According to Eurostat, by 2024, 93% of EU companies had implemented at least one measure to ensure the integrity, availability and confidentiality of their data and ICT systems.
The most common security measure used by businesses was strong password authentication (84%), followed by offsite backup (79%) and network access control (65%). The least common measure was biometric authentication (18%).
At the national level, the highest percentage of companies using at least three ICT security measures was recorded in Finland (93%), followed by Denmark (90%), the Netherlands and Germany (both 87%). In contrast, companies in Greece (52%), Bulgaria and Romania (both 53%) reported the lowest percentage.
More specifically, in 2024, 92.76% of EU companies with 10 or more employees or self-employed persons used at least one measure. More than 1 in 3 companies (35.50%) stated that they have documents that establish measures, practices or procedures for ICT security. In one in five companies (21.82%), these documents have been defined or revised in the last 12 months. 59.97% of EU companies have informed their staff about their IT security obligations. Finally, 1 in 5 companies (21.54%) reported impacts due to ICT security incidents in 2023.
By 2024, 92.76% of EU businesses had used at least one ICT security measure. The most common measure was strong password authentication (83.69%), followed by offsite or cloud backup (79.23%) and network access control (65.43%). Fewer than half of the companies said they use virtual private networks (VPN) (49.64%) or keep logs for analysis after security incidents (45.16%). Less frequently, companies use a combination of two or more authentication mechanisms (39.84%), encryption techniques for data, documents or email (39.72%), ICT security tests (34.64%), ICT risk assessments (34.10%) or authentication through biometric methods (18.27%).
The measure “strong authentication via password” was used by almost all large companies (96.78%), by 90.66% of medium-sized companies and by more than 8 out of 10 small companies (82.03%). Similar figures were reported for the second most popular ICT security measure, off-site backup, which was used by 94.95% of large companies, 88.48% of medium-sized companies and 77.09% of small companies. Significant differences related to company size were observed in the use of less common ICT security measures.
ICT risk assessment was used by 75.62% of large companies, while the percentage for small companies was less than half of that (29.35%). Regardless of company size, biometric authentication was the least used ICT security measure, although the percentage of large companies using it (38.55%) was significantly higher than that of small businesses (16.44%).
By 2024, 35.50% of EU companies had documents setting out ICT security measures, practices or procedures. Percentages above 50% were recorded in Finland (59.41%), Denmark (59.11%) and Portugal (54.29%). In contrast, less than 20% of the companies had such documents in Greece (18.28%), Hungary (13.75%) and Bulgaria (13.67%).
Almost 3 in 5 EU companies (59.97%) have informed their employees about their obligations regarding ICT security. The most common form was voluntary training or internal information, for example via the intranet (42.59%), followed by contracts such as employment contracts (34.25%) and compulsory training courses or viewing compulsory material (24.51%).
In 2023, more than 1 in 5 EU companies (21.54%) experienced ICT security incidents, which led to consequences such as the unavailability of ICT services, the destruction or corruption of data or the leakage of confidential information. ICT security incidents can be caused by malicious attacks inside or outside the enterprise, or by non-malicious causes, such as hardware or software failures or inadvertent actions by the employees themselves. In 2023, companies most often reported losses due to non-malicious incidents. The most common consequence was the unavailability of ICT services due to hardware or software failure (17.97%).
In contrast, the unavailability of ICT services due to an external attack (for example, ransomware or Denial of Service attacks) was reported by 3.43% of companies. Data destruction or corruption due to hardware or software failure was reported by 3.87% of companies, while malware infection or unauthorized access led to data destruction or corruption in 1.89% of companies. Leakage of confidential data through hacking, phishing attacks, or intentional employee actions (1.57%) or unintentional employee actions (1.15%) was reported less frequently.
Taking economic activity into account, in 2023 more than one in four companies in the IT and communications, professional, scientific and technical activities, electricity, natural gas, air conditioning and water supply and real estate sectors experienced ICT security incidents. In the construction and transport sectors, this was the case for less than one in five companies.