Cybersecurity is increasingly in the spotlight as a result not only of more complex, large-scale attacks (such as those that have happened at Expresso, Vodafone or Gondomar Town Hall in the last two years) but also of those that affect people on a daily basis, such as "hello mom, hello dad" or the theft of personal data.
It's a situation that cuts across all spheres of society, not least the growing digitalization of activities, which means that companies and businesses from the most diverse sectors have to make changes to deal with a threat that seems to be unrelenting. That's why Expresso asked GfK Metris to carry out a survey on the perception of cybersecurity within Portuguese companies as the culmination of the "Security Council" project, which over the course of six months has promoted the discussion of issues related to our technological, military, legal, health, state and corporate security. And the results of the questions put to 255 respondents show that the concern is real, even if there are apparently not as many attacks as you might think.
Only 3% of those interviewed said that their company had been the target of a cyberattack in the last 12 months, with 38% of those affected pointing to phishing attacks (obtaining confidential information via links in emails) as the most frequent, followed by intrusions into Wi-Fi networks, DDoS (denial of service) and ransomware (encryption of files with a ransom demand to restore access), all with 13%.
Of the eight companies targeted by cyber-attacks in the last 12 months, around two thirds (63%) suffered no losses and the response to such attacks was mostly (50%) quick and effective, although 13% considered it to be slow and ineffective. On the other hand, 38% revealed that data and documentation were lost. Around two thirds of the companies surveyed have a clear person responsible for cybersecurity governance, most of whom (69%) report directly to a director or senior manager.
More than half (53%) of respondents say that their company has cybersecurity compliance concerns, or even obligations. However, they are unable to identify the standards applied by their company (50%).
The majority (55%) of those interviewed say that their company has a compliance officer who is specifically concerned with ensuring the existence and implementation of cybersecurity controls in order to guarantee compliance with legal and regulatory obligations.
In the field of awareness of cyber dangers, a third of the employees of the companies surveyed confirmed the existence of programs for preparation, with 34% carrying out cybersecurity tests at least once a year and 50% indicating a higher frequency.
Even with greater attention and awareness, there are still steps that institutions need to take. Not all companies make widespread use of strong authentication (41%), although 35% do. Even against this backdrop, passwords are changed at least once a year in 41% of cases and 24% even say they are changed monthly.
Most companies have no policy on the professional use of personal devices. […]n half of respondents say their company has strict access controls to deal with sensitive data, with 20% saying they regularly audit data access and use and 7% encrypting all sensitive data.
Among the cybersecurity measures implemented, 79% cyber-protect their critical information systems and 43% already use the services of a company specializing in cybersecurity.
The high price of solutions on the market (31%) is cited as the main barrier to implementing new measures to strengthen cybersecurity in companies. Although the majority of those interviewed (55%) consider that their level of concern about cyber-attack threats has remained the same over the last 12 months, 40% say that this concern has increased.
As a result, 37% guarantee that their company will invest up to €30,000 in cybersecurity over the next 12 months, with only 2% putting the investment at between €30,000 and €200,000. 61% admit they don't know the amounts involved or what is being done in this field.
The interviewees had difficulty coming up with suggestions for improvement, with 28% saying there was nothing to improve and 23% not thinking it necessary to indicate resources and support that would contribute to this. However, in both cases, employee training (6% and 11% respectively) is the most mentioned aspect.
Only 18% of respondents believe that the company is not familiar with the cybercrime investigation process, but nearly two thirds (64%) say that the company has never collaborated with external entities during cybercrime investigations.
Half cannot identify the difficulties the company faces in investigating cybercrime, but among those who can, the difficulty in identifying the source of the attack is the most mentioned (19%), followed by insufficient access to legal tools, with 17% of responses, and 15% for the lack of internal skills and resources.
Identifying cyber-attacks is something that the interviewees admit to being able to do, with greater or lesser certainty. On a scale of 1 to 10, where 1 means "not at all able" and 10 "very able", 20% give their ability an 8, with 7 getting 18% and 1 getting 2%. "I believe that there is still some ignorance that urgently needs to be overcome," concludes António Gomes, director general of GfK Metris, for whom "companies will necessarily have to incorporate cybersecurity measures as a productive cost factor, without which they cannot operate in the market, whatever the sector or industry."
This project is supported by sponsors, and all content is created, edited and produced by Expresso (see Code of Conduct), without external interference.
Expresso
Tiago Oliveira, Journalist