IT Security in SMEs: Guidelines published by UNICRI

The UNICRI published in September a new study about the security of Italian small and medium enterprises (SMEs), which are a very attractive target for crooks.

UNICRI (United Nations Interregional Crime and Justice Research Institute) published in September 2015 a new study about the IT security of Italian small and medium enterprises (SMEs). This research is focused on the first semester of 2015 and constitutes the first update following the release of the study entitled "Cybercrime and the risks for the economy and enterprises at the European Union and Italian levels", which was published in December 2014 also by UNICRI.

IT security for SMEs represents one of the most pressing challenges for both the Italian and the European economies. SMEs make up 99.8% of European enterprises and 99.9% of Italian enterprises. In the European Union (EU), 86.8 million people are employed within this sector, making SMEs the backbone of the Italian and European economies; at the same time, they also represent a major point of weakness in terms of security.

SMEs are a very attractive target for cyber criminals; nevertheless, decision makers working in these enterprises still often underestimate the threat posed by cybercrime. No matter the nature of an SME's business, every company is seen as a lucrative target. Various types of information, be it intellectual property, commercial data and contact lists, personal data, account credentials, and more can be sold on the black market to individuals intent on committing fraud, spreading malware and facilitating other crimes. At the corporate level, damage is not only caused via a simple, one-off or indiscriminate attack. Instead, many attacks have long-term consequences. We are now witnessing an increase in targeted attacks that have the aim of appropriating sensitive data, deleting data altogether, or stealing copyrighted material.

Cyber crime is more serious and more widespread than one might imagine. In fact, most cyber attacks are still not being detected and/or reported. Losses due to cyber crime for an individual company can reach up to several million euros. Due to large-scale cyber attacks in 2014, approximately one billion records were compromised, affecting, on average, one in every three Internet users. Many of these records were totally unencrypted and thus easy to exploit.

The number of ransomware attacks more than doubled in 2014, rising from an estimated 4.1 million attacks in 2013 to 8.8 million in 2014. From a psychological point of view, ransomware represents a very profitable form of attack because a victim who has not performed regular backups of their data is normally willing to pay the ransom in order to retrieve it.

Regarding mobile devices, Alcatel-Lucent's Motive Security Labs has estimated that more than 16 million mobile devices around the world have been infected with malware for the purpose of carrying out industrial and personnel espionage, stealing information, and attacking companies, private individuals, banks and governments. In 2014 alone, mobile device infections increased by 25% (an increase of 5% compared to 2013).

The presence of money or data which can be stolen, and the ease with which a target can be compromised, are the main factors that cyber criminals consider when carrying out their activities. Unfortunately, SMEs meet both of these requirements. Nowadays, digital information security and the proper use of the web and computer tools must be considered a priority by each individual citizen, and especially by companies. In this scenario it is necessary to put in place a number of proactive measures to increase awareness in the field.

Considering the growing trend regarding this type of threat, it is more important than ever to develop efficient preventative security systems.

In the event of a security breach, many companies do not even realize they have been attacked. Moreover, when devising a cyber security strategy, enterprises often do not know what can be done in order to protect themselves from cyber threats, and erroneously believe that defensive actions are expensive and solely technical in nature.

A framework for assistance in the implementation of IT security systems is a major element that is lacking in the Italian SME sector. Technical controls, such as antivirus software and firewalls, are in use, but the formulation of a structured policy also needs to be taken into account in order to build a base that can be adapted and re-implemented over time according to the evolution of cyber threats. In response to this environment and the analysis of existing gaps, the suggested plan of action has been the creation of a framework of comprehensive, identifiable guidelines that are adaptable to the various types of SMEs present within Italy.

Accordingly, a set of guidelines was drafted, and subsequently submitted to and validated by IT security experts from leading companies such as Fastweb, IBM, Kaspersky and Microsoft. Additionally, the guidelines were reviewed by three IT managers from three different enterprises who had been interviewed for the previous study on SMEs. Cyber crime poses a severe risk to all types of enterprises throughout Italy. Preventing these risks requires implementing initiatives based on both education and awareness. Action in this field is not only required on the part of SMEs, but also needs to be taken at the national level.