The Cyber Risk Self-Assessment project is underway. The initiative promoted by Unindustria, in particular by the IT, Security and Communications sections, was presented by Dr. Gianfilippo D’Agostino, vice president of Unindustria with responsibility for digital transformation, during the Presidency Council on 24 September.
The goal of the project is to assess the level of security and exposure of SMEs to cyber risks, establish their needs in general terms, and increase their awareness and skills to protect corporate assets.
SMEs are the cornerstone of the national and European economy, but they can also be a weak link in terms of security, as they can be attacked from many sides. With the increased use of IT tools by all types of SMEs and the digitization of services and production processes, the attack surface widens and exposure to IT and cyber risks grows, so it becomes essential for every company to guarantee adequate levels of IT security.
Consequently, to safeguard a company's business, know-how, reputation, digital services and the security of its customers' data, it is necessary and urgent to have full awareness of the company's current level of cybersecurity, in order to achieve an adequate level of protection in line with international standards.
The working group was opened and coordinated by Poste Italiane, which worked with companies and universities, obtaining the “scientific collaboration” of the National Cybersecurity Laboratory of CINI as well as of the Rome Biomedical Campus. Other companies associated with Unindustria also contributed to the project, such as ENEL, TIM, Almaviva, BT, GFX, Teleconsys, Technologie e Comunicazioni – Automatic Control.
To date, the main activity has involved the preparation and dissemination of a self-assessment tool for companies. The approach used in the analysis methodology consists of three operational phases:
1. CYBER SECURITY SURVEY:
The SME fills in a checklist anonymously.
2. CLUSTERING AND SECURITY STATUS ASSESSMENT:
The SME is categorized into one of three levels of maturity and its risk level is assessed (critical – sensitive but not organized – advanced) by analysing the survey results, with the result shown immediately in «risk radar» mode.
3. DATA ANALYSIS AND ACTION PLAN:
Data analysis and focus on SME issues, in order to provide support and targeted intervention plans, aimed at raising the level of security.
The test was performed on a sample of 117 companies from the three sections of Unindustria (IT, Security and Communication), which worked on preparing the test, to verify its initial effectiveness.
The feedback was positive, and the goal now is to extend the test to the other associates and to evaluate the possibility of making it available externally as well.
The outcome across the four company size classes (micro-enterprise – small enterprise – medium-sized enterprise – large enterprise) is that the level of security rises with the size of the company, while variability decreases as size increases. That is, while micro-enterprises include both extremely risky and extremely protected companies, in large enterprises the security range is 59-97% (more stable and, therefore, less variable).
Micro-enterprises show an important gap with respect to large companies, which are more mature in terms of security against cyber risks.
16 October 2019