More than 7 million employees targeted by hackers

35 per cent of small and medium-sized enterprises (SMEs) are afraid of the theft of their employees' personal data, according to a survey undertaken on behalf of ChronPESEL.pl and the National Debt Register under the patronage of the Personal Data Protection Office. The main reasons for these fears are the awareness of frequent attacks by cyber criminals, for whom companies are an attractive target due to the processing of large amounts of data. Micro, small and medium-sized enterprises employ 7.3 million people.

Surveyed entrepreneurs list the frequent successful attacks by cyber criminals on companies (59 per cent), the processing of large amounts of data (29 per cent) and the fact that they are an attractive target for personal data thieves (26 per cent) as the main reasons for being concerned about the theft of employees' personal data. However, it is interesting to compare these responses with the arguments indicated by the more numerous group of entrepreneurs (65 per cent) who are not afraid of such attacks. They list well-secured computers in first place (50 per cent), but in second place the fact that they do not process large amounts of personal data (39 per cent) and that they are not an attractive target for cybercriminals (35 per cent).

- We have the paradoxical situation that the same arguments are a reason for some entrepreneurs to worry about the security of their stored data and for others to sleep peacefully. This illusory sense of security is the greatest danger, because it leads to disregarding it and thus being inactive in taking care of the protection of stored data. Cybercriminals direct their attention to places where they can easily capture data, and companies in the SME sector do not have as effective safeguards as they think, comments Kamil Sztandera, an expert at ChronPESEL.pl.

Meanwhile, according to the Central Statistical Office, SME companies employ 7.3 million employees, which for cybercriminals means 7.3 million potential victims of attacks.

- Any data controller, whether it is a large business entity or a small one and whatever its business profile, can be a target for cyber criminals. The belief that one's attractiveness to hackers is low is dangerous in itself and can cause one to disregard one's tasks in the approach to the technical as well as organisational safeguards applied. Meanwhile, every controller processes the personal data of its employees, customers, contractors, which are very valuable to criminals," assesses the results of the study Konrad Komornicki, Deputy President of the Personal Data Protection Office.

And the data is in the computers

The attractiveness of personal data collected in micro, small and medium-sized companies to hackers is also due to the fact that the vast majority, 83 per cent, store them digitally. Of which half do so only electronically and 33 per cent do so in both paper and digital form. Although traditional documentation is increasingly becoming a thing of the past, 12 per cent of companies still collect sensitive employee information in this way.

Usually, SMEs process around six to seven pieces of essential employee information. Most commonly first and last name (86 per cent) and telephone number (80 per cent). Slightly less frequently, residential address and personal identification number (PESEL number) (75 per cent each). This is followed by e-mail address (70 per cent), bank account number (68 per cent), identity card (62 per cent) and health data about absences or past illnesses (43 per cent).

The size of the company has a decisive impact on where employee data are stored. 38 per cent of micro-entrepreneurs collect employee information in the owner's computer. Medium-sized companies, on the other hand, due to their more complex structure, in the accountant's computer (44 per cent). However, they are also increasingly using more advanced solutions, such as a virtual cloud (32 per cent), or an external server (29 per cent).

High confidence and lack of basic safety rules

Paradoxically, as many as 90 per cent of SMEs say that they protect employees' personal data correctly, and 54 per cent are strongly confident of doing so. Small (55 per cent) and micro companies (54 per cent) are the most confident, while medium-sized companies (47 per cent) are the least confident. Respondents also use varied security methods.

More than half (51 per cent) of SMEs leave access to important documents only to authorised persons. Unfortunately, it is less common for companies to use new technologies to ensure security. 40 per cent of entrepreneurs secure files and folders with passwords, 36 per cent have installed an alarm or burglar-proof door in their premises and 35 per cent have up-to-date versions of anti-virus software.

Less popular methods are keeping paper documents in safes or lockers and monitoring company computers (28 per cent each), or using a remote lock in case of a lost external drive (26 per cent). The least common methods mentioned by respondents are the obligation for employees to change their passwords regularly (21 per cent) and the default locking of USB ports (19 per cent).

- Only 35 per cent of micro-entrepreneurs have full versions of anti-virus software installed on their company computers. Medium-sized companies fare much better in this respect, with a percentage of 56 per cent. However, even this result does not inspire optimism. It shows that almost two-thirds (65 per cent) of the smallest, and more than two-fifths (44 per cent) of the largest SME entities do not observe the basic cyber security principle of regular software updates. As a result, their employees' personal data can be easy prey for hackers, warns Kamil Sztandera.