A new study commissioned by the European Economic and Social Committee has found that most European companies are unprepared for the growing risk of cyberattacks. Small and medium-sized companies (SMEs) are the most exposed, as they often cannot afford to invest adequately in cybersecurity.

Overall, the level of investment in cybersecurity is insufficient as 70% of European companies do not understand the extent of their exposure to cyber risks. Most businesses do not realise its importance until after experiencing a security breach.

According to the survey (https://www.eesc.europa.eu/sites/default/files/files/qe-01-18-515-en-n.pdf), four out of five companies have experienced at least one cybersecurity incident over the past year. Finance, healthcare, retail, business services and information technology remain the sectors that are most often targeted by cyber-criminals.

Conducted by The Hague Centre for Strategic Studies, the study also found a visible gap between EU countries in terms of knowledge, awareness and capacity to deal with cybersecurity. Estonia, France and the United Kingdom lead by example.

The study lists numerous challenges, such as discrepancies in threat intelligence sharing policies, an absence of coordinated vulnerability disclosure (CVD) at EU level and a lack of trust when it comes to sharing information between the public and private sector.

It also notes the challenges associated with implementing the General Data Protection Regulation (GDPR). Companies, for instance, are not sufficiently aware of and prepared for the GDPR entering into force, and lack the know-how and systems to fulfil its requirements. As a result, companies are concerned that non-compliance and subsequent penalties incorporated into the GDPR could have a negative impact on businesses.

A number of good practices outlined in the study included public-private partnerships and the creation of ‘cyber communities’ that bring different stakeholders together.