Cyber threats to small and medium-sized enterprises are the focus of this cyber study, which HDI Insurance has published for the third year in a row. At the end of last year, the company surveyed around 1,500 IT and insurance decision-makers from small and medium-sized enterprises as well as the self-employed about their experiences with the threat of cybercrime. It’s always interesting to see how business owners, managers and other professionals view emerging threats, here’s the word;
With the studies from 2022 and 2023, the insurer can thus draw on more than 2,700 survey results. “Once again this year, we can draw important conclusions from the results,” says Christian Kussmann, Member of the Board of Management for Companies and Liberal Professions at HDI Insurance. For example, this concerns an increased focus of cybercriminals on small businesses, a renewed increase in risk perception, but also a rapidly decreasing awareness of cyber dangers among those affected after an attack.
Focus on SMEs – small companies follow suit
More and more small and medium-sized companies are experiencing cyber attacks. After around 40% in previous years, 53% of participants in the current survey said they had already experienced cyberattacks. Cybercriminals who target companies seem to have focused on medium-sized companies again last year, i.e. companies with 50 to 250 employees. This is suggested by the results of the HDI Cyber Study 2024. While last year’s study already showed a trend towards increased attacks on small businesses (10 to 49 employees), according to the survey of the new cyber study, medium-sized companies are now once again in the focus of cybercriminals.
However, the current trend is particularly pronounced with regard to small businesses: 56% of these companies already have experience with cyberattacks, according to the study. This means that the value has now risen to the same level as that of medium-sized companies. Two years ago, this rate was 37%, according to the HDI study. And according to the latest study, micro-enterprises (up to 9 employees) are also increasingly being attacked, even if they have not yet reached the level of larger companies at 39%. “The new cyber study clearly shows that small businesses, micro-enterprises and freelancers are also becoming increasingly interesting for attackers,” says HDI CEO Kussmann.
Risk perception back to “normal level”
The risk of a cyber attack on a small or medium-sized company in Germany is rated as high or rather high by 49% of the study participants. However, only 38% of those surveyed consider it likely that their own company will be affected. Compared to the previous year, both figures are each around 10 percentage points higher and thus at the same level as in the 2022 Cyber Study survey.
Compared to the values of two years ago, however, there is a tendency to be more aware of one’s own risk of loss. For example, 34% of those surveyed rated the probability of damage to their own company as higher than two years earlier at 27%. In the survey for the 2023 study, on the other hand, the figure was significantly lower at 23% of survey participants. “We therefore assume that the cyber threat to companies had temporarily faded into the background for many due to other current risks such as inflation and supply bottlenecks,” explains HDI Executive Board member Kussmann.
Loss experiences only slightly sustainable
You learn from harm. In principle, this also applies after an attack from cyberspace. However, this insight seems to have a limited shelf life. This is also suggested by the results of the HDI Cyber Study. For example, the summarized survey results of the 2023 and 2024 studies on cyber risk awareness show a remarkable development: Respondents’ assessment of the risk of attack and damage decreases significantly again relatively quickly after an attack on the company: For example, 57 percent of respondents whose company was attacked within 12 months prior to the survey estimate that the risk of attack for their own company as “high” or “very high”. Three years after a cyber attack, this figure has halved: only 27 percent of these respondents share this view.
The results on the risk of damage are similar: Of the companies attacked in the last 12 months, a total of 46 percent of those surveyed assess the risk that their company could be damaged in the event of a next cyberattack as “high” or “rather high”. However, the longer the attack took place, the less this concern becomes: after one to two years, only 39% still hold this view. And after three to five years, only 25% of those interviewed share this assessment. The lowest value is for companies that were not attacked in the 5 years prior to the survey. It’s just 22%.
Experience with cyber attacks is quickly displaced
The trend is even clearer when respondents are asked about the general risk of attack for SMEs: within 12 months of an attack, 65% of respondents rate the risk of an attack for an SME as “high” or “rather high”. However, if the attack occurred more than 12 months ago, only between 36 and 42% of respondents share this view. Apparently, the risks of a new attack are overshadowed and displaced by other issues after a short time. Christian Kussmann therefore concludes: “The negative experience of a cyber attack fades into the background relatively quickly. In my view, talking about “cyber forgetting” is not an exaggeration.”
Be the first to comment