In contrast to large companies, small and medium-sized companies (SMEs) appear to be significantly less affected: Only 18% of companies with fewer than 50 employees reported a seriattack.

As a reason for the correlation between company size and the frequency of attacks, Deloitte explained that large companies are more exposed globally and offer cybercriminals larger attack surfaces.“Another explanation for the supposedly lower level of concern among smaller companies is the partial lack of reporting of such incidents to the board of directors,” it said.

There is a need for action here, it said, pointing out that almost half of the companies lacked a clear cyber strategy. And 30% of the companies had not appointed a management team to adequately manage cyber issues. At least eight out of ten supervisory bodies have a risk policy that addresses cyber dangers.

Cyberattacks often have sericonsequences for the operational business. By far the most frequent consequence is a business interruption. This is the case for 42% of the companies affected by a cyberattack. Data leaks occurred in a quarter of the companies attacked, and product malfunctions and faulty services in 20%.