SMEs security: Italy unveils the first Cyber Index

Pandemic, economic crisis, war. More and more critical issues involving “organic” reality are reflected in the digital operations of businesses. Cybercriminals have become much more astute in exploiting global trends to establish themselves in corporate networks, steal data, advance their campaigns and demand ransoms. Then, regarding SMEs, the landscape becomes even more complex to monitor, given their numbers, especially in Italy.

Indeed, it is well known how Small and Medium Enterprises represent the core of the economy in our country. About 99 per cent of Italy’s business fabric is based on SMEs. That as a whole, enables the growth and innovation of the entire nation. Especially in the pandemic phase, there has been a need to renew business processes and flows within SMEs, with a focus on digital transformation. Part of this transformation involved cybersecurity, which now requires everyone: citizens, businesses, and public agencies.

If you want to follow a supply chain context, it is good to network. It accompanies small and medium-sized companies on a defence path suitable to ensure protection without limiting productivity. It is in this scenario that the Cyber Index PMI, the first report promoted by Generali and Confindustria, with the scientific support of the Observatories of the School of Management of the Politecnico di Milano and with the collaboration of the National Cybersecurity Agency, presented in Rome.

Giving a national strategy for SMEs security

“ACN needs to put in place a national strategy. Italy is a country that knows how to network and face an emergency compactly. A challenge that Generali, with its partners, has been able to take up.” This is how Nathania Zevi, RAI journalist, introduced the day. As Giancarlo Fancel, Country Manager and CEO of Generali Italia, explained at the presentation of the report, “We want to contribute in a concrete way to spread the culture of cyber security among companies. To increase awareness of vulnerability to cyber risk and to emphasize the importance of adopting adequate protection solutions. In addition to innovative insurance tools, we are committed to ensuring that over time, Italian SMEs become increasingly aware of a crucial and challenging issue for our country, our economy and our society.”

Fancel was echoed by Bruno Frattasi, director general of the National Cybersecurity Agency, who said the SME Cyber Index was also designed to help companies set up appropriate defence measures “and estimate the so-called residual risk. The report presented today, to which ACN provided full support, photographs a well-known reality of the proliferation and exacerbation of digital pitfalls. This is why it is crucial to provide Italian companies with self-assessment tools.”

The opinion of Carlo Bonomi, president of Confindustria, is enlightening: “Italian industry has excellence in the IT sector. We import many technologies. So it is clear that part of the country is more than ready to act and react. Moreover, we need to better structure supply and demand. We have to focus heavily on training from university, where STEM subjects should be encouraged. Beyond human-specific subject matter expertise, we need to transfer expanded cyber expertise to all sectors. All the more so when technologies such as AI are emerging fast everywhere. An Italian strategic supply chain is as necessary as ever.”

cyber index
Overall, the SME Cyber Index Report highlights a situation of low awareness of cyber risks

The number of rising phenomenon

Remo Marini, Group Head of IT & Operations Risk & Security at Assicurazioni Generali, explained that SMEs struggle to strategically approach cyber solutions. The reason? “This is one of the least organized segments, from a security perspective, due to low budgets and lack of internal resources. And this leaves SMEs security uncovered and under potential checkmate. Business managers need to be made aware of the consequences of risks. Communicating is the winning key today because it helps them realize the exposed perimeter and what an attack can cause.”

After all, in four years, from 2018 to 2022, cyber-attacks have increased by 60 per cent globally. In Italy, the increase in 2022 alone was 169 per cent over the previous year. The manufacturing sector was particularly targeted, where a record +191.7% was reached. Spending on cybersecurity, given the premises, is steadily rising, having touched 1,590 million euros in 2022. Can this be enough?

Cyber Index: s challenge for Italian SMEs security

According to Agostino Santoni, Vice President of Confindustria for Digital, not only technology but also specialized resources are needed: “The buzzword is ecosystem. Certainly, it demonstrates how much awareness of cybersecurity risks is increasing. So much so that in the business sphere, it is now considered a strategic factor of competitiveness. It is an issue that the current phase of digital transition has made even more urgent. To manage the implementation of new processes, it must be addressed by working on human capital skills.”

What emerges from the SME Cyber Index report is an Italian scenario composed of four maturity levels. Overall, the 708 SMEs involved achieved an average Cyber Index value of 51 out of 100, with the sufficiency level being 60 out of 100. The SME Cyber Index results from the analysis of three dimensions: The strategic approach, the ability to understand the phenomenon and threats (identification), and the introduction of levers to mitigate the risk (implementation). The report shows that while there is growing attention on the subject, there needs to be a fundamental strategic approach. This should involve the definition of investments and formalization of responsibilities by the Italian corporate population, with an average score of 54 out of 100.

SMEs security had to be proactive

Although implementation levers are more developed, with a value of 56 out of 100, SMEs need help prioritizing. They need the right identification actions to approach the issue in a more reasonable and informed manner. The respondents, representative of the entire population of Italian SMEs, can be grouped into four levels of maturity. 14 per cent are considered mature, 31 per cent can be defined as aware, 35 per cent are informed, and 20 per cent can be defined as a novice.

“Overall, the SME Cyber Index Report highlights a situation of low awareness of cyber risks in a scenario where SMEs represent the engine of our country’s economy,” explained Alessandro Piva, Director of the Cybersecurity & Data Protection Observatory at Politecnico di Milano. “Difficulties in allocating funds and internalizing dedicated professional figures make it complex to identify threats and priorities for action. And often the approach to cyber risk is only of the artisan type.”

Fifty-eight per cent of SMEs manifest concrete attention through an allocated budget for cybersecurity. In terms of risk mitigation, 57 per cent have technological equipment for monitoring anomalies. 41 per cent plan countermeasures to limit business users’ exposure to cyber risks. 17 per cent of surveyed companies have already signed up for a dedicated insurance solution. While 29 per cent are unaware of cyber risk coverage options.

“We have been witnessing a relevant growth in cyber attacks for years, and never before has the cyber threat landscape, further exacerbated by the geopolitical context, made the need for businesses to identify possible sources of risk even more urgent,” Remo Marini further emphasizes. “There is a need to support SMEs by increasing their awareness of cyber risks, increasing their level of maturity and protection, and providing them with the insurance tools useful to mitigate the residual risk.”

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.