ICT usage in enterprises, 2019
Digitalisation and security in Swedish enterprises
Statistical news from Statistics Sweden 2019-11-20 9.30
The hotel and restaurant industry, the construction industry, and transport and storage enterprises are the most modest implementers of the security measures to prevent data loss at the enterprise, and to avoid intrusion or attacks on the enterprise’s hardware or software.
The usage of digitally connected devices generates enormous amounts of data, which can often be of a sensitive and confidential nature. In its Digital Strategy, the Government has identified six important areas under the objective of digital security. One of these areas is high security requirements. This survey falls within this objective as it aims, in part, to identify and investigate measures related to ICT security, such as controls and procedures applied to ICT systems to ensure the integrity, authenticity, availability and confidentiality of data and systems.
The scope of ICT security and information security in Swedish enterprises can be examined by studying the types of problems enterprises have experienced that can be directly linked to ICT operations or ICT security. The survey results show that, among two percent of enterprises with 10 or more employees, confidential data at the enterprise was disclosed. Among eight percent of enterprises, data at the enterprise was destroyed or corrupted, and 33 percent of enterprises found that ICT services were unavailable at least once in 2018.
The results show that approximately 62 percent of large enterprises with 250 employees or more experienced unavailability of ICT services in 2018. The corresponding share among enterprises with between 10 and 49 employees was 31 percent. In a comparison of industries, the share that experienced unavailability of ICT services was largest in the ICT sector and in the sector for trade and repair of motor vehicles and motorcycles.
| Disclosure of confidential data | Destruction or corruption of data | Unavailability of ICT services | |
|---|---|---|---|
| Total | 2 | 8 | 33 |
| 10-49 employees | 1 | 7 | 31 |
| 50-249 employees | 3 | 9 | 44 |
| 250 employees or more | 8 | 15 | 62 |
| Manufacturing industry (NACE 10-33) | 1 | 9 | 34 |
| Energy and waste-disposal (NACE 35-39) | 1 | 7 | 40 |
| Construction industry (NACE 41-43) | 1 | 5 | 22 |
| Trade; repair establishments for motor vehicles (NACE 45-47) | 1 | 8 | 42 |
| Transportation and storage companies (NACE 49-53) | 1 | 5 | 22 |
| Hotels and restaurants (NACE 55-56) | 3 | 8 | 25 |
| Information and communication companies (NACE 58-63) | 2 | 8 | 44 |
| Real estate companies (NACE 68) | 4 | 8 | 39 |
| Other service companies (NACE 69-74 and 77-82 and 95.1) | 2 | 9 | 37 |
| ICT-sector (NACE 26.1-26.4, 26.8, 46.5, 58.2, 61-62, 63.1, 95.1) | 2 | 8 | 44 |
Operating systems and software updates – an important security measure
The survey examines the type of security measures that enterprises take to avoid data loss at the enterprise, intrusions or attacks against the enterprise, and hardware or software failures.
The most common security measure used by enterprises was operating systems and software updates. This measure was used by 90 percent of all enterprises. A comparison of industries shows that updates were used most in the ICT sector and the energy and recycling industry, 99 percent and 97 percent, respectively, of these enterprises used it in their digital functions. The measure was least common in the hotel and restaurant industry. In this industry, 78 percent of enterprises updated their software and operating systems.
Data backup to another geographical location or a cloud solution was also among the most frequently used measures. This type of measure was used by 83 percent of the enterprises.
| Password authentication | Keeping the software and operating systems up-to-date | User identification and authentication | Encryption techniques for data, documents or e-mails | Data backup to a separate location | Network access control | VPN | Maintaining log files for analysis after security incidents | ICT risk assessment | ICT security tests | |
|---|---|---|---|---|---|---|---|---|---|---|
| Total | 73 | 90 | 9 | 41 | 83 | 72 | 56 | 58 | 52 | 52 |
| Manufacturing industry (NACE 10-33) | 72 | 95 | 7 | 39 | 87 | 79 | 65 | 64 | 54 | 55 |
| Energy and waste-disposal (NACE 35-39) | 82 | 97 | 14 | 53 | 92 | 87 | 83 | 75 | 72 | 70 |
| Construction industry (NACE 41-43) | 65 | 88 | 7 | 23 | 72 | 57 | 35 | 39 | 33 | 38 |
| Trade; repair establishments for motor vehicles (NACE 45-47) | 78 | 93 | 11 | 47 | 86 | 81 | 69 | 70 | 61 | 60 |
| Transportation and storage companies (NACE 49-53) | 64 | 82 | 6 | 29 | 80 | 57 | 38 | 45 | 42 | 40 |
| Hotels and restaurants (NACE 55-56) | 67 | 78 | 6 | 28 | 71 | 55 | 29 | 33 | 29 | 32 |
| Information and communication companies (NACE 58-63) | 86 | 98 | 19 | 78 | 95 | 91 | 78 | 86 | 81 | 74 |
| Real estate companies (NACE 68) | 83 | 95 | 14 | 41 | 90 | 82 | 71 | 76 | 70 | 65 |
| Other service companies (NACE 69-74 and 77-82 and 95.1) | 78 | 92 | 10 | 54 | 87 | 78 | 62 | 64 | 60 | 56 |
| ICT-sector (NACE 26.1-26.4, 26.8, 46.5, 58.2, 61-62, 63.1, 95.1) | 85 | 99 | 19 | 78 | 95 | 93 | 79 | 86 | 82 | 76 |
User identification via biometric methods is not common practice
The measure that was used the least was user identification based on fingerprints, voice, facial structure or other physical characteristics. Nine percent of all enterprises reported that user identification via biometric methods was used in the enterprise’s IT systems. The use of this type of measure was most common in the ICT sector and least common in the transport and storage industry, in which 19 percent and 6 percent, respectively, of the enterprises used it in their digital functions.
