Rising cyber awareness among Italian companies but still more to do

Despite an increase in cyber awareness and the use of cyber insurance among Italian companies, more needs to be done in both mitigation and training to thwart the rising risk of cyberattacks, according to the results of a new survey.

A study conducted by the University of Verona and Italian tech company Riesko in collaboration with the Italian association of risk and insurance managers (Anra) canvassed 274 Italian companies on four fundamental areas: cyber risk awareness, risk assessment, prevention and mitigation measures, and risk governance.

In the last two years, the rapid adoption of digital processes and remote working has made many business assets and processes more vulnerable, and organisations have increasingly found themselves dealing with a sharp rise in cyberattacks.

According to the latest report from Clusit, the Italian association for IT security, Italy recorded 36 million malicious events in the first half of 2021, a 180% increase on the same period of the previous year. By contrast, in the previous year that figure was reached only at year end.

Yet despite these statistics, just slightly more than half of respondents have a mitigation plan in place, while only 49% have adopted a structured training programme around cyber risk.

The University of Verona survey showed a good level of awareness of IT risk among Italian companies: 72% of respondents said they have a good knowledge of cyber risk and IT security, and a similar share (70%) claimed a good understanding of the impact IT security can have on business continuity. Knowledge of the specific standards is thinner: only 45% claimed a good knowledge of the ISO/IEC 27001 and 27002 security standards, the NIST Cybersecurity Framework, or the ISA/IEC 62443 guidelines.

The survey also probed knowledge and uptake of insurance solutions. It emerged that 64% of Italian companies use third-party IT security solutions and services, and 58% said they have a good knowledge of the cyber risk insurance products available on the market.

Almost three quarters (74%) of companies consider cyber risk a key issue and classify it mainly as IT and technology systems risk (45%), operational risk (22%) or strategic risk (14%). The greatest vulnerabilities are seen in laptops (74%), web servers (69%) and personal devices connected to the corporate network (67%). The main cause of breaches is human error, followed by the use of outdated software and operating systems, and inadequate access control. Despite this, only 49% of companies run structured training programmes on cyber risk, and 70% allocate less than 15% of their total corporate training budget to it.

In the last year, companies have been victims of malware (43%), online fraud and phishing (40%), and hacker attacks such as denial of service and credential theft (20%).

When asked to rank the consequences of a cyberattack, data loss was cited by 17%, followed by service interruption (14%) and reputational damage (8%).

Despite the growing spread of cyber risk and awareness of it, only 55% of Italian companies have a formal mitigation plan, and among these 64% rely on solutions from external providers without adequate internal support.

Of the companies surveyed, 58% were large, 22% small and the remaining 20% medium-sized. The predominant sector was finance and insurance (32%), followed by IT and electronics (24%), manufacturing (9%), commercial activities (7%) and public administration (6%).