
Executive summary of the Study on security and e-trust in the small and micro Spanish companies

OBSERVATORIO DE LA SEGURIDAD DE LA INFORMACIÓN


INFORMATION SECURITY OBSERVATORY
Objectives and Methodology

STUDY OBJECTIVES

- To contrast the security perception of the small and micro Spanish companies with the real situation of their computers.
- To analyze the degree of e-trust and security among the companies.
- To guide public initiatives to improve security and generate an environment of trust in the Information Society.

STUDY METHODOLOGY

Online study combining opinion surveys with a remote audit (iScan):

- Surveys to small and micro companies: n = 2.206 (February - July 2009); margin of error ±2,1%, confidence level of 95.5%.
- Equipment scan: 622 equipment (February-July 2009); margin of error ±4,0%, confidence level of 95.5%.

Perception vs. Reality

Technical Specification

Universe
Spanish companies with fewer than 50 employees, differentiating between micro-enterprises (fewer than 10 employees) and small companies (10-49 employees).

Sample
2.206 organizations and 622 equipments

Sampling Distribution
Stratified random sampling (number of employees, sector of activity and autonomous communities), proportional to the percentage of Internet use

Capture of information
A web page created for the dissemination of the study and participation + online interviews + online equipment analysis

Field Work
From February to July 2009

Sampling error
According to random sampling criteria, with p=q=0,5 and a confidence level of 95.5%, a margin of error of ±2,1% is established for n = 2.206

Content

- Tools, best practices and security policies
- Security incidents
- Security of mobile and wireless communications
- Security incident response
- E-trust of small and micro companies
- Information security indicators and metrics

http://observatorio.inteco.es

Main Results

- Tools, best practices and security policies. Companies realize the importance of the data and information located on their systems, and have tools and/or solutions at the equipment level and the organizational level.
- The most used tools are antivirus programs (97.8%), firewalls (72.4%), access control tools (66.8%) and anti-spam programs (61%).
- The main measures at the organizational level are the establishment of a data backup system (82.4%), network firewalls (72.9%) and intrusion detection systems (51.7%).
- Best practices: data backup (94.2%) and the upgrade of operating systems and programs (88.9%).
- Plans and policies: security plan (34.3%), security awareness plan (17.6%) and business continuity plan (11.9%).

Main Results

- Security incidents. 48.4% of the equipment analyzed during June 2009 had malware, mainly Trojans and adware, characterized by their high level of diversification and heterogeneity.
- Confirmation that businesses are genuinely unaware of what happens on their computers in relation to the presence of viruses (42.9% believe they have suffered them while the audit has not identified any), Trojans (the real presence, 27.8%, exceeds the perceived level, 21.7%) and spyware (15.1% of businesses believe they have it when it is actually present in 1.4% of equipment).
- Security incident response. 77.4% claim to have suffered a security incident, which has led to 54.9% loss of working time. Even so, 69% of companies said that there is no monetary impact on the business.
- Knowledge of and compliance with regulations on data protection. 60.2% of companies recognize being affected by this legislation. Furthermore, 80% were affected by the fact known to have personal data files.
- The e-confidence of the Spanish companies. 90.3% of small Spanish companies claim to have confidence when performing online banking transactions.

Sizes and safety habits

Implementation of security solutions based on the number of computers that are installed (%)

Sizes and safety habits

Reasons reported by companies for not using the tools and security solutions for equipment (%)

Security incidents

Annual evolution of the level of impact on business equipment after conducting the safety audit (%)

iScan

2008 (n=265): host malware 40,0%, no host malware 60,0%
2009 (n=622): host malware 48,4%, no host malware 51,6%

Security incidents

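Categories of unique variants of malicious code (%)

iScan

[Pie chart. Categories: Trojans, Adware, Tools, Spyware, Worms, Others. Segment values, not matched to categories in the extracted text: 35,1%, 32,6%, 26,9%, 2,9%, 1,8%, 0,7%.]

Number of unique malware variants n = 963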

Security incidents

Number of detections of each unique malware variant, May 2009

iScan

1 detection: 678
2 detections: 231
3 detections: 36
4 detections: 7
5 detections: 5
6 detections: 2

Security incidents

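Classification of computers based on risk level, May 2009 (%)

iScan

[Pie chart. Risk levels: Without risk, Low, Medium, High. Segment values, not matched to risk levels in the extracted text: 51,6%, 31,4%, 11,9%, 5,1%.]

n=622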

Consequences and response to incidents

Security incidents reported by enterprises (%)

Incident: Yes / No / Don't know

Email spam: 63,2% / 34,6% / 2,2%
Virus: 49,2% / 48,8% / 2,0%
Technical failure: 22,8% / 70,9% / 6,3%
Trojans: 21,7% / 68,9% / 9,4%
Spyware: 15,1% / 74,9% / 10,0%
Phishing or telematic fraud: 4,7% / 83,5% / 11,8%
Lost / stolen information: 4,6% / 87,4% / 8,0%
Distributed denial of service (DDoS): 1,5% / 81,9% / 16,6%

n=2.206

Consequences and response to incidents

Reactions after suffering a security incident: change in security habits (%)

Installed / upgraded software / tools: 42,9%
Beginning to use backup tools: 24,6%
Change passwords: 20,7%
Consulting an expert and hiring an audit: 14,1%
Ceasing to use Internet services: 5,4%
Others: 4,0%
No change in my habits: 30,9%

n=1.708

Consequences and response to incidents

Method used to resolve incidents (%)

They are solved by the company staff: 29,1%
An outside security expert is sought: 25,5%
Contact a technical service: 23,3%
Contact the local supplier of computer systems: 16,9%
Contact an acquaintance with knowledge: 3,7%
Others: 1,2%
Does nothing: 0,3%

n=1.708

The e-confidence of small and micro Spanish companies

Use of electronic services via the Internet by businesses (%)

Service: Yes / No

Use of electronic banking: 84,2% / 15,8%
Sending by e-mail / web form: 59,9% / 40,1%
Dealings with the Administration: 57,2% / 42,8%
Use of electronic signature: 50,2% / 49,8%
Payments through Internet: 41,5% / 58,5%
Purchases from suppliers: 41,0% / 59,0%
Sales to customers: 40,6% / 59,4%
Use of electronic invoice: 8,0% / 92,0%

n=2.206

The e-confidence of small and micro Spanish companies

European Comparison by the use of services through the Internet by businesses (%)

[Grouped bar chart. Groups: Spain, EU-15, EU-27. Series: Use of electronic banking; Making efforts with the Public Administration; Use of electronic signature; Sold realization; Sales realization; Use of electronic invoice; Use the web as a sales channel; Allow Internet payment.]

Spain n=329, Europe n=67.303

The e-confidence of small and micro Spanish companies

Level of business confidence when making arrangements with the Public Service over the Internet,
according to company size

n=1.261

System safety indicators

System of indicators of information security (0-100 points)

[Bar chart. Indicators: Tools indicator; Security behaviour indicator; Policies and plans indicator; Global security indicator; E-confidence indicator; Malware incidents indicator; Equipment at high risk indicator. Values, not matched to indicators in the extracted text: 76,1; 73,2; 54,4; 51,1; 48,4; 23,8; 21,0.]

PROTECTION INDICATORS / INCIDENT/RISK INDICATORS

Final Thoughts

- Company size is a constraint when implementing security tools and solutions. Small businesses have a higher installation percentage for almost all tools.
- We show that among business owners there is special concern about the availability of their information technology infrastructure and its supports.
- Small and micro Spanish companies have the perception that security is purely technological. This should therefore improve in order to increase their levels of security and confidence.
- They have also become aware of the risks that may exist, since a large percentage believe they are not susceptible to a security incident because they are considered "uninteresting" for potential attackers.
- Confusion and a real lack of business knowledge of what happens on their computers in the field of security incidents.
- Security tools are necessary but not sufficient, and can cause a false sense of security.
- It is important that everyone involved join efforts to prevent security problems from holding back the development of the Information Society.

SWOT (DAFO) Analysis

Internal Analysis

STRENGTHS
- Good technological capacity.
- High level of implementation of certain security tools.
- High level of use of electronic signatures and other Internet services.
- Increased level of awareness and adaptation in the field of data protection.
- High level of e-trust.

WEAKNESSES
- Existence of vulnerabilities, risks and significant impacts.
- False sense of security.
- Focusing on the technological dimension.
- Slow progress in some areas.

External Analysis

OPPORTUNITIES
- High level of commitment of the Public Administration and business associations.
- Bringing manufacturers of security products closer to the market for information security in enterprises.
- Level of outsourcing of IT functions.

THREATS
- Slow progress in security that might cause a loss of competitiveness.
- Mobile and wireless devices as potential security gaps for enterprises.

http://www.inteco.es

http://observatorio.inteco.es
