk levels for specific groups in Dutch society. The threat matrix of the NCTV is shown in Table 1.

Table 1 shows that the risk level is situational, as a specific cyber threat can have different risk levels dependent on the threat actor and organisation. Four groups are included in the threat matrix: the government, critical sectors, private organisations and members of the general public. The column private organisations is relevant for this thesis as this depicts the cybersecurity threats to companies, though not for SMEs specifically.

It is important to note that cybersecurity threats are defined by the NCTV in terms of attack effects and not in terms of attack methods (NCTV, 2018). The attack method describes the attack tool or the way the ICT system or the data is attacked, for example malware or a DDoS attack. The attack effect describes the way the ICT system or data is affected by the cybersecurity attack, for example the impairment of the availability of data in an ICT system.

Target groups (columns): Government; Critical; Private organisations; Members of the public

Threat actors (rows) and the threats listed for them:

Nation-state / State-sponsored: Espionage, Sabotage, Disruption, Information manipulation, System manipulation

Criminals: Disruption, Information theft, Information manipulation, System manipulation

Terrorist: Sabotage

Hacktivists: Disruption, Information manipulation, Information theft

Cyber vandals and script kiddies: Disruption, Information theft

Insiders: Information theft, Disruption

Unintentional acts: Breakdown/failure, Leak

Legend: Highest risk; Medium risk; Lower risk

Table 1: Threat matrix of the NCTV (NCTV, 2018)

Cybersecurity threats for Dutch SMEs

To get a better understanding of the cybersecurity threats for Dutch SMEs specifically, recent studies on cybersecurity threats for Dutch SMEs were used. A study in 2014, commissioned by the Dutch insurance company Interpolis, identified eight types of cybersecurity threats for SMEs. These cybersecurity threats were mainly defined in terms of cybersecurity attack methods like Malware infection, Attempt to hack, Phishing and DDoS attack, but also as threat effects like leaking information, unprotected / vulnerable system, and threat of attack (Berg & Reijmer, 2015). A ranked distribution of occurrence of these cyber threats is shown in Table 2.

Threats Percentage of companies facing a specific threat

Phishing 37%

Malware infection 20%

DDoS attack 14%

Unprotected / vulnerable system 7%

Vulnerability website 5%

Threat of attack 4%

Leaking information 4%

Attempt to hack 4%

Remaining 7%

Table 2: Types of cybersecurity incidents in Dutch SMEs in 2014 (Berg & Reijmer, 2015)

A more recent study by Notté and Slot of The Hague University of Applied Sciences also looked into cybersecurity within Dutch SMEs. Between September 2016 and July 2017, 800 directors of SMEs were asked to fill out questionnaires about cybersecurity aspects the SMEs faced. Notté and Slot (2018) identified seventeen different cybersecurity threats that occurred in SMEs during their study period. The results of this study are shown in Table 3.

Threat Percentage of SMEs

Malware 30%

Ransomware 17%

Phishing 10%

Hacking 7%

Theft of data carriers 6%

Fraud / scams via internet 5%

Denial of Service (DoS) attack 5%

Slander 4%

Destruction of data 4%

Identity fraud 3%

Internet extortion 3%

Defacing 3%

Skimming debit or credit card information from the company 2%

Unauthorised use of the company network 2%

Blackmailing via internet 2%

Theft of data 1%

Espionage 0%

Table 3: Type of cybersecurity incidents in SMEs in 2017 (Notté & Slot, 2018)

Reviewing Tables 1, 2 and 3, it becomes clear that the concept of cybersecurity threat is used for the threat method as well as for the threat effect. The NCTV defines cyberthreat in terms of effects on the ICT system and the results of a cyber attack for the organisation. The studies of Notté & Slot and Berg and Reijmer use the definition cyberthreat for a mix of attack methods and attack effects.

A cybersecurity threat defined in terms of attack effects describes how the ICT system or the data is affected by a cybersecurity attack, irrespective of the attack method. A study based on attack effects focuses on the direct impact of the cybersecurity threat on the organisation. A cybersecurity threat defined in terms of an attack method describes how the organisation is attacked. The cause-and-effect relationship between attack methods and attack effects is complex, as a single attack method can cause multiple attack effects and a single attack effect can be caused by multiple attack methods. A complicating factor is that the literature shows many attack methods and that the methods can change rapidly (Choo, 2011). For example, Tables 2 and 3 compare the cybersecurity attack methods SMEs faced in 2014 and 2017; phishing was the most important threat to SMEs in 2014 (37%), but it declined 27 percentage points in three years. Based on the literature discussed and because Dutch SMEs are the scope of the thesis, it was decided to study cybersecurity threats defined in terms of attack effects. The NCTV identified seven cybersecurity threats for all private organisations. The results of Notté and Slot (2018) show that for Dutch SMEs Espionage is zero per cent and both Information Theft and Information Manipulation are just 1%, so these three cyberthreats were excluded from this research. Sabotage was added in this research, as Ransomware, which results in Sabotage, was the second most often reported attack method in the study of Notté and Slot (2018). It was decided to use these five cybersecurity threats in this study as these will cover 98% of the cybersecurity threats for Dutch SMEs. The definitions used in this thesis, as given by the NCTV, are shown in Table 4.

The definitions provided by the NCTV show a distinction between intentional threats and unintentional threats. Intentional threats require a threat actor that initiates the cybersecurity threat; an unintentional cybersecurity threat is caused by a failure, like an employee accidentally erasing files, or a natural disaster. Disruption, Sabotage and System Manipulation are considered intentional cybersecurity threats. Breakdown/Failure and Leak are unintentional cybersecurity threats according to the NCTV definitions.

Threat Definition

Disruption The intentional, temporary impairment of the availability of information, information systems or information services.

Sabotage The intentional, very long-term impairment of the availability of information, information systems or information services, possibly leading to destruction.

System manipulation Impairing information systems or information services; targeting the confidentiality or integrity of information systems or information services. These systems or services are then used to perpetrate other attacks.

Breakdown/failure Impairment of integrity or availability as a result of natural, technical or human failures.

Leak Impairment of confidentiality as a result of natural, technical or human failures.

Table 4: Threats included in the study as defined by the NCTV (NCTV, 2018).

3.3 Mitigating against cybersecurity threats

A mitigation is the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats (Stewart et al., 2015). A mitigation strategy is a set of mitigation measures to achieve a level of security. The recent literature about cybersecurity mitigation and mitigation strategies is discussed in this part of the theoretical framework.

SMEs can take relatively basic security measures to make them less vulnerable to potential cybersecurity threats (Kurpjuhn, 2015). However, academic studies like Sangani and Vijayakumar (2012) and non-academic studies like that of veiligzakelijkinternetten.nl (2018) show that SMEs do not always take such elementary security protections, like installing up-to-date anti-virus programs, making backups or using VPN connections. So why do SMEs not always take elementary security protection, while it is relatively easy to take such measures? Jeske and van Schaik (2017) state that the decision to mitigate a cyber threat is a trade-off between the potential cost of resources and the potential cost of damage that a cybersecurity threat can cause. This trade-off determines whether mitigating measures are taken.

Being resilient to cybersecurity threats entails that SMEs have sufficient measures in place to overcome the effect of cybersecurity threats (Stewart et al., 2015). Literature indicates that being aware of the threats is the first step in becoming more resilient to cybersecurity threats (Çeta & Konings, 2017; Renaud, 2016; Sangani & Vijayakumar, 2012). For example, studies have shown that increased awareness in SMEs about phishing has been a key strategy against phishing (Ommen, 2014; Sangani & Vijayakumar, 2012). The management of SMEs tends to think that their business is not a target for cyber attacks. So, the first step for an SME to become more resilient to cybersecurity threats is to accept that, despite its small size, it is vulnerable to cybersecurity threats (Çeta & Konings, 2017; Renaud, 2016; Sangani & Vijayakumar, 2012).

An important motivator for taking cybersecurity measures is the perception of the severity of a cybersecurity threat. It is more likely that an organisation will take measures to mitigate a cybersecurity threat when the threat is perceived as more severe in terms of impact on the critical operations of an organisation (van Schaik et al., 2017; Workman, Bommer, & Straub, 2008). A study done by van Schaik et al. (2017) among university students showed that factors like internet experience, lack of control, immediacy of consequences, catastrophic potential and severity increased the threat perception of cybersecurity threats.

A trade-off between potential cost of resources and potential damage of a cyber threat can only be made if the person making the decision to mitigate a cybersecurity threat knows the consequence of a cybersecurity threat. Jeske and van Schaik (2017) state that this knowledge is obtained by familiarity, defined by Jeske and van Schaik as previous experience, with both the cybersecurity threat and possible cybersecurity measures. The second factor that influences the decision to mitigate cybersecurity threats is knowledge of the threats and measures. This means that the persons did not have experience with the cybersecurity threat or measures, but their decision to mitigate a cybersecurity threat was based on obtained knowledge about the cybersecurity threat and/or measures (Jeske & van Schaik, 2017).

Sangani and Vijayakumar (2012) present a framework on how to mitigate cybersecurity attacks and provide a range of solutions that SMEs can implement against phishing, web application attacks, insider attacks and wireless network breaches, as well as best practices for using WIFI hotspots. The strategy is basically to be aware of the threat and to take minimal mitigating measures, like using a VPN when using a WIFI connection that is shared with others, installing patches, using a firewall and installing antivirus software that is up to date.

Renaud (2016) distinguishes four types of actions that an SME can take against the effects of cybersecurity attacks: deterrent measures, focusing on resilience of the users; preventive measures, which are mostly technical measures such as firewalls; corrective measures, which entail investigation and mitigation of the risks that an SME faces; and detection measures, to seek evidence of an attack and activate corrective or preventive controls (Renaud, 2016; Sangani & Vijayakumar, 2012). These four kinds of measures can be used to identify differences in strategies that SMEs can develop to mitigate cybersecurity threats. For example, strategy elements could be to take action only after a threat has affected the operation, or to build resilience of the users through awareness, training and knowledge.

3.4 Does organisational size influence response to cybersecurity threats?

Academic literature concluded that the size of an organisation has an effect on the ability to implement changes due to differences in internal communication, structure and availability of resources for organisations of different size (Bloodgood, 2006, p. 243; Caplow, 1957).

The first factor to be considered when looking at the effect of organisational size is the effect of internal communication and structure on the response to cybersecurity threats. Bloodgood (2006) argues that an increase in organisational size affects the ability of an organisation to change as big organisations tend to have more bureaucratic administrations. The bureaucracy is needed to deal with the communication issues in the larger organisations but can form a barrier for change because of the difficulty to communicate and implement changes throughout the layers of the entire organisation. Caplow (1957) shows that a small organisation, defined as less than 100, does not need the bureaucracy, and as a result, can communicate more easily within the group and implement changes more easily. It can be expected such size dependency also influences the implementation of cybersecurity measures.

The second factor to consider is the effect of available resources within the SME to respond to cybersecurity threats. Sangani and Vijayakumar (2012) argue that SMEs lack the resources to implement costly and complex cybersecurity measures that the bigger companies can implement. SMEs lack the funds, technical expertise, knowledge and security architects for protecting their ICT systems. This lack of resources is in line with earlier research on resource management, done by Hannan and Freeman (1984). They found that the larger the organisation is, the more resources like time, finances and people can be allocated to specific goals within the organisation. Especially the lack of knowledge and technical expertise is something that tempers smaller organisations' ability to effectively mitigate cybersecurity threats (Cowley & Greitzer, 2016). Also, it can be expected that similar size dependencies are present for cybersecurity, as implementation of cybersecurity can be costly and complex.

The factors internal communication and availability of resources have an opposite dependency on size. A smaller organisation is expected to have better communication, which makes implementation of changes to cybersecurity faster. The flip side of the coin is that a smaller organisation will have more difficulty implementing mitigation actions against cybersecurity threats due to lack of resources.

4 Design and Methodology

As discussed in the introduction and theoretical framework, there is room for further research on how SMEs deal with cybersecurity. This chapter explains what this study intends to investigate about cybersecurity in SMEs and how.

4.1 Research objectives

The primary objective of this research is to contribute to the knowledge on the cybersecurity threats that Dutch SMEs face and how Dutch SMEs deal with their cybersecurity. The main research question for this thesis is: Which cybersecurity threats do Dutch SMEs face and how do they intend to mitigate these cybersecurity threats?

To answer the main research question, three sub-questions needs to be answered: 1. What cybersecurity threats do SMEs face?

2. What mitigation strategies do SMEs implement to deal with these cybersecurity threats? 3. What role does the organisational size of an SME play regarding the type of solutions, the

amount of effort, and why SMEs mitigate cybersecurity threats?

The first sub-question focuses on the cybersecurity threats that Dutch SMEs experience, as it is essential to understand what kind of cybersecurity threats SMEs face and how often these cyberthreat are experienced. The second sub-question focuses on how the SMEs deal with the different potential threats. Mitigation measures to cybersecurity threats depend on the situational characteristics like the number of resources, mitigation rates of cybersecurity threats and threat perception of the SME. Insight into a selection of factors that influence the designated mitigation strategies by SMEs will contribute to answering the main research question. The last sub-question centres on what role the organisational size specifically has in relation to mitigating cybersecurity threats. This is investigated because earlier research (Kimberly, 1976, p. 571) showed that SMEs have specific characteristics related to their organisational size. It is important to know if such characteristics are also relevant for understanding the choices SMEs make by the selection of solutions to mitigate cybersecurity threats.


4.2 Methodology

To answer the main research question, an inductive qualitative research method was used. The cross-sectional study design was used as this is appropriate for exploring the prevalence of a phenomenon, situation, problem, attitude, or issue. This design takes a cross-section of the population studied and generates an overall picture at that point in time (Kumar, 2011). A review of cybersecurity literature was conducted to create a theoretical framework of cybersecurity threats and the threats posed to Dutch SMEs. A survey and in-depth interviews were designed based on this theoretical framework. The survey template used in this study is included in Appendix B. With the survey, data was collected on SMEs to answer the sub-questions and the central research question. A company was included as an SME if it met the standard for SMEs as defined by the European Commission (European Commission, 2015). The survey was distributed by e-mail and social media posts on the platforms LinkedIn and Facebook. Qualtrics survey software was used for data collection and the data was analysed using Excel. The objective was to collect data from at least 51 SMEs to have a sufficient sample size. The required sample size was met as the total number of respondents in the survey was 87. Only SMEs that met the criteria as defined by the European Commission were included in this study. The surveys were addressed to the directors of the SME because a study conducted in 2014, commissioned by the insurance company Interpolis, showed that in 55 per cent of cases the director of an SME is responsible for cybersecurity within the SME (Berg & Reijmer, 2015). In many cases, an SME does not have a single employee responsible for ICT (Kurpjuhn, 2015). Using directors as participants for the survey makes sense as they are responsible for the cybersecurity in the SME and they are also the unit of observation in other studies, for example the study of Notté and Slot (2018). Using the same unit of observation makes it possible to compare data between studies. This makes it possible to fit the findings in a broader academic discussion, which should always be the aim of research.

The online survey consisted of four parts. The first part collected general data on the company and survey participants. This line of questions was used to determine the role of the participant in the organisation and to determine if the organisation meets the criteria of a Dutch SME.

The second part of the survey shifts the focus to general cybersecurity questions related to the organisation. The purpose of these questions is to establish the kind of cybersecurity threats the SMEs face and how they perceive the cybersecurity threats.

The third part of the survey consisted of four types of questions related to the specific cybersecurity threats in this study. First, the participant was asked if he or she has knowledge of a specific cybersecurity threat. Secondly the respondent was asked how he or she perceives the severity of the cybersecurity threat on a five-point scale ranging from one (no threat), to five (high threat). Thirdly the respondent was asked if the SME takes mitigation measures against the cybersecurity threat. Lastly it was asked if the SME had been the victim of the cybersecurity threat.

In the last part of the survey respondents were asked if there are sufficient resources available to mitigate the specific cybersecurity threats. The scale ranged from one (no resources available), to five (abundance of resources available). The types of resources they were asked to rate were time, knowledge, financial means, and technical means.

The answers to the first question aim to provide insights into the knowledge level within the organisation. The first research question on what cybersecurity threats SMEs face is investigated by the second question in part two of the survey and by the first and third question in part three. The second research question on cybersecurity threat mitigation is investigated mainly by the third part of the survey. The last sub-question on effects of size of SME is investigated by the fourth part of the survey.

One of the aims of the research is to provide a context to understand why SMEs take specific cybersecurity measures. A drawback of an online survey methodology is that it is not possible to ask follow-up questions. To overcome this drawback, a selection of SMEs were called for a semi-structured telephone interview. SMEs were asked to participate in a telephone interview if they indicated in the survey that they mitigated at least three cybersecurity threats. In-depth questions were asked about why specific mitigating measures were taken. The interviews can be found in appendix B.

The survey investigates five cybersecurity threats to the private sector in the Netherlands, as defined in the threat matrix of the NCTV. The NCTV cybersecurity threats were chosen because the NCTV provides clear and recognised definitions of the threats. As the NCTV is the governing body for cybersecurity policy in the Netherlands, using their definitions makes the results of the study useful for policy makers. Although the NCTV defined seven threats in the threat matrix of the CSBN 2018, it was decided to limit the number of threats in the survey to five, because the Dutch SME association advised keeping the survey as short as possible to increase the response rate. In their experience, directors and owners of SMEs don’t complete surveys that are too long. As discussed in the theoretical framework, the decision of what threats were included and what threats were excluded was based on the threat landscape SMEs encounter in their operations, based on the studies of Berg and Reijmer (2015) and Notté and Slot (2018). The threats included in the survey were Disruption, Sabotage, Systems manipulation, Breakdown and Failure, and Leak.

4.2.1 Sample selection

As explained in the methodology section, only companies that meet the European Commission's criteria of an SME were included in this study. The European Commission made a further sub-classification for SMEs into Micro, Small and Medium-sized SMEs. The classification is based on revenue, total balance sheet and employee count. For this study, only the classification by number of employees was used as the best proxy for SME size, because revenue and total balance sheet figures are usually considered confidential by SMEs.

A Micro SME has fewer than ten employees, a Small SME fewer than 50 employees and a Medium SME fewer than 250 employees (European Commission, 2015). In addition to the three categories defined by the European Union, a fourth category is used in the study: One-person SMEs. A One-person SME is defined as a company registered with the Dutch Chamber of Commerce that has only one employee who is also the owner of the company. This category is added firstly because a large part of businesses in the Dutch economy are One-person SMEs; they make up 75 per cent of businesses according to CBS data (CBS, 2018). Secondly, One-person SMEs might have different experiences and behaviours when it comes to cybersecurity. Because of their large share and their unique characteristics, they are a separate category in this study. The four categories are shown in Table 5.

| Classification | Maximum no. of employees |
|---|---|
| One-person SME | 1 |
| Micro SME | 10 |
| Small SME | 50 |
| Medium SME | 250 |

Table 5: Classification of the SMEs based on employees

Stratified sampling was used for the study to obtain a sufficient number of enterprises within each category of SME. The total sample is obtained by using the technique of snowballing. The choice for snowballing is based on the assumption that enterprises are not keen on sharing their security situation related information. A reference by another company that already completed the survey helps to persuade other enterprises to cooperate with the research.

4.2.2 Validity and limitations of the research

As discussed, this research aims to provide a better understanding of which cybersecurity threats Dutch SMEs face and how SMEs deal with their cybersecurity. The proposed method and sample selection have consequences for the internal and external validity of the research. Firstly, the research uses a limited sample size. For generalisable statistical research, a minimal sample size of around N=250 would be preferred. The decision to compromise on a lower sample size was made for two reasons. The first reason is that the goal of the research is to uncover trends and guide further research on this topic, not to construct a generalisable theory. The second reason for the smaller sample size was efficiency. In order to perform the research in the available time frame, a larger sample was not practical as gathering more data from participants would take too much time. The smaller sample size is adequate for meeting the objective of the thesis.

The smaller N means that the generalisability and therefore the external validity is limited. Generalising beyond the Dutch context of the research is not possible as no SME outside the Netherlands is included in the sample. This is not a real limitation because the goal is to explore how Dutch SMEs deal with cybersecurity related issues. The findings of this research can be used as a starting point for further academic research. A section in the conclusion will be dedicated to recommending further research.


5 Results

This chapter consists of four parts. The first part describes the sample population of the survey and how it relates to the actual population of Dutch SMEs. The second part gives an overview of the results on the cybersecurity threats that Dutch SMEs face. The third part discusses the results on cybersecurity threat mitigation strategies and how SMEs deal with these cybersecurity threats. The last part describes the effect of organisational size on the type of solutions and amount of effort put in by SMEs to mitigate cybersecurity threats.

5.1 Description of the sample population

A survey was used to collect data for this study. In total 87 owners and/or directors of SMEs participated in the study and responded to the survey using different channels: 57 respondents used an anonymous link, 27 used a link on social media, five used a personal email link, and one person responded using a QR link that was distributed. The response rate is unknown as the method of snowballing was used to collect the data and no accurate record could be kept on the distribution of the survey.

A substantial number of participants did not answer all survey questions, leading to 29 incomplete surveys. A response was labelled as incomplete if it had ten or more unanswered questions. Incomplete responses to the surveys were excluded from the analysis. The results and analysis presented below are based on a total sample size of N= 58.

The composition of the sample population concerning size of the organization is summarised in Table 6. The SMEs have been classified in four groups based on their size: One-person SMEs, Micro SMEs with two to five employees, Small SMEs with six to 50 employees, and Middle SMEs with 51 to 250 employees. The sample of the survey included 17 per cent One-person SMEs, 45 per cent Micro SMEs, 29 per cent Small SMEs and nine per cent Medium SMEs.

| Classification | Number of employees | Number in the sample | Percentage |
|---|---|---|---|
| One-person SME | 1 | N=10 | 17% |
| Micro size SME | 2 - 10 | N=26 | 44% |
| Small size SME | 11 - 50 | N=17 | 29% |
| Medium size SME | 51 – 250 | N=5 | 9% |
| Total | | N=58 | 100% |

The composition of the survey population is compared to the composition of the total population of the Dutch SME sector to determine over- or underrepresentation of the size categories in this study. The data for the total population was obtained from the Dutch Central Statistical Office (CBS, 2018). The sample of the survey is significantly different from the Dutch SME population if the difference in percentage for an SME class is bigger than the 95 per cent confidence interval u, where p is the percentage in the survey sample and n is the sample size (n=58).

$$u = 1.96\sqrt{\frac{p(1-p)}{n}}$$

The results are presented in Table 7. In this study One-person SMEs are underrepresented and Micro, Small and Medium SMEs are overrepresented compared to the total Dutch SME population. In this study, the data for the various SME classes have not been weighted to correct for this over or under-representation.

| Classification | Dutch SME population (CBS, 2018) | Survey population (p) | Confidence interval (u) | Lower bound | Upper bound | Population difference |
|---|---|---|---|---|---|---|
| One-person SME | 75% | 17% | 10% | 7% | 27% | Significant |
| Micro SME | 20% | 44% | 13% | 32% | 58% | Significant |
| Small SME | 4% | 29% | 12% | 17% | 41% | Significant |
| Medium SME | 1% | 10% | 7% | 2% | 16% | Significant |
| Sample size (N) | N=1006525 | N=58 | | | | |

Table 7: Comparison of the survey population and the population of all Dutch SMEs.
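The check behind Table 7 can be reproduced from the class counts in Table 6. The following Python sketch is an added example and not part of the thesis; the Wilson score interval and the small-count flag (threshold of 10, a common rule of thumb) are additions that the thesis does not use, included because the Medium SME class rests on only five respondents.

```python
"""Added example: reproduce the representativeness check behind Table 7."""
from math import sqrt

Z_95 = 1.96  # z-value for a 95 per cent confidence level, as in the thesis formula

# Survey counts per SME class (Table 6, N = 58) and the Dutch SME population
# shares reported from CBS (2018) in Table 7.
SURVEY_COUNTS = {
    "One-person SME": 10,
    "Micro SME": 26,
    "Small SME": 17,
    "Medium SME": 5,
}
POPULATION_SHARE = {
    "One-person SME": 0.75,
    "Micro SME": 0.20,
    "Small SME": 0.04,
    "Medium SME": 0.01,
}


def _check_counts(x, n):
    if n <= 0 or not 0 <= x <= n:
        raise ValueError("need n > 0 and 0 <= x <= n")


def wald_interval(x, n, z=Z_95):
    """Interval used in the thesis: p +/- u with u = z * sqrt(p(1 - p) / n)."""
    _check_counts(x, n)
    p = x / n
    u = z * sqrt(p * (1 - p) / n)
    # A proportion cannot leave [0, 1], so the bounds are clipped.
    return p, u, max(0.0, p - u), min(1.0, p + u)


def wilson_interval(x, n, z=Z_95):
    """Wilson score interval; behaves better for small counts (not in the thesis)."""
    _check_counts(x, n)
    p = x / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def compare_sample_to_population(counts, population_share, small_count=10):
    """Return one row per SME class with both intervals and the verdicts."""
    n = sum(counts.values())
    rows = []
    for name, x in counts.items():
        p, u, lower, upper = wald_interval(x, n)
        w_lower, w_upper = wilson_interval(x, n)
        pop = population_share[name]
        rows.append({
            "class": name,
            "p": p,
            "u": u,
            "lower": lower,
            "upper": upper,
            # Significant = population share lies outside the sample interval.
            "significant": not (lower <= pop <= upper),
            "significant_wilson": not (w_lower <= pop <= w_upper),
            "over_represented": p > pop,
            # Assumed rule of thumb: the normal approximation is weak when
            # fewer than `small_count` respondents fall in or out of the class.
            "weak_normal_approx": min(x, n - x) < small_count,
        })
    return rows


if __name__ == "__main__":
    # Values are computed from the Table 6 counts, so they can differ by a
    # percentage point from the rounded figures printed in Table 7.
    for r in compare_sample_to_population(SURVEY_COUNTS, POPULATION_SHARE):
        print(
            f"{r['class']:<15} p={r['p']:.0%} u={r['u']:.0%} "
            f"[{r['lower']:.0%}, {r['upper']:.0%}] "
            f"significant={r['significant']} "
            f"wilson={r['significant_wilson']} "
            f"weak_approx={r['weak_normal_approx']}"
        )
```

Both intervals lead to the same verdict for all four classes; the flag only marks the Medium SME row as the one where the thesis formula is least reliable.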

The second source of information was the in-depth interviews with a selected group of survey respondents. The objective of the in-depth interviews is to provide more context to why and how SMEs mitigate cybersecurity threats. Thirty-one survey participants indicated that they would be open to such an interview. Only participants that indicated that they have taken mitigation measures against three or more of the threats were asked to participate in an interview. This was done to obtain more specific information on what measures SMEs take. Of the thirteen survey respondents selected, five responded positively and were interviewed. The characteristics of the respondents of the in-depth interviews are shown in Table 8.


| Company | Size classification | Sector |
|---|---|---|
| SME A | Middle SME | Business Services / Other Services / IT / Free Professions / Miscellaneous |
| SME B | Small SME | Retail (food) / Retail (non-food) / Auto Repair / Hospitality & Leisure |
| SME C | Small SME | Business Services / Other Services / IT / Free Professions / Miscellaneous |
| SME D | Small SME | Industry, Manufacturing / Construction, Construction Installation |
| SME E | Micro SME | Industry, Manufacturing / Construction, Construction Installation |

Table 8: Profile of the SMEs selected for the in-depth interviews.

5.2 Cybersecurity threats to Dutch SMEs

Based on the literature study, five cybersecurity threats were deemed relevant to Dutch SMEs and included in the survey. To investigate the occurrence of these five cybersecurity threats, respondents were asked if their SME had actually experienced one or more cybersecurity threats.

Figure 3 shows the percentage of SMEs that actually experienced one or more of the five cybersecurity threats and the percentage of SMEs that did not experience any of them. The result shows that 59 per cent of the SMEs reported having experienced one or more of the five cybersecurity threats and 41 per cent of the SMEs reported no experience with any of the cybersecurity threats.

[Bar chart "Percentage of SMEs that experienced cybersecurity threats": 59% experienced a threat, 41% did not.]

Figure 3: Percentage of SMEs that experienced one or more of the five cybersecurity threats or did not experience any threat.

Next it was determined how often the Dutch SMEs reported to have experienced each of the five cybersecurity threats. Figure 4 shows the threat occurrence, defined as percentage of SMEs that experienced a specific cybersecurity threat for each of the cybersecurity threats surveyed. The results show that the threat of Breakdown and Failure was experienced by 49 per cent of the SMEs, which is significantly more often than any of the other cybersecurity threats. The threats of Disruption and Leak were experienced significantly more often than Sabotage and Systems manipulation.

Figure 4 : Percentage of Dutch SMEs that experienced a specific cybersecurity threat for each of the threats

The relative occurrence is the likelihood that a cybersecurity threat is experienced by the SME. Figure 5 shows the relative occurrence of the five cybersecurity threats. The relative occurrence can be used to prioritise mitigation actions as part of a cybersecurity mitigation strategy. For example, using the results from this study, a mitigation action against system manipulation could provide protection for 6% of the cybersecurity threat events, while a mitigation against Breakdown/Failure could provide protection in 50% of the cybersecurity threat events.

Figure 4 data: percentage of SMEs that experienced a cybersecurity threat

| | Breakdown/Failure | Leak | Disruption | Sabotage | System manipulation |
|---|---|---|---|---|---|
| Threat experienced | 49% | 18% | 16% | 9% | 6% |
| Threat not experienced | 51% | 75% | 76% | 81% | 80% |
| No answer | 0% | 7% | 8% | 10% | 14% |

Figure 5: The relative occurrence of cybersecurity threats for Dutch SMEs.

It is observed that the intentional cybersecurity threats (system manipulation, sabotage and disruption) have a lower relative occurrence than the unintentional threats (Leak and Breakdown/Failure); 31 per cent of the experienced cybersecurity threats were intentional attacks and 69 per cent were unintentional according to the threat definitions by the NCTV. In the in-depth interviews, respondents were asked about their experience with the five cybersecurity threats and if they had experienced any other cybersecurity-related incidents. The respondent of SME A reported that malware, received by e-mail, resulted in the loss of a day’s work. The attack method of the malware e-mail resulted in the attack effect Sabotage.

We have already seen many times that we have some problems with virus infections due to a virus mail. This happens because unknown attachments in e-mails are opened by our personnel. … The result was that we had to do a rollback to the previous day, causing a day's work lost.

Quote 1: SME A

Figure 5 data: relative occurrence of cybersecurity threats

| Threat | Relative occurrence |
|---|---|
| System manipulation | 6.1% |
| Sabotage | 9.2% |
| Disruption | 16.3% |
| Leak | 19.0% |
| Breakdown/Failure | 50.0% |

The respondent of SME E reported a similar experience with ransomware. In this case ransomware is the attack method and the attack effect is classified as Sabotage.

… that was such a hostage program. You get many things on your screen and it locks up. You have to transfer a thousand euros, and then they unlock it again. We did not pay anything because we could turn to a backup we had made before the cyberattack.

Quote 2: SME E

The respondent of SME B reported experience with bots checking his webshop for product prices. Although this form of price checking is legally allowed, according to SME B, the effect of all the bots on his website was that it got overloaded, resulting in a disruption of service of the website for customers.

Our site was temporarily out of service on …, just an hour. We contacted the webshop builder about it, so he could look what happened that hour. He noticed that there were many bots on our site … checking our prices. So, the webshop builder explained there were too many bots, which makes the website slow. I worked with YYY, to delete almost everything. The consequence was that the customers could no longer pay. We had also to scrap the entire payment shop. This lasted half a day.

Quote 3: SME B

The interviews with SME C and D did not reveal a new cybersecurity threat either. Had another cyberthreat been found in this small sample of interviews, the selection of the five cybersecurity threats could be questioned. The interviews did not prove that the selection of cybersecurity threats for this study was too narrow.

The respondents of the survey reported only known breaches of their cybersecurity. The effect of undetected breaches is that our results show a lower occurrence rate than the actual occurrence rate.

Three remarks can be made when the findings on what cybersecurity threats SMEs face are compared to the literature discussed in the theoretical framework. In the survey all of the five cybersecurity threats were reported to be experienced by Dutch SMEs and in the in-depth interviews no other additional cybersecurity threats were mentioned. The study findings establish that the selected cybersecurity threats are relevant and are adequate to describe the cybersecurity threats to Dutch SMEs. The fact that the five cybersecurity threats differ from the cybersecurity threats listed in the threat matrix for (all) private companies in the CSBN indicates that cybersecurity in Dutch SMEs is different from the cybersecurity for private companies (NCTV, 2018).

The NCTV threat matrix gives a classification of the risk of each threat (NCTV, 2018). The risk ratings are situational as the risk rating for the same cybersecurity threat is dependent on the threat actors and organisations. The results of this study provide information on how often the five cybersecurity threats are reported to occur in Dutch SMEs. The expected occurrence is an important part of a risk assessment, but not enough. Risk is usually defined as the likelihood of a threat to occur multiplied by the impact / harm caused (Stewart et al., 2015). Hence a complete comparison with the risk classifications of the threat matrix of the NCTV cannot be made.

In the in-depth interviews respondents were asked about the cybersecurity threats in terms of the attack effect as defined by the NCTV. Most responded by describing the cybersecurity threats in terms of attack methods. The use of the term cybersecurity threat for both the attack method and the attack effect is understandable, but it also underlines that it is important to be aware of this potential confusion in the design of research on cybersecurity.

5.3 Mitigation of cybersecurity threats by Dutch SMEs

In the previous chapter it was established what cybersecurity threats SMEs face. This chapter addresses the second research question on the mitigation strategies that SMEs implement to deal with the cybersecurity threats they face. A cybersecurity threat is mitigated if the SME implements safeguards and countermeasures to eliminate vulnerabilities or block the threats (Stewart et al., 2015). This study surveyed whether SMEs mitigate cybersecurity threats for each of the threats but did not survey the effectiveness of such mitigations.

First it is demonstrated how SMEs respond to the experienced cybersecurity threats and on their mitigation strategies. Subsequently the responses to each of the five cybersecurity threats are presented and complemented with the results on mitigation action and strategies from the in-depth interviews. The third part shows the results to determine factors that influence the mitigation of cybersecurity threats by SMEs.


5.3.1 Strategies for mitigation of cybersecurity threats

It was investigated how often Dutch SMEs mitigate the five cybersecurity threats. The respondents were asked to indicate if actions had been taken to mitigate cybersecurity threats for each of the five cybersecurity threats. Figure 6 shows the percentage of the Dutch SMEs in the study that mitigated none, one or more cybersecurity threats.

Figure 6: Percentage of Dutch SMEs that mitigate one or more cybersecurity threats.

| Number of threats mitigated | 0 | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| Percentage of SMEs | 23% | 2% | 5% | 19% | 18% | 33% |

No mitigation action at all was taken by 23 per cent of the SMEs and 77 per cent of the SMEs mitigate one or more of the cybersecurity threats. The majority (71 percent) of the SMEs mitigates three or more cybersecurity threats.

The results on threat mitigation were analysed in more detail to investigate whether the surveyed SMEs follow a pro-active mitigation strategy or a reactive mitigation strategy. For this analysis two groups of SMEs are defined. Group A are all SMEs that reported to have not experienced any cybersecurity threat (N = 24) and group B are all SMEs that reported to have experienced one or more cybersecurity threats (N = 34). Figure 7 is a similar graph as Figure 6, but stratified for the two subgroups. The percentage of SMEs on the x-axis in Figure 7 is a percentage of the SMEs within the subgroup.

Figure 7: Percentage of Dutch SMEs that mitigate none, one or more cybersecurity threats, stratified for the two groups of SMEs that did and did not experience one or more cybersecurity threats.

The results show that 50 per cent of the SMEs in Group A mitigated cybersecurity threats although they had not experienced any cybersecurity threat. These SMEs mitigated on average four threats, demonstrating a pure proactive mitigation strategy.

The other 50 per cent of group A did not mitigate any of the five cyberthreats. The mitigation strategy is not pro-active, but it cannot be determined if there is a reactive strategy or no strategy to mitigate cybersecurity threats. This group is classified as “no mitigation strategy” in this study.

Group B consisted of three per cent SMEs with no mitigation strategy, six per cent SMEs that did not mitigate all threats experienced and 91 per cent that mitigated all cybersecurity threats experienced.

This 91 per cent of group B all demonstrated a reactive mitigation strategy by mitigating all individual cybersecurity threats experienced, but all also showed a proactive mitigation strategy by mitigating one or more other threats not experienced. Analysing the 48 threats experienced and the 128 threat mitigations of this 91 per cent, it is found that 34 per cent of the threat mitigations are reactive and 62 per cent of the threat mitigations were proactive.

Figure 7 data: mitigation of cybersecurity threats, threat experience vs. no threat experience (percentage of SMEs in each category)

| Number of threats mitigated | 0 | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| SMEs without threat experience | 50% | 4% | 0% | 13% | 13% | 21% |
| SMEs with threat experience | 3% | 0% | 9% | 24% | 21% | 42% |

Summarising the mitigation strategies of the Dutch SMEs surveyed, a pure proactive mitigation strategy is found in 20 per cent of the SMEs, 57 per cent of SMEs had a combination of a reactive mitigation strategy (38 per cent) and a proactive mitigation strategy (62 per cent) and no mitigation strategy was found for the remaining 23 per cent of the SMEs. In total 73 per cent of all cybersecurity mitigations taken by the SMEs surveyed were proactive and 27 per cent of the mitigations were reactive.

From the results we can establish with certainty the proactiveness of the mitigations taken. However, for the mitigations classified as reactive it is uncertain whether these were taken after the cybersecurity threats were experienced or whether the cybersecurity threat occurred despite the mitigation.

5.3.2 Mitigation of cybersecurity threats

The next analysis addresses how often Dutch SMEs respond to the specific cybersecurity threats. The mitigation rate of a cybersecurity threat can be defined as the percentage of SMEs that mitigates a specific cybersecurity threat. The results are shown in Figure 8. The figure maps the percentage of SMEs that have taken mitigation measures against a specific cybersecurity threat for each of the threats surveyed. Breakdown and Failure is mitigated most frequently, by 72 per cent of the SMEs, while 67 per cent took mitigating measures for disruption, 66 per cent took measures against leaks, 60 per cent took mitigating measures for sabotage, and only 43 per cent of the SMEs mitigated system manipulation, which is statistically significantly lower than the other mitigation rates.

Figure 8: Percentage of Dutch SMEs that mitigated cybersecurity threats for each of the threats surveyed.

| Mitigation measures taken per cybersecurity threat | Breakdown/Failure | Disruption | Leak | Sabotage | System manipulation |
|---|---|---|---|---|---|
| Takes measures | 72% | 67% | 66% | 60% | 43% |
| Takes no measures | 23% | 26% | 31% | 33% | 33% |

5.4 Mitigation measures

The next section describes the mitigation measures for each of the five cybersecurity threats that were reported by the five SMEs that were interviewed. Participants of the interviews were asked to specify which measures were taken to mitigate the threats that were part of this study. The mitigation measures were analysed using the four types of security measures as described by Renaud (2016) in the theoretical framework: deterrent, preventive, corrective and detection measures.

Breakdown and Failure

For Breakdown and Failure, the participants were asked if they took measures against the impairment of integrity or availability of their ICT systems as a result of natural, technical or human failures. The five SMEs interviewed all reported making back-ups of their systems daily, or even more frequently, to prevent the loss of data in case of a breakdown or failure. All five SMEs had an offsite back-up system, either through basic systems like Dropbox or Google Drive, or through more sophisticated tailor-made solutions. Tailor-made systems made backups to dedicated servers and were controlled using an SLA agreement. Three SMEs had implemented backup generators to ensure backups of the servers could be made. The SMEs that used more sophisticated systems did this for two reasons: either they were obliged to do this as they worked with privacy-sensitive data, or they had clients demanding a high security standard.

We have emergency power generators that ensure that the server can run for a certain amount of time, so that a full backup can be done every night ... We have an external party that is responsible for a certain uptime via an SLA guarantee. We also have the SLA and security measures checked by a third party.

Quote 1 : SME A

A back-up is regularly made and there are also emergency power generators to ensure that a back-up can be made. To be secure, all data that we have stored is also stored in a different location than our own location. So, if something happens at our location, nothing is actually lost.

Quote 2 : SME D

SME E also had a tailor-made system because a client required them to have a higher level of cybersecurity.

There is a device that will provide power for another five minutes to the computers in case of a power failure. It ensures all things are saved. Furthermore, we have automatic backup of all programs that is stored on our network, which is not a cloud solution. A cloud solution was not allowed as I had a client that was in the government; we were told by the security service that a cloud solution was not safe.

Quote 3: SME E

Next to backups and the use of third-party servers no other measures were mentioned. For the cybersecurity threat of breakdown and failure the interviewed SMEs only reported to take technical preventive measures such as back-up systems and emergency power generators. The systems were maintained in-house or by third parties based on a service level agreement.

The threat of Breakdown and Failure is the impairment of integrity or availability as a result of natural, technical or human failures. Making backups is a strategy to recover the data that is potentially lost or corrupted and adding backup generators ensures that a backup can be made. Interestingly no SME mentioned other measures that focused on the mitigation of possible human error or having an insurance against events that were beyond the control of the organisation.

Disruption

The next cybersecurity threat that was addressed in the interviews was disruption. The participants in the interview were asked what measures they took against the intentional, temporary impairment of the availability of information, information systems or information services. The five SMEs that participated in the interviews reported adopting a variety of measures, but they all shared that these measures had been advised to them by a cybersecurity company.

For the technical part (cybersecurity related) we make agreements on the basis of the SLA. This guarantees that certain updates are carried out on servers and on software platforms. Ensuring there are no exploits that can be used for a long time. … looking at a customer portal we are advised to use a DMZ zone to ensure that we do not give free access to the complete system. ... (concerning password management) we have a two-stage check, a new password is not issued directly by telephone but there is an extra layer to confirm that it is someone from our organization that requests a new password.

Quote 4: SME A

The network is secured. So that means it's pretty hard to come into our network here when you're not local. I think that we have covered most of it, because the data is safe. The network here is safe as we use a firewall. I do not know to what extent I can go into detail, but it is a bit safer than a standard home network. The security planning is of course, outsourced. We did not do that ourselves.

We have a firewall and we have our own dedicated network. Also, people cannot install new software on the system without consent. No one can put other programs on it or any other downloaded things, that is not possible. ... The servers for medical data and other data are segmented. It is stored on a separate server where unauthorized people from inside the company cannot access it. We actually have that implemented in the past twelve months. We mapped “who really needs what?” to make sure they only have access to the needed data.

Quote 6: SME E

SME B was the only SME that did not report having help from a vendor specialised in cybersecurity. They relied on their webpage builder to support them with the cybersecurity threat of disruption.

To mitigate the cybersecurity threat of Disruption, the interviewed SMEs generally adopt a mix of measures: technical measures like firewalls and the back-up systems discussed before; detection measures like virus scanners, malware detection programs and DDoS testing; and deterrent measures focusing on the user, like password management and informing their personnel about the importance of keeping a standard for identity access management.

Sabotage

For the cybersecurity threat of Sabotage, respondents were asked what measures they took to mitigate the intentional, very long-term impairment of the availability of information, information systems or information services, possibly leading to destruction. Four SMEs reported relying mainly on their preventive measure of backups, so that if they were affected by, for example, a ransomware attack, they could perform a rollback. SMEs A and E indicated that they had detection measures installed in the form of specific ransomware detection software. This was provided and maintained by a third-party vendor. SME A also implemented deterrent measures, as they addressed virus e-mails as part of the awareness program they implemented within their organisation.
