The webinar “Cybersecurity for SMEs – the EU Scenario and the Italian perspective” brought together representatives from European institutions, Italian SMEs, academia and cyber security practitioners. The meeting was an occasion to identify the key cyber security issues affecting Small and Medium Enterprises and the challenges they pose, both at EU and at national level. This was the first meeting in a series of initiatives that CYBER 4.0 will develop, with a dedicated focus on SMEs and cybersecurity.

Representing 99% of businesses in the EU, SMEs play a key role in the core production system of all national economies, and they are often suppliers of solutions and services to larger organizations as well, including national critical infrastructures.

However, because SMEs generally put fewer security measures in place, they have become a preferred target of cybercriminals, who have also exploited the additional challenges created by the COVID pandemic and the changed working conditions.

The main threats identified for SMEs, ordered by the percentage of SMEs that suffered each type of malicious event, are: Phishing (41%), Web-based Attacks (40%), Malware (39%), Insider (19%), DoS (12%), Social Engineering (11%) and stolen devices (7%).

Of particular relevance for SMEs is the so-called CEO fraud, in which criminals impersonate the organization's top-level management and order financial operations, causing significant losses to the company.

The EU has been paying increasing attention to these issues and has developed a number of initiatives on cybersecurity in SMEs, in order to increase the resources dedicated to cybersecurity, strengthen awareness of possible risks and enhance capacities to handle them.

A major player at EU level in this field will certainly be the newly established European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC), which has just started operations in Bucharest and whose mission is to increase Europe’s cybersecurity capacities and competitiveness. It will work together with a Network of National Coordination Centres (NCCs) to build a strong cybersecurity community and to implement relevant parts of the Digital Europe and Horizon Europe programmes by allocating grants and carrying out procurements. Notably, one of its objectives is to “Provide financial support and technical assistance to cybersecurity start ups and SMEs to connect them to potential markets and to attract investment”.

The action of the ECCC in the context of SMEs will be strongly based on the work that ENISA – the European Agency for Cybersecurity – has been doing in this field. Specifically, ENISA has developed a series of initiatives dedicated to SMEs, including a report on the current situation (), a SecureSME online tool (https://www.enisa.europa.eu/securesme#/) and a guide for SMEs (https://www.enisa.europa.eu/publications/cybersecurity-guide-for-smes, Italian version here: https://www.enisa.europa.eu/publications/report-files/smes-leaflet-translations/enisa-cybersecurity-guide-for-smes_it.pdf).

The situation in Italy closely follows what was highlighted at the EU level: Italian SMEs have likewise been targeted by an increasing number of cyber-attacks, and the challenges they face are in line with those highlighted at European level. This is also confirmed by a survey conducted by the Confederation of Italian Industries, Regional Section for the Lazio provinces, which found major critical issues in the lack of competencies, in the protection of the network and in weak credential handling.

Italy has beefed up its institutional measures to deal with cyber security at large, especially through the recent establishment of the National Cybersecurity Agency, and to specifically support SMEs in their need to strengthen competencies, also through the operationalization of CYBER 4.0, the national Cyber security Competence Center promoted by the Italian Ministry of Economic Development.

Several recommendations were put forward. The key takeaways, which will be the basis of upcoming initiatives conducted by CYBER 4.0, are listed below:

  • The maturity level of SMEs is heterogeneous: while there are virtuous examples of organizations that pay strong attention not only to end-point security but also, and most importantly, to network security and data protection, the vast majority of SMEs limit their cybersecurity spending to basic solutions that protect only the end-point.

  • The challenges SMEs face certainly include technical issues, such as the use of legacy systems that don’t implement basic cybersecurity controls, but also organizational issues, such as the lack of adequate staffing for cybersecurity or, more generally, of resources, including finances.

  • Furthermore, cybersecurity for SMEs seems to lack a specific focus in the legislation of almost all EU countries, whereas national critical infrastructures are, almost everywhere, subject to specific compliance obligations that also require them to allocate a proper budget to implement essential cybersecurity controls.

  • The Recovery and Resilience Plan offers a unique opportunity to develop a consistent program to strengthen the capacities of SMEs and create a comprehensive framework to facilitate cross-sector cooperation on cybersecurity matters, including the possibility of starting a national ISAC (Information Sharing and Analysis Center) open to the participation of SMEs.

  • Consideration should be given to the possibility of identifying targeted guidelines for SMEs, as well as proper risk management frameworks, which could take into account the needs and the resources available and could specify an affordable plan. In this context, one could also consider the possibility of defining cybersecurity standards relevant to SMEs.

  • The use of the Italian National Framework for Cybersecurity and Data Protection seems to be a promising good practice for SMEs to assess their readiness level in the cybersecurity domain and to identify the areas where intervention is critical. CYBER 4.0 has the mandate to support SMEs in this task, and a relevant program is being rolled out in this context.

  • The need for sound programs to build the capacities of SMEs is compelling. Training initiatives should be promoted, tailored to the resources that SMEs can reasonably allocate to them, and interventions should be segmented on at least three levels: basic awareness provided to the largest possible audience; specialist courses developed for those who are operationally in charge of the IT infrastructure; and training on organizational, legal and policy issues for the top management level. Once again, the funds provided in the National Recovery and Resilience Plan could give a decisive initial input to start a systematic deployment of such training programs.