On the whole, the hotel and restaurant industry, the construction industry, and transport and storage enterprises make the least use of the surveyed information security and ICT security measures. However, in eight out of ten measures, the hotel and restaurant industry is the least frequent user.
High level of digital security requires the appropriate skills
Secure digitalisation places high demands in terms of security and more advanced competence in information security and ICT security. Expertise may be available within the enterprise among the employees, but it can also be hired externally. Enterprises may also opt to combine internal expertise with external expertise to ensure a high level of digital security at the enterprise.
Fifty-nine percent of all enterprises employed external expertise, such as consultants, to carry out the enterprise’s activities related to information security and ICT security. Such activities may include, for example, data backup, risk assessments, ICT security tests, ICT security training, or addressing incidents. Among the enterprises, 56 percent engaged their own employees for the same tasks.
External expertise was employed most in the energy and recycling industry, 70 percent, and in the manufacturing industry, 69 percent. Own employees were engaged most in the ICT sector, 90 percent, and in the energy and recycling industry, 74 percent.
| External suppliers | Own employees incl. those employed in parent or affiliate enterprises | |
|---|---|---|
| Total | 59 | 56 |
| Manufacturing industry (NACE 10-33) | 69 | 57 |
| Energy and waste-disposal (NACE 35-39) | 71 | 74 |
| Construction industry (NACE 41-43) | 55 | 38 |
| Trade; repair establishments for motor vehicles (NACE 45-47) | 59 | 68 |
| Transportation and storage companies (NACE 49-53) | 52 | 44 |
| Hotels and restaurants (NACE 55-56) | 53 | 39 |
| Information and communication companies (NACE 58-63) | 48 | 90 |
| Real estate companies (NACE 68) | 67 | 64 |
| Other service companies (NACE 69-74 and 77-82 and 95.1) | 65 | 61 |
| ICT-sector (NACE 26.1-26.4, 26.8, 46.5, 58.2, 61-62, 63.1, 95.1) | 48 | 90 |
Requirements for a high level of digital security and demands for more advanced expertise in information security and ICT security also mean that enterprises must work towards increased awareness of ICT security issues among employees.
The survey shows that 44 percent of all enterprises offer voluntary training to their employees or publish information internally, while 26 percent hold compulsory courses, or make compulsory reading materials available. Forty-nine percent of enterprises inform their employees about information security and ICT security in, for example, employment contracts.
Comparisons of individual industries show that the hotel and restaurant industry and the construction industry inform their employees the least about employees’ responsibility concerning information security and ICT security.
| Voluntary training or internally available information | Compulsory training courses or viewing compulsory material | By contract | |
|---|---|---|---|
| Total | 44 | 26 | 49 |
| Manufacturing industry (NACE 10-33) | 43 | 22 | 50 |
| Energy and waste-disposal (NACE 35-39) | 56 | 38 | 64 |
| Construction industry (NACE 41-43) | 25 | 11 | 35 |
| Trade; repair establishments for motor vehicles (NACE 45-47) | 54 | 34 | 51 |
| Transportation and storage companies (NACE 49-53) | 28 | 21 | 42 |
| Hotels and restaurants (NACE 55-56) | 28 | 15 | 38 |
| Information and communication companies (NACE 58-63) | 76 | 45 | 74 |
| Real estate companies (NACE 68) | 60 | 37 | 52 |
| Other service companies (NACE 69-74 and 77-82 and 95.1) | 55 | 34 | 60 |
| ICT-sector (NACE 26.1-26.4, 26.8, 46.5, 58.2, 61-62, 63.1, 95.1) | 75 | 46 | 74 |
Definitions and explanations
- Only results on enterprises with 10 or more employees are reported in the statistical news. More information about the statistics and results for additional study domains can be obtained from the Statistics Database on Statistics Sweden’s website.
The statistics are based on the survey ICT Usage and e-Commerce in Enterprises and is included in Sweden’s official statistics, carried out on behalf of Eurostat. - The population consists of enterprises with 0-9 employees, and 10 or more employees with operations under SNI 2007, in manufacturing (C), supply of electricity, gas, heat and cooling (D), water supply (E), construction (F), trade; repair of motor vehicles and motorcycles (G), transport and storage (H), accommodation and food service activities (I), information and communication (J), real estate activities (L), business services (M), rental, real estate services, travel services and other support services (N) and other service activities (S).
- The regional estimates are reported by national area according to NUTS 2 (pdf).
- For the Government’s digitalisation strategy, see Digital Security.
- Problems related to ICT operations or ICT security experienced by the enterprise in 2018 are defined as follows:
- Confidential data was disclosed due to, for example, intentional or unintentional acts by personnel, hardware or software failures, attacks, intrusions or manipulations.
- The data at the enterprise was destroyed or corrupted due to, for example, errors in hardware or software, malicious software, attacks, intrusion or manipulation.
- ICT services were unavailable due to, for example, hardware or software failure, attack, intrusion or tampering.
- Activities related to information security and ICT security refer to data backups, risk assessments, ICT security tests, ICT security training, addressing incidents.
- Governing documents include personnel training in ICT policy, information security policy, ICT use, ICT security measures, evaluation of ICT security measures, plans for updating information security or ICT security documents.
- For international comparisons, refer to Eurostat: Digital economy and society statistics – enterprises. Eurostat will publish these statistics on 19 December 2019.
Next publishing will be
2020-11-24 09:30.
Feel free to use the facts from this statistical news but remember to state Source: Statistics Sweden.