Internet criminals often target large companies. According to a study, 45% of Swiss companies with more than 250 employees have already been the victim of an attack at least once.

This is shown by the Swiss-VR-Monitor, a semi-annual survey published on Monday by the board of directors association swissVR in cooperation with the auditing and consulting firm Deloitte Switzerland and the Lucerne University of Applied Sciences and Arts. For the study, 400 board members were surveyed on cyber resilience.

In contrast to large companies, small and medium-sized companies (SMEs) appear to be significantly less affected: Only 18% of companies with fewer than 50 employees reported a serious attack.

As a reason for the correlation between company size and the frequency of attacks, Deloitte explained that large companies are more exposed globally and offer cybercriminals larger attack surfaces. “Another explanation for the supposedly lower level of concern among smaller companies is the partial lack of reporting of such incidents to the board of directors,” it said.

There is a need for action here, it said, pointing out that almost half of the companies lacked a clear cyber strategy. And 30% of the companies had not appointed a management team to adequately manage cyber issues. At least eight out of ten supervisory bodies have a risk policy that addresses cyber dangers.

Cyberattacks often have serious consequences for the operational business. By far the most frequent consequence is a business interruption. This is the case for 42% of the companies affected by a cyberattack. Data leaks occurred in a quarter of the companies attacked, and product malfunctions and faulty services in 20%.

In addition to lost sales due to business interruptions, there are high consequential costs, for example for the recovery of data. Only 7% of the attacked companies experienced an outflow of assets. But the financial consequences should not be underestimated, Deloitte wrote.