Report on SME cybersecurity standards

The ENISA Report “Cybersecurity for SMEs” provides insights on the relationship of European SMEs with digital tools and the challenges they face. For example, the majority of the European SMEs that participated in the survey use various information services as part of their daily business operations (e.g. teleworking, e-banking, email and communication services), and 85% of the organisations have identified cybersecurity as a key concern.

Small and Medium-sized Enterprises (SMEs) are the backbone of the EU’s economy. They represent 99% of all businesses in the EU and employ around 100 million people. They also account for more than half of Europe’s GDP and play a key role in adding value to all sectors of the EU economy. They serve both as enablers for the digital transformation and as a core element of the EU social fabric.

Contrary to the notion that cyber-attacks happen only to large organisations, all enterprises can be attacked, regardless of their size and the information they store. Within this report, seven categories of major challenges for SMEs have been identified:

  • low cybersecurity awareness of the personnel,
  • inadequate protection of critical and sensitive information,
  • lack of budget,
  • lack of ICT cybersecurity specialists,
  • lack of suitable cybersecurity guidelines specific to SMEs,
  • shadow IT, i.e. a shift of work to ICT environments outside the SME’s control,
  • low management support.

The ENISA Report concludes with recommendations and guidance at a company, national and European level. Separately, as part of the CONCORDIA project Task T4.3, a methodology for cybersecurity planning and investment has been proposed as a way to further assist and guide SMEs regarding cybersecurity.

Purpose of this report

A team comprising members from Task 4.3 (Economics) and Task 5.3 (Certification and Standardisation) took the recommendations of the ENISA reports and set out to investigate whether such guidelines, templates and standards exist and whether they are in line with the relevant results of the CONCORDIA project.