Digital platforms in recent years, and overall during the Covid-19 pandemic, have become the privileged space where individuals can carry out their work, social and leisure activities. The digital environment is vast and, therefore, an ideal ground for cyberattacks that can be either indiscriminate or targeted, aimed at large and small organisations in both the public and private sectors. Therefore, Internet usage and its connected devices offer new opportunities for people and companies but, at the same time, create new risks. The range of potential attacks and attackers is wide and becoming more so by the day, up to the point that at the Davos World Economic Forum of 2021 cybersecurity was regarded as one of the greatest economic risks for the ongoing year. The new technologies, mobiles, smart devices connected to the Internet of Things and many artificial intelligence applications expose both private and public organisations to attackers, increasing the risks of, for example, shutdowns or subversion of industrial control systems. Furthermore, attacks are becoming worryingly more sophisticated and costly to detect.
The magnitude of the phenomenon evident by analysing the data on computer attacks that affect the electronic devices we use daily. According to a study carried out by Comparitech in the third quarter of 2019, 9.68% of computers and 3.04% of mobile devices in the EU were infected with malware. These are software intentionally designed to cause damage to a computer, server, client or computer network. Comparing the European data with that of the other major world economies, we can see how the European Union ranks first for the percentage of infected computers, ahead of China, Japan, the USA, South Korea and the UK. Instead, where mobile devices are concerned, the EU Member States are on average more protected than those of all the other geographical areas considered with the exception of Japan. Analysing the data of the EU MSs, we can see that those most targeted by cyberattacks on computers are France (15.09%) and Greece (14.59%). Instead, those most vulnerable on mobile devices are Romania (5.04%) and Italy (5.01%).
The Covid pandemic has created new opportunities for cyber criminals. According to the EU Commission, 40% of European workers have experienced forms of tele-working since the start of the pandemic, making home computers, which are generally less protected than office and company devices, the point of access to data and valuable digital activities. For example, in April 2020, the Swiss National Cybersecurity Centre received 350 reports of cyberattacks (phishing, fraudulent web sites, direct attacks on companies, etc.) compared to the usual 100-150. The pandemic and the increase in working from home were seen as a major cause of this, since individuals working at home do not enjoy the same level of protection as those in a working environment (e.g., specialised operators dealing with IT security and advanced detection systems).
The exponential growth of the problem must push European organisations, public and private, to increase their budget in IT security. The “NIS Investments” report released by ENISA in December 2020 shows how the average IT security spending of European organisations (in relation to the IT budget) is considerably lower than the average for US organisations. Looking at data released by ENISA, we can see that among European countries, the French organisations allocate the largest share of their IT budget to security. The MS with the worst performance (among those considered in the ENISA analysis) is Belgium with only 1.2% of the average IT budget devoted to cybersecurity. The average budget invested by businesses for NIS Directive implementation projects is approximately €175,000, with 42.7% of affected organisations allocating between €100,000 and €250,000. The sectors in which the largest share of the IT security budget is invested are in banking and financial services (5.6%), pharmaceuticals (5.5%) and software publishing and internet services (4.7%). The sectors registering the worst performance are also two of the most important – education (2%) and transport (1%). Transport, in particular with the spread of self-driving vehicles, could become increasingly targeted by cybercriminal attacks.
The Commission is very aware of the need for further investments in the sector. For this reason, it has included cybersecurity among the problems that MSs will have to solve through the use of funds from the Next Generation EU. As well as the reinforcements financed under Next Generation EU, other programmes are focusing on making the Union more resilient and addressing challenges that have been heightened by the pandemic and its consequences. These include boosting the Union’s cyber-defences and supporting the digital transition by equipping the Digital Europe Programme with a total budget of €8.2 billion.
Read our Cybersecurity Policy Brief here.