17 Mar 2021

5 key figures on the cyber vulnerability of SMEs and public organisations

Covid-19 is not the only pandemic looming over us: we are also under the constant threat of a simultaneous and targeted cyber attack against 25,000 SMEs and public organisations. Given the poor level of cyber protection in French private and public companies, such an event could paralyse France’s entire economy.

Ozon has carried out the first large-scale internet attack surface detection study of 22,627 small and medium-sized enterprises and public organisations (between 10 and 250 employees). The results show “a very high level of cyber vulnerability, underpinned by some major security flaws”, says Régis Rocroy, the founder of Ozon. The proof, in five figures.

1 | 96% of the SMEs and public organisations analysed don’t use email security protection

Phishing, spear phishing, malware and ransomware: the email inboxes of SMEs and public sector organisations offer a treasure trove of unlocked gateways for computer hackers. The specialist study carried out by Ozon reveals that almost all private and public organisations have no security protection to detect and/or block cyber attacks on their employees’ emails. With the rising popularity of working from home and the increased stress caused by Covid-19, there is a much greater risk of human error that could expose businesses or local governments to private data theft or ransom demands.

2 | 95% of websites have no specific protection against application cyber attacks

Attacks such as Cross-Site Scripting (XSS) and SQL injection (SQLi) exploit security flaws in websites, web services and web applications:
  • The first allows malicious programs to be installed in an attempt to steal sensitive customer data,
  • The second allows cybercriminals to directly access the database.
During its study, Ozon noticed that a very small minority of websites in France were protected against application-based cyber attacks. This lack of protection is even more critical considering that each site had an average of 63 common vulnerabilities and exposures (CVE): known and documented flaws for which security updates already exist.

3 | 80% of public organisations are vulnerable to cyber attacks

Eight out of ten public organisations are vulnerable to a cyber attack, compared to seven out of ten private SMEs of a comparable size. And yet the consequences are just as devastating for an organisation in the public sector as for one in the private sector: data theft, service downtime, financial loss, etc. The Covid pandemic has also led to more ransomware attacks on hospitals, since hackers know that such establishments will choose to pay up rather than risk long-term disruption.

4 | 79% of e-Commerce websites aren’t protected by a web application firewall (WAF)

An overwhelming majority of e-Commerce sites use a CMS, a content management system that serves as the foundation for the website. The most popular CMSs release regular updates to improve features, but they rely on a web application firewall for security. A WAF protects e-Commerce websites against cyber attacks such as SQL injections, XSS and other threats that target known software vulnerabilities. In a sample of 1,508 e-Commerce websites, only 21% were protected by a web application firewall. This lack of protection is even more critical considering that each site had an average of 68 common vulnerabilities and exposures (CVE).

5 | 74% of HTTPS protocol elements have security flaws

The SSL/TLS protocol, or HTTPS (HTTP/TLS), plays a key role in internet security. It was invented to guarantee the identity of a website and protect data transfer using encryption technology. But the HTTPS protocol does not offer fully comprehensive cover against cyber attacks: almost three quarters of SSL/TLS elements have cryptographic weaknesses or software vulnerabilities. The main vulnerabilities identified and the ways to exploit them have been well known since as early as 2013/2014… The SSL/TLS stack is a critical security component that must be regularly monitored, updated with the latest security patches and correctly configured to avoid using SSL v3, TLS 1.0 and TLS 1.1.

Cybersecurity is a national concern for Thibaut Bechetoille, president of Croissance+ and co-director of Ozon: “The future growth of SMEs will hinge upon their ability to create a culture of digital trust with their customers and partners.”

The first step is performing a free cyber threat evaluation with the SME CyberCheck tool!
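
The configuration advice in section 5 (avoid SSL v3, TLS 1.0 and TLS 1.1) can be checked mechanically. The following is an added example, not code from Ozon or its study: it assumes an nginx web server, whose `ssl_protocols` directive lists the enabled versions, and the function name and sample configuration are constructed for illustration.

```python
import re

# Tokens nginx's ssl_protocols directive uses for the versions the article
# says to avoid: SSL v3, TLS 1.0 and TLS 1.1.
DEPRECATED = ("SSLv3", "TLSv1", "TLSv1.1")
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]*);")

def audit_ssl_protocols(config_text):
    """Return (findings, saw_directive): findings lists (line_number, tokens)
    for each ssl_protocols directive enabling an obsolete version;
    saw_directive is False when the file relies on the server's default list.
    """
    findings, saw_directive = [], False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        saw_directive = True
        enabled = match.group(1).split()
        # Exact token comparison: "TLSv1.2" must not be mistaken for "TLSv1".
        weak = [p for p in DEPRECATED if p in enabled]
        if weak:
            findings.append((lineno, weak))
    return findings, saw_directive

# Constructed sample configuration (not taken from any real site).
SAMPLE = """\
server {
    listen 443 ssl;
    server_name shop.example;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak: legacy versions on
}
server {
    listen 443 ssl;
    server_name intranet.example;
    # ssl_protocols TLSv1;  (commented out, must be ignored)
    ssl_protocols TLSv1.2 TLSv1.3;               # corrected setting
}
"""

if __name__ == "__main__":
    results, explicit = audit_ssl_protocols(SAMPLE)
    for lineno, weak in results:
        print(f"line {lineno}: disable {', '.join(weak)}")
    if not explicit:
        print("no ssl_protocols directive: review the default protocol list")
```

A file with no `ssl_protocols` line is reported separately because the server then uses its built-in default list, which depends on the installed version and needs its own review.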