
Study on the security and e-trust in the small and micro Spanish companies

OBSERVATORIO DE LA SEGURIDAD DE LA INFORMACIÓN


Study on the security and e-confidence in the small micro and Spanish companies Página 1 de 142
INFORMATION SECURITY OBSERVATORY
Observatorio de la Seguridad de la Información - Information Security Observatory
Edition: December 2009

The Study on the security and e-trust in the small and micro companies has been prepared by the team of the INTECO Information Security Observatory:

Pablo Pérez San-José (Coordinator)

Susana de la Fuente Rodríguez

Laura García Pérez

Javier Rey Perille

Héctor René Suárez Suárez

INTECO wishes to acknowledge the participation in the field work and research for this study of:

This publication belongs to the Instituto Nacional de Tecnologías de la Comunicación (INTECO) and is licensed under a Creative Commons Attribution-NonCommercial 2.5 Spain license, under which it may be copied, distributed and publicly communicated subject to the following conditions:
• Attribution: The content of this report may be reproduced in whole or in part by third parties, provided its origin is cited and express reference is made both to INTECO and to its website: www.inteco.es. This attribution may in no case suggest that INTECO endorses those third parties or endorses the use they make of its work.
• Non-commercial use: The original material and derived works may be distributed, copied and displayed as long as the use is not commercial.
When reusing or distributing the work, the license terms of this work must be made clear. Some of these conditions may be waived if permission is obtained from INTECO as holder of the copyright. Nothing in this license reduces or restricts the moral rights of INTECO. http://creativecommons.org/licenses/by-nc/2.5/es/
This document meets the accessibility requirements of the PDF (Portable Document Format) format. It is therefore a structured and tagged document, provided with alternatives for all non-textual elements, with language marking and a suitable reading order.
For further information on building accessible PDF documents, consult the guide available in the Accessibility > Training > Manuals and Guides section of http://www.inteco.es/

Study on the security and e-confidence in the small micro and Spanish companies Página 2 de 142
Observatorio de la Seguridad de la Información - Information Security Observatory
TABLE OF CONTENTS

TABLE OF CONTENTS ..... 3
KEY POINTS ..... 7
I Tools, good practices and security policies ..... 7
II Security incidents: perception and real situation ..... 11
III Effects of security incidents and reaction to them ..... 12
IV e-Confidence ..... 13
V Security indicator system ..... 13
VI Recommendations ..... 14
1 INTRODUCTION AND OBJECTIVES ..... 16
1.1 Introduction ..... 16
1.1.1 Instituto Nacional de Tecnologías de la Comunicación (Spanish National Institute of Communication Technologies, INTECO) ..... 16
1.1.2 Observatorio de la Seguridad de la Información (Information Security Observatory) ..... 16
1.2 Study on the security and e-trust in the small and micro Spanish companies ..... 17
1.2.1 General objective ..... 18
1.2.2 Specific objectives ..... 18
2 METHODOLOGICAL DESIGN ..... 20
2.1 Characterization of the universe under study ..... 21
2.2 Phases of the research project ..... 22
2.2.1 Phase 1: Compilation and study of information ..... 22
2.2.2 Phase 2: Security audit ..... 23
2.2.3 Phase 3: Company surveys ..... 25

2.2.4 Phase 4: Preparation of the report ..... 28
3 TOOLS, GOOD PRACTICES AND SECURITY POLICIES IN SMALL AND MICROCOMPANIES ..... 30
3.1 Security tools ..... 30
3.1.1 Level of implementation of security tools in small and micro Spanish companies ..... 31
3.1.2 Reasons declared by companies for not using the different security tools in their equipment ..... 36
3.1.3 Staff dedicated to information security ..... 38
3.1.4 Annual evolution of security investment relative to IT spending ..... 42
3.1.5 Security product and service needs in small and micro Spanish companies ..... 44
3.2 Security good practices ..... 45
3.2.1 Making backups ..... 46
3.2.2 Updating programs and operating systems ..... 50
3.3 Knowledge of and adaptation to data protection legislation ..... 52
3.4 Security plans and policies ..... 59
4 SECURITY INCIDENTS: PERCEPTION OF SMALL AND MICROCOMPANIES AND REAL SITUATION OF THEIR EQUIPMENT ..... 66
4.1 Perception of security incidents by companies ..... 66
4.2 Real incidents detected in the computers of small and micro Spanish companies ..... 68
4.2.1 Evolution of malware incidence ..... 71
4.2.2 Typology of the detected malicious code ..... 72
4.2.3 Diversification of the detected malicious code ..... 74
4.2.4 Danger presented by malicious code and equipment at risk ..... 77

4.2.5 Factors influencing the infection status of the equipment ..... 79
5 SECURITY OF MOBILE AND WIRELESS COMMUNICATIONS IN SMALL AND MICROCOMPANIES ..... 81
5.1 Security in advanced mobile devices ..... 81
5.2 Security in wireless connections ..... 84
6 CONSEQUENCES, REACTIONS AND RESPONSES TO SECURITY INCIDENTS IN SMALL AND MICROCOMPANIES ..... 87
6.1 Consequences of security incidents ..... 87
6.2 Reactions of companies to security incidents ..... 90
6.3 Response of companies to security incidents ..... 92
7 E-CONFIDENCE IN SMALL AND MICROCOMPANIES ..... 94
7.1 e-Confidence in the Information Society ..... 96
7.1.1 e-Confidence in procedures with the Public Administration ..... 96
7.1.2 e-Confidence in electronic commerce ..... 98
7.1.3 e-Confidence in electronic banking operations ..... 102
7.1.4 e-Confidence in the electronic signature and the sending of personal data ..... 104
7.2 Inhibitors to the development of the Information Society ..... 107
8 INFORMATION SECURITY INDICATOR SYSTEM FOR SMALL AND MICROCOMPANIES ..... 110
8.1 Analysis of the information security indicators ..... 115
9 CONCLUSIONS ..... 117
9.1 SWOT analysis ..... 122
9.1.1 Strengths ..... 122
9.1.2 Weaknesses ..... 123

9.1.3 Opportunities ..... 124
9.1.4 Threats ..... 125
10 RECOMMENDATIONS ..... 126
10.1 Recommendations to small and microcompanies ..... 126
10.2 Recommendations to manufacturers ..... 128
10.3 Recommendations to the Public Administrations ..... 129
10.4 Priority of the recommendations ..... 131
APPENDIX: BIBLIOGRAPHY ..... 133
LIST OF FIGURES ..... 135
LIST OF TABLES ..... 140

KEY POINTS

As part of INTECO's commitment to the Spanish business community, the Information Security Observatory publishes the Study on the security and e-confidence in the small and micro Spanish companies. The report diagnoses the situation of Spanish companies with fewer than 50 employees in three respects: the adoption of information security measures in their equipment and facilities, the level of security incidents suffered and, finally, the degree of confidence the companies place in Information and Communication Technologies (ICT).

The analysis follows a methodology that combines surveys of company owners with online security audits of the equipment of the companies taking part in the study. The audits were carried out with iScan, a tool developed by INTECO that analyzes the systems and provides empirical information on the tools installed, the update level of the systems and the degree of infection of the equipment.

The advantage of this methodology is that it allows a figure based on the owner's perception of the information security of his company to be contrasted with a real figure based on the analysis of the actual security level of the company's equipment.

The report analyzes separately the particularities of microcompanies (those with fewer than 10 employees) and small companies (those with between 10 and 49 employees).

With this report INTECO continues the line of work begun in 2008 with the publication of the Study on security incidents and needs in the small and medium Spanish companies and the Study on the degree of adaptation of the Small and Medium Spanish Companies to the Data Protection Act (LOPD) and the new Implementing Regulation (RDLOPD).

Some of the key points of the diagnosis follow.

I Tools, good practices and security policies

Security tools installed in the equipment

The security level of the equipment of small and micro Spanish companies with fewer than 50 employees is acceptable. The protection tools considered basic are in very widespread use: according to the surveyed companies' own declarations, 97.8% of companies report having antivirus installed in their corporate equipment, followed by 72.4% that report having a firewall and 66.8% that report having some means of access control on their equipment.

In all three cases, the level of use among Spanish companies exceeds the level shown internationally, where companies lag 17.8 percentage points behind the Spanish ones in antivirus use, 8.3 points for firewalls and 22.9 points for access control on equipment.

More specialized security solutions installed in the equipment are more present in small companies (10 to 49 employees) than in microcompanies (fewer than 10 workers). Thus, the use of different privileges on each computer depending on the user is applied by 51.3% of small companies, as opposed to only 30.2% of microcompanies, and tools that allow access to the corporate network from home are adopted by 36.2% of companies with between 10 and 49 workers, as opposed to 20.3% of companies with up to 9 employees.

It appears that, regardless of size, companies use basic protection measures, while the use of more specialized security tools grows with the number of employees.

The real level of antivirus installation, according to the security audits performed with the iScan tool, shows that 93.1% of the analyzed computers actually have an active antivirus tool. The gap of 4.7 percentage points between the declared level of use (97.8%) and the actual level of installation (93.1%) represents companies that believe their equipment is protected by antivirus when in fact it is not.

Information security tools adopted at corporate level

Beyond the protection of the company's individual computers, there is a series of tools which, adopted at corporate level, help to increase the company's security. These include techniques to ensure that backups of data are made (available in 82.4% of the companies taking part in the study), the installation of a network firewall (72.9%) and the adoption of intrusion prevention systems (51.7%).

Existence of staff responsible for information security

17.8% of companies have staff dedicated to IT matters, as opposed to a majority of 82.2% that acknowledge having no employee on the payroll with these functions. The small Spanish company opts to outsource its IT services to personnel external to the company.

Among the companies that do have in-house IT staff, nearly 80% have a person responsible for IT security, either as an exclusive responsibility or as one shared with other technical functions.

Technology investment by the small and micro Spanish company

Regarding the investment made by companies in IT equipment, 79.9% consider that they have invested enough, as opposed to 17.4% that acknowledge having devoted few resources to it and 2.7% that declare having spent more than expected on the acquisition of technology.

It seems that, in general, companies are comfortable with their level of ICT investment. But how much have they invested? In the absence of absolute investment figures, which are not the object of this study, participants were asked about this year's level of investment relative to that of the previous year. Only 2.6% of companies invested more than the previous year, and a further 7.8% kept investment at a constant level. The majority, 88.7% of small and micro Spanish companies, acknowledge having devoted fewer resources to IT equipment than in the previous year.

Demands and needs of the small Spanish company in information security

In a context characterized by correct adoption of basic security tools among small Spanish companies, a tendency to outsource IT services and an investment in technology below that of the previous year, what security needs do companies face?

76.3% consider security reviews necessary or very necessary, while 73.2% say the same about the availability of security incident resolution services. Somewhat less necessary, with 66.5% of responses, is specialized security training.

Regarding needs relating to the features of the tools, what the small and micro Spanish company values most is the quality and effectiveness of the IT security product: 66.6% of the participants in the study say they value this feature highly. After it, the quality of after-sales service (62.2%), ease of maintenance of the tool (59.7%) and ease of installation (44.4%) are also positively valued aspects.

At this point it is worth highlighting the work of INTECO's Security Technologies Show-Room for SMEs, aimed at promoting and spreading the use of information security technologies among micro Spanish companies. The Security Technologies Show-Room acts as a mechanism for supporting early demand, addressing the needs of companies through various lines of work: it compiles a catalogue of security products, solutions and services and carries out awareness actions on the need to implement secure working environments.

Information security good practices carried out by small and micro Spanish companies

To guarantee a suitable level of security it is necessary, in addition to the right tools, to follow a series of good practices. In particular, backing up files and updating programs are guidelines necessary to guarantee a secure business environment. The study data show that Spanish companies present a high level of compliance with both behaviours.

94.2% of Spanish companies with fewer than 50 employees make backups, and the percentage reaches 99.1% among companies with between 10 and 49 workers. Without doubt, this is a practice adopted by practically the whole of the Spanish business community.

Backups are made daily in 43.2% of the analyzed cases, and weekly in 30.4%.

Microcompanies with fewer than 10 employees show a preference for making backups manually: 51.3% do so, as opposed to 45.2% that state that they do it in an automated way. In small companies with 10 to 49 employees the preference is reversed: a majority of 65.8% rely on automatic backups, as opposed to 29.8% that opt for the manual solution.

In the analysis of the declared level of updating, 88.9% of companies state that the operating system and the security tools they work with are up to date. The information provided by the iScan security audit reveals that, in fact, only 58.5% of the analyzed computers are actually up to date. There is a notable discrepancy between the perceived and the real update level of the equipment.

Adaptation to data protection legislation

The study data show a genuinely positive evolution of Spanish companies in meeting the obligations laid down by data protection legislation.

60.2% of companies are aware that their activity, insofar as it involves files containing personal data, is subject to data protection legislation, as opposed to 26.1% that believe they are not affected by the legislation and 13.7% that do not know.

Compliance with the obligation to register files containing personal data with the registry of the Spanish Data Protection Agency is at an acceptable level and shows a very positive evolution compared with the situation in 2008. Thus, 52.6% of the organizations taking part in the study declare having notified their files, as opposed to 33.7% that admit the opposite. The 2008 data¹ showed a compliance rate of 37%, against a declared non-compliance of 47%.

The same positive tendency is seen in compliance with the duty to inform, observed by 67.1% of Spanish companies with fewer than 50 employees (as opposed to 29% in 2008), and with the duty to request the consent of the data subject, fulfilled by 62.3% of organizations (29% in 2008).

The data are positive and in any case confirm the progressive adoption of data protection legislation by Spanish companies.

Security plans and policies

34.3% of companies have a security plan at the time of the survey or intend to establish one in the future. For the purposes of the study, a security plan is understood as the establishment of a strategy or calendar for the gradual increase of the company's security level (by acquiring security solutions, etc.). Despite this reasonably positive figure, the adoption of this measure at international level exceeds the level shown by Spanish companies.

The existence of plans and policies affecting the security level of companies with more than ten workers has also been analyzed. The most frequent is the awareness plan, implemented in 24.6% of companies, followed by the e-mail usage policy (17.6%) and the business continuity plan (11.9%). Here too Spanish companies have an opportunity to improve in order to reach the international degree of implementation of these policies.

Finally, 22.8% of organizations with more than ten employees state that they have at some time carried out a security audit in order to evaluate and establish the improvement actions to be taken.

II Security incidents: perception and real situation

The security incidents occurring in the business environment are defined by two predominant situations: spam and malware. 63.2% of the surveyed companies are aware that their company has received unwanted e-mail on some occasion, and 49.2% say the same regarding virus infection.

¹ INTECO (2008). Estudio sobre el grado de adaptación de las Pequeñas y Medianas Empresas españolas a la Ley Orgánica de Protección de Datos (LOPD) y el nuevo Reglamento de Desarrollo RDLOPD. Available at http://www.inteco.es/Seguridad/Observatorio/Estudios_e_informes/Estudios_e_Informes_1/estudio_lopd_PYME

In the real analysis of the security situation of the equipment, 48.4% of the reviewed computers were found to be compromised by some type of malicious code at the date of the study. Here the perception of the surveyed companies is faithful to the reality of their equipment: 49.2% of respondents admit having suffered viruses, compared with 48.4% of computers that actually host malware².

The most frequent categories of malware are trojans (present in 27.8% of the reviewed computers) and unwanted advertising software (identified in 23.2% of the computers). These are precisely the two categories of malicious code that bring their creators the most profit: first, trojans, because they are usually linked to fraud; and second, adware, because it generates advertising income. It is logical to think that malware authors invest more effort in creating and spreading this type of malware. The first characteristic of the malware detected in the equipment is, therefore, its lucrative purpose.

Furthermore, the malicious code is very heterogeneous: of the 1,381 malicious files located, 963 are unique variants. This figure reflects the great volume of variants that malware authors create in order to hinder detection and thus defeat the effectiveness of antivirus programs and antimalware solutions based on specimen recognition.

III Effects of security incidents and reaction to them

In the opinion of the surveyed companies, the loss of working time is the consequence companies face most often (54.9%), followed by connection/network problems (26.1%) and loss of files and data (20.1%).

In fact, of the three variables considered (loss of time, money and image), only the loss of time is considered to have a certain impact after an incident. Thus, 73.8% of companies state that a security incident has no impact on their company's image, and 69% think it has no economic impact on the business.

After a security incident, 42.9% of companies have reacted by installing or updating a security tool, and 24.6% have begun to make backups of their files. These figures confirm that, when faced with a problem relating to information security, companies react by improving their security measures and habits rather than by abandoning the service (only 5.4% report having stopped using Internet services as a result of an incident). The Internet is now so embedded in the reality of Spanish companies that abandoning its use is not an option for the vast majority.

² In fact, the data are not perfectly comparable, because the survey question refers to whether a virus has been suffered "on occasion", whereas the audit data refer to any type of malware present at the time of the scan.

How do small Spanish companies with fewer than 50 employees resolve security incidents? In 65.7% of cases they resort to specialized services, whether a security expert (25.5%), a technical service (23.3%) or a local supplier of IT systems (16.9%).

IV e-Confidence

The clearest indicator of the level of confidence Spanish companies show towards the Information Society is the actual use of the existing online services. In this sense, the data confirm that the e-confidence of Spanish companies with fewer than 50 employees enjoys good health: 84.2% of the studied organizations use electronic banking; communication via e-mail or web forms is practiced by 59.9% of companies; 57.2% report carrying out procedures with the Public Administration; a not inconsiderable 50.2% of organizations state that they use the electronic signature; behind them, online transactions with an economic component, namely purchases from suppliers, sales to clients and payments, are carried out by 41%, 40.6% and 41.5% of the participating companies respectively.

In many cases the level of adoption of these services by Spanish companies exceeds that registered among European companies: this is the case for the use of electronic banking, procedures with the public administrations, the use of the electronic signature, online purchases and, finally, online sales.

Use is more widespread among the larger companies (10 to 49 employees) than among microcompanies. The training and awareness actions launched by the administrations and the private sector should take this circumstance into account when selecting the target groups to address.

In addition, the levels of confidence in each service are very high among users, with values between 75% and 90% in all cases. Here the size of the company makes no difference to the degree of confidence.

V Indicator Security Systems

The analysis of the present study is completed with the calculation of a series of indicators
that offer, of systematic and segmented way, an integral vision of the state of the security
of the Spanish companies.

The calculation comprises seven indicators classified into three groups: protection (tools
indicator, good practices indicator and policies indicator), risk and level of incidents
(malware incidence indicator and indicator of computers at risk) and general indicators
of security and e-confidence (global aggregate security indicator and e-confidence
indicator). All the indicators take values between 0 and 100 points.

Overall, the global situation shows considerable equipment with tools (76.1), a moderate
adoption of good practices (51.1) and a clearly improvable presence of plans and
policies (21). In the analysis of incidents, a moderate incidence of malicious code on
computers (48.4) and a relatively low number of computers at risk (23.8) are obtained.
With respect to the general indicators of security and e-confidence, the values are 54.4
and 73.2 respectively, from which it follows that the security situation reflected by the
global aggregate indicator is at optimal levels, and that the subjective perception of
confidence in security that companies have when they use the Internet is quite high.

VI Recommendations

Recommendations for small and micro Spanish companies

Their role is decisive in implementing information security as an added element that
contributes value to their business activity. To this end, the adoption of the following
initiatives is proposed:

• To make appropriate use of security measures and tools.

• To install licensed software and to keep programs and operating systems updated.

• To establish security procedures, plans and policies.

• To eradicate the false sense of security among Spanish companies through
information and awareness.

• To implement Information Security Management Systems (ISMS).

• To provide employees with training in information security.

Recommendations for manufacturers and suppliers of security solutions

The recommendations proposed for manufacturers and solution suppliers are:

• To adapt security products and solutions aimed at small companies to their specific
needs.

• To make final prices and intermediaries' margins attractive.

• To promote mechanisms to improve relations with the Public Administrations.

• To extend and improve pre-sale and after-sale services.

Recommendations for the Public Administrations

The role of the Public Administrations will be decisive in allocating funding, as well as
in coordinating, harmonizing and consolidating economies of scale. The administrations
are invited to launch the following initiatives:

• To promote and advise on the implementation of Information Security Management
Systems.

• To raise companies' awareness through a proactive, risk-based approach to security.

• To target actions at subcontracted providers of information technology (IT) services.

• To offer information and advice to companies on their employee training plans.

• To continue fostering e-confidence among companies.

• To carry out recurrent diagnosis and measurement of the state of information
security in companies.

• To prepare and disseminate information adapted to companies' needs.

1 INTRODUCTION AND OBJECTIVES

1.1 Introduction

1.1.1 Instituto Nacional de Tecnologías de la Comunicación (Spanish National
Institute of Communication Technologies, INTECO)

The National Institute of Communication Technologies (INTECO), a public entity set up by
the Ministry of Industry, Tourism and Trade, is a platform for the development of the
Knowledge Society through innovation and technology projects.

It has a twofold purpose: firstly, to contribute to the convergence of Spain with Europe in
the Information Society and secondly, to promote regional development at a world-wide
level from its base in Leon.

INTECO's mission is to promote and carry out innovation projects related to the
Information and Communication Technologies (ICT) sector and, in general, in the sphere
of the Information Society, projects that improve the position of Spain and increase its
competitiveness, extending its capabilities in both Europe and Latin America. Thus, the
Institute seeks to be an innovative development centre of public interest at a national level
that will become an initiative enriching and disseminating new technologies in Spain and
in harmony with Europe.

INTECO's social purpose is the management, guidance, promotion and dissemination of
technological projects within the framework of the Information Society. To achieve this,
INTECO undertakes actions that include, at least, the strategic lines of Technological
Security, Accessibility and Software Quality.

1.1.2 Observatorio de la Seguridad de la Información (Information Security
Observatory)

The Information Security Observatory is part of INTECO's strategic line of action in the
field of Technological Security. It came into being with the mission of providing a detailed
and systematic description of the level of security and confidence in the Information
Society, as well as to generate specialised knowledge on the subject. Consequently, it is
at the service of Spanish citizens, companies, and public administrations to describe,
analyse, guide and disseminate the culture of information security and e-confidence.

The Observatory has designed an Activities and Studies Plan in order to generate
specialised and useful knowledge on the subject of security for INTECO, as well as for
drawing up recommendations and proposals that define valid trends for future decision-
making by public authorities.

The plan of action includes research, analysis, study, advice and dissemination activities
that address the following strategies:

• Elaboration of studies and reports in the field of security on the Information and
Communication Technologies, with special emphasis on security on the Internet.

• Monitoring the main indicators and public policies related to information security
and confidence in the national and international spheres.

• Generation of a database enabling analysis and evaluation of security and
confidence as these change over time.

• Promotion of research projects in the field of ICT security.

• Dissemination of studies and reports published by other organisations and national
and international bodies, as well as information on the current national and
European situation in the field of security and confidence in the Information
Society.

• Providing advice to Public Administrations in the field of information security and
confidence as well as supporting the drafting, monitoring and evaluation of public
policy in this sphere.

1.2 Study on the security and e-trust in the small and micro Spanish companies

The use of technology by Spanish companies has become a driving force of economic
growth based on increased competitiveness and productivity, with numerous public-sector
initiatives focused on facilitating access to technology for the main actors of the
Information Society.

It is essential to focus on promoting ICT and, therefore, information security, since
among Spanish companies neither can now be understood without the other.

The study has two particular features that can make it a unique reference on
information security at national and international level:

• Firstly, the study allows evolutionary readings against the data collected by INTECO
in 2008, so that trends over time can be appreciated.

• Secondly, the results of the study come from two differentiated and comparable
sources, making it possible to know the degree of agreement and/or discrepancy
between the perception of the companies (obtained through the surveys) and the real
security situation of their computers (extracted from the online security analyses).
Section 2 describes the methodology followed in more detail.

1.2.1 General objective

The general purpose of this study is to analyse, on the basis of the perceptions of
company owners, the change in the information security and e-confidence situation
among small and microcompanies, together with the contrast between those perceptions
and the real level of security and incidents on their computers.

All this with the aim of proposing recommendations for action to organizations, to the
information security industry and to the Public Administrations, in order to promote
knowledge and monitoring of the main indicators and public policies related to the
Information Society in the field of information security and e-confidence.

1.2.2 Specific objectives

The previous objective is broken down operationally into the following specific
objectives which, in addition, guide the thematic structure of this report.

Security tools, good practices and policies in companies

• To analyse the available supply and the state of implementation of existing security
products in companies, and to contrast the results with the level of installation in the
international sphere.

• To examine the differences in security equipment between Spanish companies
according to their size.

• To identify the barriers to installing security measures on the computers of small and
microcompanies.

• To verify the existence of human resources dedicated to technology and computer
security within small Spanish companies.

• To determine the investment that Spanish companies are making in information
security.

• To verify the behaviour of small and micro Spanish companies regarding the adoption
of good security practices: making backups and updating programs and operating
systems.

• To analyse the evolution of knowledge of, and compliance with, data protection
regulations.

• To identify the security plans and policies adopted by Spanish organizations, and to
contrast the results with the level of adoption in the international sphere.

Security incidents suffered and reaction to them

• To determine how frequently users report suffering security incidents on their
organizations' computers.

• To determine the general level of incidence of malicious code or malware, to define
its categories and to quantify its severity.

• To analyse the diversification of malicious code, based on the existence of unique
variants and the number of detections on the computers.

Security of mobile and wireless communications

• To determine the level of security that organizations give to their advanced mobile
devices and wireless communications.

Consequences, reactions and responses to security incidents

• To determine the consequences and the changes in habits adopted by small and
micro Spanish companies after security incidents.

E-confidence of companies

• To produce a diagnosis of the adoption of the Information Society among small and
micro Spanish companies, and to analyse their degree of e-confidence.

• To identify the circumstances that may potentially act as a brake on the development
of the Information Society, and to analyse to what extent security affects the use of
new services.

2 METHODOLOGICAL DESIGN

In defining the study methodology, an approach was chosen that allows data on the level
of security and e-confidence of small Spanish companies to be obtained from a double
perspective: information based on the opinion of the company owner, and empirical
information on the security situation of the computers:

• Perception of the information security situation and level of e-confidence among
company owners. A total of 2,206 small and microcompanies responded to the survey;
under the criteria of simple random sampling with p=q=0.5 and a confidence level of
95.5%, the sampling error for n=2,206 is ±2.1%.

• Real level of security of the computer equipment in the companies. For this, the
iScan software 3, developed by INTECO, was used; it analyses the systems and the
security incidents on the computers through the combined use of 46 antivirus engines.
The software is installed on the computer and analyses it, detecting all malware
resident on it and also gathering data on the operating system, its update status and
the security tools installed. The program sends this information to INTECO, which
processes it in anonymous and aggregated form. The total number of remote security
analyses was 622.

This makes it possible to analyse two parallel sources of information on computer
security, with the advantage of contrasting the perception of corporate security reported
by respondents with the real situation of the companies' computers. To make the figures
easier to read, each one states the calculation base used.

This is the first time that this methodology, based on contrasting a double source, has
been applied in a study on small and micro Spanish companies, which gives it a great
comparative advantage and makes it a national reference. It has, however, been used
previously in studies on home computers. In particular, the Study on information
security and e-confidence in Spanish households, prepared by INTECO's Information
Security Observatory, offers quarterly information on the level of security and
e-confidence of households.

3
The software, owned by INTECO, is a simple and safe program that allows a comprehensive remote analysis of the
security state of computers, always with absolute confidentiality and transparency. Section 2.2.2 explains how iScan
works in detail.

2.1 Characterization of the universe under study

The universe of the study consists of all Spanish companies with up to 50 employees,
distinguishing between microcompanies (fewer than 10 employees) and small companies
(10-49 employees).

For the definition of microcompanies and small companies, the classification established
by the European Community has been taken into account 4.

Table 1: Classification of companies according to European Community rules
(in force since 1 January 2005)

                                                      Microcompany   Small company   Medium company
Number of employees                                   Less than 10   Less than 50    Less than 250
Maximum turnover (in million euros)                   2              10              50
Annual turnover or annual balance sheet total
(in million euros)                                    2              10              43
Source: Recommendation C.E. (6 May 2003)

The number of active companies in Spain at 1 January 2009, according to data from the
Central Business Directory (DIRCE) 5, is 3,355,830, distributed by size as shown in
Figure 1. 94.8% have fewer than 10 employees, the so-called microcompanies. The
remaining 5.2% are companies with 10 or more employees, classified as small (10 to 49
employees), medium (50 to 199 employees) and large companies (200 or more
employees).

Given the small numerical weight of companies with more than 50 employees in the
Spanish business landscape (see Figure 1), they are excluded from the scope of the
study.

4
European Commission (2003): Recommendation of 6 May 2003 concerning the definition of micro, small and medium
enterprises. Official Journal of the European Union L 124, pp. 36-41, 20 May 2003. More information is available at
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:124:0036:0041:ES:PDF
5
National Institute of Statistics (2009): Central Business Directory. Available at
http://www.ine.es/jaxiBD/menu.do?type=db&divi=dir&his=0&L=0

Figure 1: Distribution of companies in Spain according to number of employees (%)

[Chart: Microcompanies 94.8% (from 0 to 2 employees 80.3%, from 3 to 9 employees
14.5%), Small 4.4%, Medium 0.6%, Big 0.1%]

Source: DIRCE 2009

2.2 Phases of the investigation project

The development of the study, using the methodology described, was carried out in four
sequential stages:

• Phase 1: Compilation and study of information.

• Phase 2: Audit of security.

• Phase 3: Surveys to companies.

• Phase 4: Elaboration of the report.

2.2.1 Phase 1: Compilation and study of information

This stage addressed the analysis of the current situation of Spanish companies
regarding the adoption of information security policies and good practices. To do so, two
sets of material were reviewed: on one side, the analyses carried out on the subject by
INTECO and, on the other, information produced by companies devoted to the study of
information technologies. From these, conclusions were drawn that helped to build a
profile of the current state of security in small and microcompanies, the risks and threats
they face, and the needs and gaps in the supply of services.

All the information consulted in this study is the property of the following
organizations:

• Asociación Empresas de Tecnologías de la Información y Comunicaciones de España
(AETIC)

• Asociación Española de Comercio Electrónico y Marketing Relacional (AECEM)

• Comisión del Mercado de las Telecomunicaciones (CMT)

• Eurostat

• Everis

• Forrester Research

• Fundetec

• Gartner

• IDC

• INTECO

• International Organization for Standardization (ISO) and International
Electrotechnical Commission (IEC)

• McAfee

• McKinsey&Company

• MessageLabs

• Ministerio de Industria, Turismo y Comercio

• Organización de Cooperación y Desarrollo Económico (OCDE)

• Panda Software

• PricewaterhouseCoopers

• Red.es

• Sectoral e-Business Watch

• Telefónica

2.2.2 Phase 2: Audit of security

A total of 622 security audits were carried out on at least as many small and micro
Spanish companies and computers. The online analysis and scanning phase took place
between February and June 2009.

To carry out the online analyses, iScan was used, a security analysis tool owned by
INTECO and specialized in detecting active security measures and, above all, malicious
code (malware).

In the analysis of security parameters, the tool identifies critical vulnerabilities,
detects the installed antivirus solutions and analyses the operating system version.

As for the malware analysis, iScan detects the different security incidents using 46
antivirus engines, with the aim of ensuring a higher detection rate (especially against
new, hard-to-detect threats). As a counterbalance, and precisely with the intention of
reducing false positives 6, a series of filters and subsequent controls is established:

1) Filtering and weighting of antivirus solutions. The following factors were taken into
account when selecting the solutions:

a. The list of antimalware solutions used by iScan excludes perimeter antivirus
products, which are highly paranoid.

b. Some solutions that share their engine with other vendors are also left out, so
that each engine is counted only once regardless of how many vendors ship it.

c. A subgroup of the 11 most reputed antivirus products was identified: those with
the best detection rate against specimens detected by more than 10 engines.

For a file to be marked as malware, it must be detected by at least 5 of the 46
products considered, and at least one of those 5 must belong to the subgroup of 11
reputed antivirus products.

2) Manual verification of a limited number of samples. After this first layer of
filtering, all the files detected on the analysed computers are ordered by penetration
rate (number of computers on which they have been sighted). The 40 most widely
sighted files are analysed manually, again with the aim of filtering out false
positives.

3) Comparison of the files marked as malicious with databases of known software and
innocuous files. INTECO maintains a database of software from trusted manufacturers.
All the samples still detected after the two previous filter layers are compared with
this database to eliminate further false positives. Likewise, the files are checked
against the National Software Reference Library 7 of the US National Institute of
Standards and Technology (NIST). If any of the files flagged by iScan is found in this
database and is not part of a hacking or cracking kit, the file is not considered
malicious.

The establishment of these filters and controls is a very important measure for ensuring
the reliability of the study, but even so it does not completely eliminate the problem of
false positives (a problem inherent to the antivirus industry), nor that of false
negatives.
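As an added example (not INTECO's iScan code, whose internals the study does not publish), the following Python models the three filter stages described above over constructed detection data; the engine names, file hashes, known-good entries and analyst verdicts are hypothetical stand-ins, and the known-good table merges INTECO's trusted-software list with the NSRL check.

```python
# Added example modelling the iScan false-positive filter chain (not INTECO's code).
# Engine names, hashes and the known-good entries below are constructed placeholders.

ALL_ENGINES = ["av%02d" % i for i in range(46)]   # the 46 engines that remain after
                                                  # dropping perimeter products and
                                                  # vendors that share an engine
REPUTED_ENGINES = frozenset(ALL_ENGINES[:11])     # the 11-engine "reputed" subgroup

MIN_DETECTIONS = 5        # a file needs 5 of the 46 engines to flag it ...
MIN_REPUTED = 1           # ... and at least one of those must be a reputed engine
MANUAL_REVIEW_TOP_N = 40  # the 40 most widespread flagged files get a manual review

# Constructed stand-in for INTECO's trusted-software list plus the NIST NSRL.
# A file found here is cleared unless it is part of a hacking/cracking kit.
KNOWN_GOOD = {
    "hash-office-installer": {"hack_tool": False},
    "hash-password-cracker": {"hack_tool": True},
}


def consensus_flag(engines_detecting):
    """Stage 1: weighted multi-engine consensus on a single file."""
    hits = set(engines_detecting) & set(ALL_ENGINES)  # ignore engines outside the list
    reputed_hits = hits & REPUTED_ENGINES
    return len(hits) >= MIN_DETECTIONS and len(reputed_hits) >= MIN_REPUTED


def rank_by_prevalence(sightings):
    """Stage 2 ordering: file hashes sorted by number of distinct hosts, descending."""
    hosts_per_file = {}
    for host_id, file_hash in sightings:
        hosts_per_file.setdefault(file_hash, set()).add(host_id)
    return sorted(hosts_per_file, key=lambda h: (-len(hosts_per_file[h]), h))


def survives_whitelist(file_hash):
    """Stage 3: drop files in the known-good DB unless they are hacking/cracking kits."""
    entry = KNOWN_GOOD.get(file_hash)
    if entry is None:
        return True            # unknown to the whitelist: the verdict stands
    return entry["hack_tool"]  # whitelisted, but hacking kits stay malicious


def classify(file_detections, sightings, analyst_cleared):
    """Run the three stages and return the hashes still considered malware.

    file_detections: {file_hash: iterable of engine names that flagged it}
    sightings:       list of (host_id, file_hash) pairs from the scanned machines
    analyst_cleared: hashes an analyst judged benign during the manual review
    """
    flagged = {h for h, eng in file_detections.items() if consensus_flag(eng)}

    # Only the top-N most widespread flagged files are reviewed by hand, so an
    # analyst verdict on a file outside that window is never applied.
    review_queue = [h for h in rank_by_prevalence(sightings) if h in flagged]
    reviewed = set(review_queue[:MANUAL_REVIEW_TOP_N])
    flagged -= reviewed & set(analyst_cleared)

    return {h for h in flagged if survives_whitelist(h)}


# Constructed sample: six files sighted on four hosts.
SAMPLE_DETECTIONS = {
    "hash-trojan-dropper":   ALL_ENGINES[:3] + ALL_ENGINES[20:25],  # 8 hits, 3 reputed -> malware
    "hash-nonreputed-only":  ALL_ENGINES[12:20],                    # 8 hits, 0 reputed -> dropped
    "hash-too-few":          ALL_ENGINES[:4],                       # 4 hits -> dropped
    "hash-office-installer": ALL_ENGINES[:6],                       # flagged, but in known-good DB
    "hash-password-cracker": ALL_ENGINES[:6],                       # in NSRL as a cracking kit -> stays
    "hash-adware-fp":        ALL_ENGINES[:6],                       # cleared in the manual review
}
SAMPLE_SIGHTINGS = [
    ("host1", "hash-trojan-dropper"), ("host2", "hash-trojan-dropper"),
    ("host1", "hash-adware-fp"), ("host2", "hash-adware-fp"), ("host3", "hash-adware-fp"),
    ("host1", "hash-password-cracker"), ("host4", "hash-office-installer"),
    ("host3", "hash-nonreputed-only"), ("host4", "hash-too-few"),
]

if __name__ == "__main__":
    print(sorted(classify(SAMPLE_DETECTIONS, SAMPLE_SIGHTINGS, {"hash-adware-fp"})))
    # -> ['hash-password-cracker', 'hash-trojan-dropper']
```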

6
A "false positive" is the erroneous detection of a harmless file as malicious.
7
National Institute of Standards and Technology: National Software Reference Library. Available at http://www.nsrl.nist.gov

It must also be borne in mind that, when all the files on the inspected computers are
compared with databases of known malware, it is not possible to detect any unknown
specimen that is absent from those libraries. This is especially pronounced in the case
of worms and viruses. Worms usually include a polymorphic engine that produces a
binary-different file on each replication of the same worm. Consequently, it is very
difficult for a polymorphic worm to be detected, because many of them will be unique to
each infection and therefore will not be present in the known-malware database. The
case of viruses is similar: many viruses infect other files, giving rise to files with
new fingerprints that are not present in the database.

Finally, iScan does not provide information on whether a given malicious code is active
on the system. The (admittedly infrequent) possibility exists of a system that, although
it hosts malware, is not in fact infected: for example, a researcher who keeps a
directory of malicious code for study, or a malicious code that has been detected by an
antivirus and moved to a quarantine folder without being obfuscated 8. This is not a very
likely situation, but such malware would be counted by iScan.

In fact, despite the strength of the iScan tool and the measures adopted by INTECO to
mitigate the incidence of false positives, the methodology used has intrinsic
limitations that mean the analysis is not infallible. Thus, despite the rigor and
robustness of the analysis, the data carry a margin of error that reflects the problems
the security industry currently faces when developing antivirus software.

2.2.3 Phase 3: Surveys to companies

A total of 2,206 small and microcompanies took part, selected by stratified random
sampling (number of employees, sector of activity and Autonomous Community) with a
sample distribution proportional to the percentage of Internet use, based on data from
the National Institute of Statistics (INE) 9.

The following techniques were used to collect the sample:

• Computer-assisted telephone interview (CATI system) to present the study and request
collaboration and participation.

• A web page created for the dissemination of, and participation in, the study.

8
In computing, obfuscation refers to the deliberate act of making a non-destructive change, either to the source code
of a computer program or to the machine code or binary form when the program is compiled, so that it is not easy to
understand or read, i.e. specifically making it unintelligible in order to hide its functionality.

9
National Institute of Statistics (2008): Survey on ICT usage and electronic commerce (EC) in companies from 2007 to
2008. Available at http://www.ine.es/jaxi/menu.do?type=pcaxis&path=%2Ft09/e02&file=inebase&L=0

• INTECO's contacts among companies that took part in the various awareness days
organized by the Chambers of Commerce in each province where they were held, aimed at
Spanish SMEs across the country.

Sample

Fieldwork took place between February and July 2009, following criteria of national
representativeness based on sector of activity (Industry/Construction and Services),
Autonomous Community, company size and percentage of Internet use.

Regarding the number of employees, Figure 2 shows the percentage distribution of
participating companies.

Figure 2: Percentage distribution of participating companies by number of employees

[Chart: Under 10 employees 85.1%; 10 to 49 employees 14.9% (from 10 to 19: 6.1%,
from 20 to 29: 4.3%, from 30 to 39: 2.2%, from 40 to 49: 2.3%)]

Source: INTECO

Since 622 companies took part in the security audit phase and 2,206 in the survey
phase, a subset of companies took part in both and therefore contributed both
opinion-based data and the analysis of their computers. There are 527 such companies,
and they form the sample used whenever direct cross-comparisons between perception and
reality are analysed.

Sampling error

Sampling error levels by sector and number of employees are shown below. The sampling
error was calculated under the assumption p=q=0.5, for a confidence level of 95.5%
(1.96 σ with respect to μ).

The margin of error for this set of companies is ±2.1%, which gives it sufficient
representativeness to draw conclusions at national level and by company size (where the
sampling errors are, for the same confidence level and assumptions, ±2.3% for a sample
of 1,877 organizations with fewer than 10 workers and ±5.5% for a sample of 329
companies with between 10 and 49 employees).

Table 2: Sampling error levels by size of the companies taking part in the study

Size                      Number   Margin of error
Less than 10 employees    1,877    ± 2.3%
10 to 49 employees        329      ± 5.5%
TOTAL                     2,206    ± 2.1%

Source: INTECO

Regarding the other variable used in the sample design, the Autonomous Community, a
target sample was defined in which the distribution by stratum implied sampling errors
below ±11%. The number of surveys was thus distributed seeking proportionality with the
number of employees and the business sector.

Table 3: Distribution of the companies in the sample by Autonomous Community

Autonomous Community                               Number of companies   Sampling error
Andalucía y ciudades autónomas (Ceuta y Melilla)   220                   6.7%
Aragón                                             99                    10.1%
Asturias (Principado de)                           115                   9.3%
Balears (Illes)                                    105                   9.8%
Canarias                                           103                   9.9%
Cantabria                                          87                    10.7%
Castilla y León                                    130                   8.8%
Castilla-La Mancha                                 102                   9.9%
Cataluña                                           206                   7.0%
Comunitat Valenciana                               172                   7.6%
Extremadura                                        98                    10.1%
Galicia                                            148                   8.2%
Madrid (Comunidad de)                              236                   6.5%
Murcia (Región de)                                 99                    10.1%
Navarra (Comunidad Foral de)                       89                    10.6%
País Vasco                                         113                   9.4%
Rioja (La)                                         84                    10.9%

Source: INTECO

2.2.4 Phase 4: Elaboration of the report

This report gathers the analysis and conclusions of the research, together with the
recommendations for action.

For the comparative analyses at European and international level on the state of
security in small and micro Spanish companies, the following sources were used:

• For the European analyses, the report ICT usage by Enterprise 10, produced by
Eurostat in 2008, was considered. The results of that study are based on the responses
of 133,300 companies with at least 10 employees located in the EU of 27 (EU 27), plus
Norway and Iceland. In the stratum of companies with between 10 and 49 employees,
67,303 companies were polled. The data used from this study are those corresponding to
the EU of 15 (EU 15 11) and of 27 (EU 27 12).

10
Eurostat (2008): ICT usage by enterprise 2008. Available at
http://epp.eurostat.eu/portal/page/portal/information_society/introduction

11
Germany, Austria, Belgium, Denmark, Spain, Finland, France, Greece, Italy, Ireland, Luxembourg, Netherlands, Portugal,
United Kingdom and Sweden.

Study on the security and e-confidence in the small micro and Spanish companies Página 28 de 142
Observatorio de la Seguridad de la Información - Information Security Observatory
• For the international analysis, two sources have been considered:

o The report Global State of Information Security Survey 13 (GSISS), produced by
PricewaterhouseCoopers in collaboration with the magazines CIO and CSO. 7,097
CEOs, CFOs, CIOs, CSOs, vice-presidents, directors of information technology
(hereinafter IT) and of information security, and IT and security professionals
from 119 countries on 5 continents took part in the study, with a margin of error
of ±1.2%.

In order to facilitate comparability, the data of the stratum of companies with 1
to 100 employees have been used, which amounts to a sample base of 2,217
respondents distributed geographically among companies located on the five
continents. Of these, 35.4% of the organizations are located in Europe (5% of
them, 119, are Spanish) and 29.2% of the total in North America.

o The International Security Barometer in SMEs 14 , produced by Panda Security in
May 2009. The results of the study are based on the answers of 2,565 companies
with between 1 and 400 computers from all over Spain, and 5,760 companies from
various countries, with a margin of error of ±1.1%.

In addition, with the intention of having a single value that allows the level of
information security of the small and micro Spanish companies to be known, a specific
system of statistical indicators has been designed that synthesizes the information and
results of the study in a series of statistical measures on information security (see
section 8 INFORMATION SECURITY INDICATORS SYSTEM OF THE SMALL AND
MICROCOMPANIES). For the construction of this system, Small Business Information
Security: The Fundamentals 15 , produced by NIST, has been taken as reference. That
document enumerates the actions that a small company must take to be protected.

12
Germany, Austria, Belgium, Bulgaria, Cyprus, Denmark, Slovakia, Slovenia, Spain, Estonia, Finland, France, Greece,
Holland, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, United Kingdom, Czech Republic,
Romania and Sweden.

13
PricewaterhouseCoopers (2008): The Global State of Information Security Survey (GSISS). Available at
http://www.pwc.com/extweb/insights.nsf/docid/0E50FD887E3DC70F852574DB005DE509/$File/PwCsurvey2008_cio_reprint.pdf

14
Panda Security (2009): Barómetro Internacional de Seguridad en PYMES. Available at
http://www.pandasecurity.com/NR/rdonlyres/9A6054F7-7C2F-4CFB-9A83-315BA2072B35/0/01PF_Barometro_Seguridad_PYMEs_Ejemplo.pdf

15
National Institute of Standards and Technology (2009): Small Business Information Security: The Fundamentals.
Available at http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf

3 TOOLS, GOOD PRACTICES AND SECURITY
POLICIES IN THE SMALL AND MICROCOMPANIES

At present there is an almost generalized consensus that the development of any type of
business and the use of information technologies do not take place in isolation and,
therefore, interact with each other.

In addition, given the degree of implantation of these technologies in the small and micro
Spanish companies, it becomes necessary to carry out this analysis, centred on the
security tools, good practices and policies that they adopt.

The analysis of the good security practices is based on the opinion of the people in
charge of the companies that took part in the study, by means of the statements they
made in the opinion surveys.

In the case of the solutions, the report contrasts the opinion of the respondents about the
measures they believe they have installed in at least one of the computers located in their
own company with those that are actually present in the analyzed equipment, according to
the results provided by the iScan tool. This allows the degree of familiarity of the people in
charge of the small and micro companies with the equipment of their computers to be
identified, and an x-ray of the security tools used in the companies to be offered.

3.1 Security tools

This section examines the level of implantation of the tools, the reasons declared for not
using them, the personnel whose responsibilities are ICT and, finally, the investment
made in security.

The companies, aware of the importance of their data and of the information held in their
equipment, have security tools and/or solutions at equipment level and at organization
level. The survey therefore analyzes the level of adoption of both types of measures:

• Security tools in the equipment: the penetration of the security solutions installed
in the company's computers is moderate, and whether the tools are available in all
the equipment or only in some of it is analyzed.

• General security measures of the company: in this case, these are solutions adopted
at company level which imply a certain organizational structure. For that reason, the
level of adoption of these measures is only analyzed among the larger companies
(10 to 49 employees).

3.1.1 Implantation level of the security tools in the small and micro Spanish
companies

The analysis of the level of implantation of the tools and/or solutions that the companies
have in their computers confirms that, in general, the small and micro Spanish companies
have a wide range of security products and solutions. This is the case of the degree of
installation of the tools associated with the protection of Internet browsing (antivirus,
personal firewall, anti-spam programs, pop-up blocking tools), with declared rates of use
above 54% in all cases. In the case of antivirus programs, use is almost universal
(97.8%).

Less used measures are the disk cleaning programs (43.6%), privileges in the equipment
depending on the user (33.4%), the tools that allow access to the company network from
outside the office (for example, virtual private network - VPN - tools), used by 22.7%, and
the disk encryption tools (8.2%).

Figure 3: Level of implantation of the security solutions in the organization's
computers (%)

Solution                                                               Yes      No
Antivirus / anti-spyware programs                                      97,8%    2,2%
Personal firewall in computers                                         72,4%    27,6%
Media access control                                                   66,8%    33,2%
Anti-spam programs                                                     61,0%    39,0%
Pop-up blocking tools                                                  54,4%    45,6%
Disk cleanup programs                                                  43,6%    56,4%
Different computer privileges depending on user                        33,4%    66,6%
Tools that allow access to your network from outside the office (VPN)  22,7%    77,3%
Disk encryption tools                                                  8,2%     91,8%

n=2,206 Source: INTECO

Table 4 analyzes, for each measure, whether it is present in all the equipment of the
company or only in some of it. The tendency is, in general, to install the tool in all the
computers: it seems that, once the decision has been made, the tool is implemented in a
generalized way across the company's equipment. There are two measures (the tools that
allow access to the network from outside the office and the use of different privileges in
the equipment depending on the user) where the level of partial adoption (that is, only in
certain equipment) is considerable.

Table 4: Implantation of the security solutions according to the number of equipment in
which they are installed (%)

Solutions                                                         In all the equipment   Only in certain
                                                                  of the company         equipment
Antivirus / anti-spyware programs                                 94,7                   3,1
Personal firewall in the computers                                67,7                   4,8
Access control / authentication means                             61,3                   5,5
Anti-spam programs                                                57,0                   4,0
Pop-up blocking tools                                             50,1                   4,3
Disk cleaning programs                                            39,4                   4,2
Different privileges in the equipment depending on the user       26,5                   6,8
Tools that allow access to their network from outside the office  14,3                   8,4
Disk encryption tools                                             5,2                    3,0

n=2,206 Source: INTECO

The importance of the implantation of some of these solutions becomes evident when it is
compared with the international situation 16 . Thus, in Spain the adoption of the security
measures considered basic predominates: antivirus, firewall and passwords. In the three
cases, the level of use of the measures by the Spanish companies is higher than that
shown at international level, where companies are 17.8 percentage points behind the
Spanish ones in antivirus use, 8.3 with respect to the firewall and 22.9 points in the case
of access control to the equipment.

In the case of security tools of a more specific character the tendency is the opposite:
they are more frequently adopted at international level than in the Spanish companies.
Thus, for example, pop-up blocking programs are present in 61.1% of the international
companies, compared with 54.4% of the Spanish ones. The same happens with the disk
encryption tools and with the tools that allow access to the network from outside the
office. In these cases, the Spanish companies have room for growth to match the
international ones.

16
It should be recalled that the international data are, as stated in the methodology section, provided by the GSISS on a
sample base of 2,217 companies with between one and one hundred employees, 119 of which are Spanish.

Figure 4: International comparison of the level of implantation of the security solutions
in the company's computers (%)

Solution                                                               Spain    International
Antivirus / anti-spyware programs                                      97,8%    80,0%
Personal firewall in computers                                         72,4%    64,1%
Media access control (passwords)                                       66,8%    43,9%
Pop-up blocking tools                                                  54,4%    61,1%
Tools that allow access to your network from outside the office (VPN)  22,7%    47,5%
Disk encryption tools                                                  8,2%     40,7%

Spain n=2,206, International n=2,217 Sources: INTECO (2009) and GSISS PwC (2008)

The longitudinal analysis of the presence of the basic security tools and solutions
(antivirus, firewall, authentication mechanisms) according to the size of the organizations
(Figure 5) shows a variable use of them:

• The presence of antivirus programs among the companies has remained constant
throughout the period analyzed, from 2006 to 2009, standing between 97% and 97.7%
in the micro companies and between 96.8% and 98.5% among the small
organizations.

• Firewalls are a more widely used tool among the small companies (75.4%) than
among the smaller ones (71.9%). Even so, the evolution of these solutions shows
that they have been implanted more among the micro companies than among those
with 10 to 49 workers. Thus, among the former, in 2006 they were present in 53.4%
of the companies with fewer than 10 employees, and in 2009 the percentage of
organizations stands at 71.9%. The percentage variation among the small companies
is 9.1 points.

• Finally, in the case of authentication mechanisms, whereas the micro companies have
seen an increase of 33.7 percentage points between 2006 and 2009, among the
companies with 10 to 49 employees the increase has been 34.4 points (from 42.2%
of organizations that had it implanted in 2006 to 76.6% in 2009).

Figure 5: Annual evolution in the implantation of some security tools and solutions in the
companies, according to company size (%)

[Grouped bar chart, series 2006, 2007, 2008 and 2009; categories: authentication
mechanisms, firewall and antivirus, for micro enterprises and for small enterprises]

2009 n=2,206, 2006-2008 n= 23,762 Sources: INTECO (2009) and INE (2006-2008)

Although, as reflected in the previous figure, the use of antivirus programs is the measure
most frequently adopted by the Spanish companies, the possibility of contrasting this
information with the real security level of the computers allows the existing differences in
the equipment of the small and micro Spanish companies taking part in the study to be
verified.

Figure 6: Level of antivirus use: declared data versus real data (%)

                  Antivirus   No antivirus
Declared          97,8%       2,2%
Real              93,1%       6,9%

Declared n=2,206, Real presence n=622 Source: INTECO

Comparing the data declared by the companies with the real presence of antivirus
programs (Figure 6), it is found that 93.1% of the companies actually have the tool
installed, as opposed to the 97.8% that declared using the measure.

Furthermore, thanks to the information provided by iScan, it is possible to compare the
declared installation with the real installation in the analyzed equipment, that is, what the
companies declare against what they really have installed in their computers. In this way,
86.9% of the companies have a correct perception, since they declare that they have
antivirus and this is indeed the case.

Conversely, it is then possible to identify the percentage of companies that may be facing
a potential risk. In this situation are both those that declare not having antivirus and whose
security audit confirms it (1.3%), and the companies that think their equipment has
antivirus but in fact do not have it installed (5.7%). All of them are vulnerable to any
malware attack.
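One way to carry out this declared-versus-real reconciliation company by company, as an added example that is not INTECO's code: it does not reproduce the iScan tool, the audit records are constructed, and the category names are this example's own.

```python
"""Reconcile self-declared antivirus status against what an audit found.

Added example (not INTECO's code). Each record pairs the survey answer of
a company with the finding of a scan of its computer, and is placed in one
of the four declared/real combinations the report distinguishes, so that
the share with a false sense of security can be reported and followed up.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AuditRecord:
    """One audited company: survey answer versus audit-tool finding."""
    company_id: str
    declared_antivirus: bool  # what the respondent said in the survey
    scanned_antivirus: bool   # what the scan actually found on the computer


# The four declared/real combinations (names are this example's own).
CORRECT_PROTECTED = "declared yes / real yes"        # correct perception
FALSE_SENSE_OF_SECURITY = "declared yes / real no"   # believes protected, is not
KNOWN_UNPROTECTED = "declared no / real no"          # unprotected and aware of it
UNDECLARED_PROTECTED = "declared no / real yes"      # protected without knowing it


def classify(rec: AuditRecord) -> str:
    """Map a record to one of the four perception/reality categories."""
    if rec.declared_antivirus:
        return CORRECT_PROTECTED if rec.scanned_antivirus else FALSE_SENSE_OF_SECURITY
    return UNDECLARED_PROTECTED if rec.scanned_antivirus else KNOWN_UNPROTECTED


def _pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 for an empty base."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def reconcile(records: Iterable[AuditRecord]) -> Dict[str, float]:
    """Percentage of audited companies in each of the four categories."""
    recs = list(records)
    counts = Counter(classify(r) for r in recs)
    n = len(recs)
    return {
        CORRECT_PROTECTED: _pct(counts[CORRECT_PROTECTED], n),
        FALSE_SENSE_OF_SECURITY: _pct(counts[FALSE_SENSE_OF_SECURITY], n),
        KNOWN_UNPROTECTED: _pct(counts[KNOWN_UNPROTECTED], n),
        UNDECLARED_PROTECTED: _pct(counts[UNDECLARED_PROTECTED], n),
    }


def risk_summary(records: Iterable[AuditRecord]) -> Dict[str, float]:
    """Headline figures: declared rate, real rate, perception accuracy, at-risk share.

    'at_risk' is the share with no antivirus on the scanned machine whatever
    was declared: both unprotected groups are exposed to malware, but the
    false-sense group is the one that will not fix it on its own.
    """
    recs = list(records)
    n = len(recs)
    declared = sum(r.declared_antivirus for r in recs)
    real = sum(r.scanned_antivirus for r in recs)
    correct = sum(r.declared_antivirus == r.scanned_antivirus for r in recs)
    return {
        "declared_rate": _pct(declared, n),
        "real_rate": _pct(real, n),
        "perception_accuracy": _pct(correct, n),
        "at_risk": _pct(n - real, n),
    }


def follow_up_list(records: Iterable[AuditRecord]) -> List[str]:
    """Companies to contact first: they think they are protected but are not."""
    return sorted(r.company_id for r in records
                  if classify(r) == FALSE_SENSE_OF_SECURITY)


# Constructed sample (not study data): 10 audited companies.
SAMPLE = [
    AuditRecord("c01", True, True),
    AuditRecord("c02", True, True),
    AuditRecord("c03", True, True),
    AuditRecord("c04", True, True),
    AuditRecord("c05", True, True),
    AuditRecord("c06", True, True),
    AuditRecord("c07", True, True),
    AuditRecord("c08", True, False),   # false sense of security
    AuditRecord("c09", False, False),  # unprotected, and knows it
    AuditRecord("c10", False, True),   # protected without declaring it
]

if __name__ == "__main__":
    for category, pct in reconcile(SAMPLE).items():
        print(f"{category:<26} {pct:5.1f}%")
    print(risk_summary(SAMPLE))
    print("follow up first:", follow_up_list(SAMPLE))
```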

Companies with a larger organizational structure have the possibility of configuring tools
and solutions at company level, thereby improving their security level. In addition, they
can equip their systems with a configuration additional to that implanted in the computers
themselves. These are tools such as data backup systems, intrusion prevention or
detection systems, or network firewalls 17 .

An outstanding aspect is the degree of implantation of data backup systems and network
firewalls (Figure 7), with declared rates of use of 82.4% and 72.9%, respectively.

A second group of widely adopted solutions is made up of intrusion prevention systems
(51.7%), security through Internet (44.4%), identity management (33.7%) and intrusion
detection systems (32.5%).

Finally, the least used measures are document encryption and other detection systems,
used by 16.1% and 9.1% of the companies, respectively.

This figure also contrasts, for some of the analyzed tools, their use at international level.
In this type of measures, the reality is that the foreign companies show a greater level of
adoption than the Spanish ones, this therefore being an area of improvement for this type
of tools in the business sphere. A possible explanation lies in the sample bases: whereas
in Spain the base is the companies with 10 to 49 workers, in the international sphere it is
companies with between 1 and 100 employees.

17
Unlike the personal firewall, which is installed as software on a computer and filters the communications between it and the
rest of the network, the network firewall operates at the network level (layer 3) of the TCP/IP protocol stack, filtering IP packets.

Figure 7: International comparison of the implantation level of security tools and/or
solutions in the companies (%)

Solution                                  Spain    International
Backup systems for data                   82,4%    -
Network firewall                          72,9%    80,1%
Intrusion prevention systems / filters    51,7%    -
Security through Internet                 44,4%    82,8%
Identity management                       33,7%    -
Intrusion detection systems               32,5%    53,3%
Document encryption                       16,1%    44,4%
Other steering systems                    9,1%     -

(- : no international figure available for this tool)

Spain n=329, International n=2,217 Sources: INTECO (2009) and GSISS PwC (2009)

3.1.2 Reasons declared by the companies for not using the different security tools in
their equipment

The small and micro Spanish companies that declared not using the tools and/or solutions
in their companies' equipment were asked why they do not do so (Table 5). Therefore,
the calculation base in each case is made up of the number of companies that declare
not using each tool. It must be taken into account that in some cases the bases are small
and present higher sampling errors; therefore, the data must be treated with caution.

In order to facilitate the reading of the table, the percentage of companies that mention
the most widely alleged reason in each situation is highlighted in red. The belief of not
needing them and ignorance of them are the causes that most influence their non-use.
Considerations regarding price, the feeling that they hinder the operation of the equipment,
distrust and the feeling of ineffectiveness are cited to a much lesser and unequal extent.

The level of ignorance among the companies of more or less common solutions, such as
the firewall, the disk cleaning programs or the disk encryption tools, is surprising. The
same happens with the pop-up blocking tools or the anti-spam programs.

Price, without being a high-priority reason for any of the tools, only exerts a certain
influence on the non-use of antivirus/anti-spyware programs. In this case, it should be
remembered that the calculation base is very small and this can therefore weaken the
validity of the data.

Table 5: Reasons declared by the companies for not using the security tools and
solutions in the computers (%)

Columns: (A) % of companies that do not use it; reasons given by those companies:
(B) does not need it, (C) price, (D) it obstructs the equipment, (E) distrusts it,
(F) ineffective, (G) others, (H) does not know it, (I) does not answer.

Solutions                                                         A       B     C     D    E    F    G    H     I
Antivirus / anti-spyware programs                                 2,2%    52,1  14,6  6,3  4,2  0,0  8,3  12,5  2,1
Personal firewall in the computers                                27,6%   57,7  1,6   3,8  0,5  0,0  3,8  30,4  2,1
Disk encryption tools                                             31,8%   66,2  0,9   1,1  0,3  0,6  1,5  28,1  1,2
Access control / authentication means                             33,2%   71,5  1,4   1,2  1,5  0,5  4,6  18,6  0,7
Anti-spam programs                                                39,0%   62,0  1,4   1,3  0,6  4,0  5,9  24,2  0,7
Pop-up blocking tools                                             45,6%   69,4  0,6   1,4  0,8  0,5  2,8  24,1  0,5
Disk cleaning programs                                            56,4%   64,5  0,7   1,3  0,6  1,4  2,3  28,4  0,8
Different privileges in the equipment depending on the user       66,6%   75,4  0,5   1,1  0,7  0,7  2,6  18,0  1,1
Tools that allow access to their network from outside the office  77,3%   73,0  0,9   0,6  1,1  0,8  2,0  20,8  0,8

n=2,206 Source: INTECO

The detailed analysis of the reasons for not implementing the security solutions shows a
great disparity of criteria. Thus, 30.7% of the companies do not see it as a necessity
(Figure 8). Of the rest of the declared reasons, the lack of budget (30.1%) and the lack of
time (24.9%) stand out. At the opposite end are the 6.7% of companies that do not
consider it economically profitable and the 7.5% that state that it is not of interest to the
company's management.

Likewise, 24.8% of the companies taking part in the study state that they do not perceive
any barrier to the implantation of the measures.

Figure 8: Barriers to the implementation of security measures by the companies (%)

Not perceived as a necessity                                    30,7%
Lack of budget                                                  30,1%
Lack of time                                                    24,9%
No barrier perceived                                            24,8%
Difficulties in finding appropriate solutions for my business   9,3%
Lack of qualified personnel                                     8,7%
Not interesting for management                                  7,5%
Not considered cost-effective                                   6,7%

n=2,206 Source: INTECO

3.1.3 Personnel dedicated to the security of the information

The very size of the companies taking part in this study is a conditioning factor when
determining whether it is advisable to have personnel dedicated exclusively to IT aspects
and, more specifically, professionals who assume the responsibilities of a security
director.

The companies do not always have personnel suitably trained in information technologies
to confront the main IT security risks with guarantees of success.

In fact, this is confirmed by the consultation made with the companies, in which only
17.8% of them state that they have personnel exclusively dedicated to the IT aspects of
their company (Table 6).

Table 6: Distribution of companies by size according to the possession of personnel
exclusively dedicated to IT aspects (%)

Size              Yes    No
Less than 10      15,3   84,7
From 10 to 49     31,6   68,4
Total sample      17,8   82,2

n=2,206 Source: INTECO

Taking as a base the number of organizations that do have personnel with this profile
(n=392), 28.1% of them additionally have a person in charge dedicated exclusively to
directing IT security, and a further 51% have one without exclusive dedication (that is,
combined with other functions).

Figure 9: Companies that have a person in charge of directing IT security (%)

Yes, and has exclusive dedication             28,1%
Yes, but combined with other activities       51,0%
No                                            18,9%
No answer                                     2,0%

n=392 Source: INTECO

Other sources, as in the case of Panda Security 18 , indicate that 52% of the companies
in Spain have a security director (Figure 10), whereas at international level Germany is
the country with the greatest percentage of organizations that have this profile (87%). At
the same level as Spain are France (52%), Italy (56%) and Benelux (57%).

18
Op. cit. 14

Figure 10: International comparison of companies that have an information security
director (%)

Germany           87,0%
China             76,0%
United Kingdom    67,0%
USA               65,0%
Benelux           57,0%
Italy             56,0%
France            52,0%
Spain             52,0%

Spain n=2.565, International n=3.705 Source: Panda Security (2009)

The existence of a person in charge of IT security goes together with a greater
implementation of security tools in the companies' equipment: the level of adoption of
security measures is higher among the companies that have a security director than
among those that do not have this figure.

Figure 11 presents a comparison between companies with and without a security director.
The tools in which the difference is most remarkable are those that allow access to the
network from outside the office (44.2% of the companies with a security director use them,
as opposed to only 16.2% among the organizations without a director) and the use of
different privileges (51.3% as opposed to 39.2%).

The only exception is the use of pop-up blocking tools, where more of the companies
without a security director have adopted the measure.

Figure 11: Comparison between having and not having a security director with respect to
the security measures implemented in the equipment (%)

Measure                                            Without security director   With security director
Antivirus / anti-spyware                           97,3%                       98,4%
Anti-spam programs                                 67,6%                       76,5%
Personal firewall in computers                     79,7%                       82,3%
Media access control / authentication              73,0%                       82,3%
Disk cleanup programs                              52,7%                       58,4%
Pop-up blocking tools                              67,6%                       62,5%
Different privileges                               39,2%                       51,3%
Disk encryption tools                              12,2%                       20,3%
Tools to access the network outside the office     16,2%                       44,2%

Companies with director n=310, Companies that do not have director n=74 Source: INTECO

Finally, the reasons declared by the companies for not having IT personnel and/or
security directors are analyzed.

Figure 12 reflects that in both cases the main reason is the absence of interest (37.3%
and 52.7% respectively). However, before a comparative analysis of these reasons can
be made, it must be taken into account that the number of companies that answered each
of the questions is different. Whereas the small and micro Spanish companies that stated
they did not have personnel exclusively dedicated to IT aspects were 82.2% (n=1,814), in
the case of the security director it was 18.9% of the organizations (n=74).

The impossibility of finding qualified personnel to fill both profiles is the second reason
indicated by the organizations. This is the view of 18.9% of the organizations in the case
of not having personnel exclusively dedicated to IT aspects, and of 12.2% of those that
do not have a security director.

Finally, the companies indicate other reasons, such as having an external supplier that
takes care of the IT aspects or the reduced size of the companies, for not having
exclusive personnel (29.9%) or a security director (20.3%).

Figure 12: Reasons by which the companies state that they do not have personnel
dedicated to IT aspects or an IT security director (%)

                                           No interest   Others   Lack of qualified personnel   Too expensive   No answer
Do not have a security director            52,7%         20,3%    12,2%                         14,9%           -
Do not have staff devoted to IT aspects    37,3%         29,9%    18,9%                         12,9%           1,0%

Companies that do not have exclusive personnel n=1,814, Companies that do not have a director n=74
Source: INTECO

3.1.4 Annual evolution of the investment in security with respect to the IT cost

The importance that the small and micro companies give to information security lies not
only in the implantation of security tools and solutions, but also in the amount and the
assessment of the investment made in IT.

With respect to the analysis of the investment, 79.9% of the organizations consider the
security investment made by their company in relation to the total IT cost to be suitable.
17.4% of the organizations consider that they have invested little, and only 2.7% of the
companies consider in 2009 that they have invested more than expected.

The longitudinal analysis 19 of the evolution of the investment shows statistics similar to
those of 2008 (Figure 13).

19
INTECO (2008): Estudio sobre incidencias y necesidades de seguridad en las pequeñas y medianas empresas
españolas. Available at
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/estudio_seg_pymes_2

Figure 13: Annual evolution of the investment in security with respect to the IT cost (%)

                                               2008     2009
I think I have invested the right amount       79,3%    79,9%
I think I have invested little                 15,5%    17,4%
I think I have spent more than expected        5,2%     2,7%

2008 n=265, 2009 n=2,206 Source: INTECO

On the other hand, in relation to the acquisition of IT material (products and/or services),
Table 7 shows that 88.7% of the companies declare having invested less than the
previous year, as opposed to 2.6% that state having invested more, and 7.8% that have
invested the same as last year.

The analysis by company size reflects a slightly more marked tendency to invest more or
the same as last year among the companies with between 10 and 49 employees. On the
contrary, the micro companies tend to invest less than the previous year to a greater
extent than the larger ones.

Table 7: Distribution of companies by size according to the assessment made of the
acquisition of IT material (%)

Size              Invested less than     Invested   Invested the same   Does not
                  the previous year      more       as last year        know
Less than 10      89,1                   2,3        7,6                 1,0
From 10 to 49     86,0                   4,3        9,1                 0,6
Total sample      88,7                   2,6        7,8                 0,9

n=2,206 Source: INTECO

3.1.5 Security product and service needs in the small and micro Spanish
companies

Companies are clear about the requirements a security product must meet in order to be
valued positively.

In general, the companies seem to show good judgement when valuing a security product
(Figure 14). The aspects that the company values most are quality/effectiveness, the
after-sales service, ease of maintenance and ease of installation. In the case of the first
three, 6 out of every 10 companies give a positive valuation. Of all of them, the most
valued aspect is quality/effectiveness, which 66.6% of the small and micro Spanish
companies taking part in the study prioritize over the rest.

Technical support and after-sales service are highly valued by 62.1% of the organizations.
This characteristic is especially relevant for a small or micro company that, as has been
shown, generally lacks personnel exclusively dedicated to the IT aspects of its company,
or even an IT security director.

Figure 14: Valuations made by the companies of the different aspects of an IT security
product (%)

Aspect                                                  Highly       Little       Not appreciated   Don't
                                                        appreciated  appreciated  at all            know
Quality / effectiveness                                 66,6%        26,9%        2,3%              4,2%
After-sales service, technical support and warranty     62,1%        27,2%        6,1%              4,5%
Easy maintenance                                        59,7%        31,1%        5,3%              3,9%
Easy installation                                       44,4%        38,1%        12,8%             4,6%

n= 2,206 Source: INTECO

In addition, when establishing the importance that information security has for them, the
small and micro Spanish companies must decide not only on product investment but also
on other specialized services and solutions (Figure 15), among which the security audit
and diagnosis (reviews of the security of the company's computers) stands out, considered
“very necessary” or “necessary” by 76.3% of the surveyed companies. After the security
reviews, the security incident resolution service is considered necessary or very necessary
by 73.2% of the companies. Legal advice for compliance with the LOPD is valued by
68.9% and, finally, specialized security training/information by 66.5% of the small and
micro companies taking part in the study.

Figure 15: Valuations made by the companies of the need for specialized security
services/solutions (%)

Service / solution                              Very        Necessary   Little      Don't
                                                necessary               necessary   know
Security reviews                                28,9%       47,4%       18,1%       5,7%
Advice for LOPD compliance                      28,7%       40,2%       21,0%       10,1%
Security incident resolution service            23,5%       49,7%       21,0%       5,8%
Specialized security training / information     18,9%       47,6%       28,4%       5,1%

n=2,206 Source: INTECO

3.2 Good security practices

Beyond the appropriate use of the tools at the companies' disposal, covered in the previous
section, the next element is the development of good practices that make it possible to
guarantee and complete the companies' security posture.

In the small and micro Spanish companies, as in households, it is the good practices that, when
an incident occurs, can define the attitude the company must take to resolve it, without it
becoming a serious problem that affects its daily activity.

This is the case of the use by companies of software with an original licence. Its importance
lies in the fact that original software is the only kind that guarantees correct operation
without anomalies in the installation process, which makes it harder for viruses or other
malicious software to enter the system and/or the equipment. Although in Spain, according to the
Business Software Alliance (BSA) 20, the rate of unlicensed software

20 IDC (2008): Sixth Annual Global Software Piracy Study: Spain Press Release. Available at:
http://global.bsa.org/globalpiracy2008/pr/pr_spain.pdf

stands at 42%, in the present study 85.7% of the organizations state that they have their
software in original format and 7.3% do not know.

This section analyses a pair of security good practices: backups and the updating of programs
and systems. The importance of both lies in the fact that they are within the reach of the
organizations, and adopting them would equip them with a greater level of security.

3.2.1 Making backups

Making backups is a habitual task in part of the companies, driven by the fear of losing
information that is vital for the business, although it is still necessary to instruct employees
on the need to store certain copies of sensitive information outside the usual place of work, in
order to avoid the complete loss of data should a force majeure incident occur.

The importance of this practice lies in the diversity of risks that can affect the systems and
computers of the companies, as shown in the Study on safety measures in educational
platforms 21, carried out by INTECO in 2009. That study used as a reference the threats and the
dimensions, or aspects of security, documented in the Magerit methodology 22 to identify the
organizations' risk map. This type of map distinguishes between natural and industrial disasters
(for example, fire or degradation of the information storage media) and human errors or failures
(for example, configuration errors or oversights).

Faced with this panorama, the organizations must not only resort to the virtual and physical
security solutions discussed in the previous section, but must also make backups.

Although globally 94.2% of the companies carry out this practice, the analysis by company size
shows that it is more widespread among the small organizations (99.1%) than among the micro
companies (93.3%).

21 INTECO (2009): Estudio sobre medidas de seguridad en plataformas educativas. Available at:
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/Estudio_plataformas_educativa

22 Magerit (2006): Methodology for Information Systems Risk Analysis and Management. Ministerio de Administraciones
Públicas, version 2.0. Available at: http://www.csi.map.es/csi/pdf/magerit_v2/metodo_v11_final.pdf

Figure 16: Companies by size that make backups (%)

Size            Yes   No   Don't know
Total           94,2  4,8  1,0
Under 10        93,3  5,5  1,2
From 10 to 49   99,1  0,6  0,3

n= 2,206 Source: INTECO

Once it is confirmed that the companies follow this practice, the next step is to know how
frequently they do it (Figure 17). The percentage is calculated over the total of organizations
that do make backups (n=2,077, 94.2% of the companies analysed in the study).

43.2% of the organizations make backups daily, whereas 3.6% make them once a quarter. It is
also interesting to note that 30.4% carry out this practice once a week and 13.8% once a
month.

Figure 17: Frequency with which the companies make backups (%)

Daily: 43,2; Once a week: 30,4; Once a month: 13,8; Once each trimester: 3,6; Others, Don't know
and No answer together: 9,0 (values shown: 5,7, 2,2 and 1,1).

n=2,077 Source: INTECO

As regards the system used to make the copies (Table 8), there is no single majority method
among the participating companies. 48.4% of the companies that make backups do so by means of
some automatic system, compared with 48% that do so manually. The behaviour of the small
companies stands out, since 65.8% of them opt more clearly for the automatic method, compared
with 29.8% that admit to doing it manually.

Table 8: Type of configuration used to make backups, according to the size of the company (%)

Size            Automatic  Manual  Does not know
Less than 10    45,2       51,3    3,5
From 10 to 49   65,8       29,8    4,4
Total Sample    48,4       48,0    3,6

n=2,077 Source: INTECO

As for the medium used to store the copies, hardware (CD, DVD, tape, external hard disk)
clearly predominates, with 77.9%. 6.4% use a centralized server of their own company, whereas
4.6% use a server located in a remote location, split between a server external to the company
(4.1%) and a remote server of the company itself (0.5%).
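As an added example (not INTECO's code and not part of the study), the following Python script implements the practice described above: an automatic backup with a SHA-256 manifest, a copy to a second store standing in for the off-site location, verification of that copy, and a restore test, which also detects a copy damaged by media degradation. The directory names and sample files are constructed for the example.

```python
"""Automated backup with integrity manifest, off-site copy and restore test.
Added example, not INTECO's code; paths and sample data are constructed."""
import hashlib
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(archive: Path) -> Path:
    """The manifest sits next to the archive as <archive name>.sha256."""
    return archive.parent / (archive.name + ".sha256")


def create_backup(source: Path, local_store: Path, offsite_store: Path) -> dict:
    """Archive `source`, record its digest, copy archive and manifest to the
    off-site store and verify the copy before reporting success."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    local_store.mkdir(parents=True, exist_ok=True)
    offsite_store.mkdir(parents=True, exist_ok=True)
    archive = local_store / f"backup-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    digest = sha256_file(archive)
    manifest_for(archive).write_text(f"{digest}  {archive.name}\n")
    # Off-site copy: in a real deployment this is another building or a remote
    # server; here a second directory stands in for it (constructed example).
    offsite_archive = offsite_store / archive.name
    shutil.copy2(archive, offsite_archive)
    shutil.copy2(manifest_for(archive), manifest_for(offsite_archive))
    if sha256_file(offsite_archive) != digest:
        raise RuntimeError("off-site copy does not match the local archive")
    return {"archive": archive, "offsite": offsite_archive, "sha256": digest}


def verify_and_restore(archive: Path, restore_to: Path) -> list:
    """Check the archive against its manifest, refuse unsafe members, and
    extract it: a backup that has never been restored is an untested backup."""
    expected = manifest_for(archive).read_text().split()[0]
    actual = sha256_file(archive)
    if actual != expected:
        raise RuntimeError(f"checksum mismatch: {actual} != {expected}")
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            if Path(member.name).is_absolute() or ".." in parts:
                raise RuntimeError(f"unsafe path in archive: {member.name}")
            if member.issym() or member.islnk():
                raise RuntimeError(f"link refused in archive: {member.name}")
        tar.extractall(str(restore_to))
        return sorted(tar.getnames())


def demo() -> dict:
    """Run the full cycle on constructed sample data inside a temporary tree."""
    sample = "id,importe\n1,120.50\n"  # constructed sample record
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "office" / "clientes"
        source.mkdir(parents=True)
        (source / "facturas.csv").write_text(sample)
        (source / "contactos.txt").write_text("constructed sample contact\n")
        result = create_backup(source, root / "office" / "backups", root / "offsite")
        members = verify_and_restore(result["offsite"], root / "restore")
        restored = (root / "restore" / "clientes" / "facturas.csv").read_text()
        # Simulate media degradation of the off-site copy: one appended byte.
        with result["offsite"].open("ab") as f:
            f.write(b"\x00")
        corruption_detected = False
        try:
            verify_and_restore(result["offsite"], root / "restore2")
        except RuntimeError:
            corruption_detected = True
        return {
            "offsite_matches": True,  # create_backup raised otherwise
            "members": members,
            "restored_content_ok": restored == sample,
            "corruption_detected": corruption_detected,
        }


if __name__ == "__main__":
    print(demo())
```

Scheduling `create_backup` from cron or a scheduled task turns the manual regime into the automatic one used by 48.4% of the companies above.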

Table 9: Place where the companies store backups, according to size of the company (%)

Employees       Hardware  Centralized server of the company  External server  Remote server of the company  Others  Does not answer
Less than 10    78,6      6,2                                3,7              0,5                           2,1     0,9
From 10 to 49   74,2      7,7                                6,4              0,9                           1,2     2,1
Total Sample    77,9      6,4                                4,1              0,5                           2,0     1,1

n=2,077 Source: INTECO

Although only a reduced percentage of companies state that they use the company's servers to
store backups, this does not mean that most organizations lack this resource. Thus, 29.4% of
the companies state that they have one, compared with 68.5% that indicate they do not. The
analysis by company size shows that more than half of the small companies, that is, those with
between ten and forty-nine employees, have servers.

Table 10: Server availability, according to the size of the company (%)

Employees       Yes   No    Does not know  Does not answer
Less than 10    25,3  72,4  2,3            0,0
From 10 to 49   52,9  46,2  0,6            0,3
Total Sample    29,4  68,5  2,0            0,1

n=2,206 Source: INTECO

For the companies, having servers is as important as equipping the rooms where they are housed
with security equipment. The most widely implemented measure is fire detection and extinguishing
systems: 40.5% of the companies state that they have them. Nevertheless, in general terms, and
as Figure 18 shows, the organizations do not consider equipping the rooms with security
systems.

Figure 18: Companies that have security systems in the room where the server is housed (%)

System                                Yes   No    Don't know  No answer
Fire detection and fire suppression   40,5  52,1  4,6         2,8
Physical access control               38,1  57,2  2,2         2,6
False floor and false ceiling         33,4  58,9  4,9         2,8
Independent air conditioning          33,4  61,5  2,5         2,6
Moisture detectors                    10,6  82,0  4,3         3,1

n=649 Source: INTECO

3.2.2 Updating programs and operating systems

Another mechanism available to the companies to guarantee the security of their equipment is
to keep their programs up to date. Its importance lies in the fact that missing updates can lead
to anything from failures (for example, in the installation of programs) to the malfunction of
added hardware that needs them, or finally to the systems being threatened by
vulnerabilities 23.

Thus, the companies must become aware and take control of the updates of their operating system
and their security solutions so that their equipment is actually protected. Since threats change
constantly, it is also necessary to update the security software periodically in order to have
the patches that protect the equipment against those new threats.

The companies participating in the study are aware of this, since 88.9% of them say they have
updated their operating system and security tools, compared with 6.7% of organizations that
state they have not updated them (Figure 19).

The real data, based on the iScan security analysis, show a slightly different picture. It is
true that in most of the analysed equipment the operating system was updated, but

23 Vulnerability (in the field of information security): weakness or flaw in the design, programming or configuration of
systems or communications, which could be exploited to obtain unauthorized access or cause a malfunction. In particular,
so-called design flaws in programs that can be used by a third party to access or attack a user's computer.

the percentage is not 88.9% (as the owners of the companies state in the survey) but 58.5%.

Figure 19: State of update of the operating system and the security tools of the companies:
declared data versus real data (%)

            Updated  Not updated  Don't know/No answer
Declared    88,9     6,7          4,4
Real        58,5     36,7         4,8

Declared n=2,206, Real n=622 Source: INTECO

There is, therefore, a percentage of companies that think their equipment is updated when, in
fact, it is not.

53.7% of the companies have a correct perception, since they declare that they have the
operating system and programs updated and this is indeed the case. Consequently, there is a
group of companies that may be exposed to a potential risk: both those that think their equipment
is updated when in fact it is not (31.1%) and those that think their equipment is not updated
and it really is not (3.8%).

The mechanism used to update the operating system is automation: 83.9% resort to this method,
compared with 12% that do it manually.

Among the companies that do it manually, 39.2% declare that they update the programs on their
computers at least once a month (Table 11) and 18.3% do so weekly. 42.1% declare that they
make these updates less regularly (quarterly or annually).

In the small companies the most habitual update frequency is monthly (41.0%), with a clear
difference compared with doing it weekly (25.6%) or with a less periodic update, that is,
quarterly or annual (33.3%). However, for the micro companies the most used frequency is

less than monthly (43.9%), followed by monthly, used by 38.8% of the organizations.

Table 11: Frequency of manual updating of programs by the companies, according to size of the
company (%)

Employees       Less regularly  Monthly  Weekly  Never
Less than 10    43,9            38,8     16,8    0,5
From 10 to 49   33,3            41,0     25,6    0,0
Total Sample    42,1            39,2     18,3    0,4

n=235 Source: INTECO

Among the organizations that indicate they do not make updates (n=148), the main reason,
declared by 48% of them, is that updating brings them no advantage, followed by 39.8% that
state they do not know how updates are made, 11.1% that indicate they had a bad experience when
they made an update in the past and it had the opposite effect to the one desired on their
equipment, and the rest, 1.2% of the small and micro companies, do not answer.

Other reasons alleged for not making updates are that they have had bad experiences with them,
since they caused undesired effects (11.1%), and 39.8% do not know how to make the updates.

3.3 Knowledge of and adjustment to the data protection regulations

The companies, in their capacity as agents that handle and process personal data, are obliged to
guarantee the fundamental right to the protection of the personal data they hold. The regulations
make no exceptions by size, turnover or sector of activity, so any company is included in the
scope of application of the legislation, as long as it works with files containing personal
data.

For that reason, it is relevant to analyse to what extent the companies know and comply with the
Spanish data protection regulations, made up of the Organic Law on Data Protection (hereinafter
LOPD) and its implementing Regulation (hereinafter RDLOPD).

The starting point for the analysis is the level of knowledge of the regulations among the small
and micro Spanish companies, and more specifically, to what extent the organizations consider
that the data protection legislation affects them or not.

Globally, 60.2% of the companies recognize that they are affected by the data protection
regulations, compared with 26.1% that think they are not. A further 13.7% of the organizations
do not know whether the regulations apply to them.

There are differences according to company size: the companies with 10 to 49 employees have a
more accurate perception of reality (75.6% know they are subject to the regulations, compared
with 17.1% that believe they are not and 7.3% that do not know), whereas the micro companies
tend to show a lower level of knowledge (57.5% consider themselves affected by the data
protection regulations, 27.7% do not feel affected and 14.9% do not express an opinion).

Table 12: Companies that consider themselves affected by the data protection regulations,
according to the size of the company (%)

Employees       Yes   No    Does not know
Less than 10    57,5  27,7  14,9
From 10 to 49   75,6  17,1  7,3
Total Sample    60,2  26,1  13,7

n=2,206 Source: INTECO

The data confirm a positive evolution in the level of knowledge of the regulations. In 2008,
only 34% of the companies stated that they knew the LOPD and a reduced 14% declared that they
were aware of the existence of the RDLOPD 24. It seems that the awareness actions promoted by
the Spanish Data Protection Agency and INTECO, among other actors, are achieving their
objectives.

If the analysis is limited to the companies that actually have files with personal data, the
level of accurate knowledge is even greater: among the companies that have files with personal
data, almost 80% know they are affected by the regulations, as Figure 20 shows.

24 Survey data from the Study on the degree of adaptation of Spanish Small and Medium Enterprises to the Organic Law on
Data Protection (LOPD) and the new implementing Regulation (RDLOPD), published by INTECO in August 2008. Available at:
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/estudio_lopd_pymes

Figure 20: Companies that have files including personal data, by whether they consider
themselves affected by the LOPD (%)

                      Consider not affected  Consider affected  Don't know
No files available    55,7                   33,3               11,0
Files available       12,1                   79,7               8,3

Don't have files n= 706, Have files n= 1,294 Source: INTECO

Next, compliance with some of the provisions contained in the data protection regulations is
analysed. In particular, data are offered on the following obligations:

• Notification of files to the Registry of the Spanish Data Protection Agency.

• The duty to request consent.

• The duty to inform.

52.6% of companies have notified the existence of their files with personal data to the
Registry of the Spanish Data Protection Agency. 33.7% admit they have not done so and 13.7%
acknowledge that they do not know.

Also in this case the evolution is positive when compared with the percentage recorded in
2008 25. In just one year the proportions of companies that comply and fail to comply have been
reversed: in the present reading, a majority of 52.6% comply with the regulations; the previous
year, the proportion of companies that had not declared their files to the AEPD exceeded that
of those that had (47.0% compared with 37.0%).

25 Op. cit. 1

Figure 21: Annual evolution of companies that state they have declared their files with
personal data to the Data Protection Agency (%)

                          2008  2009
Yes                       37,0  52,6
No                        47,0  33,7
Don't know/Don't answer   16,0  13,7

2008 n=250, 2009 n=1,294 Source: INTECO

Figure 22 confirms that the size of the company is associated with a higher rate of compliance
with the obligation to notify: 60.9% of the companies with 10 to 49 employees do so, compared
with 50.9% in the case of the micro companies.

Figure 22: Companies by size that have files and have notified their existence to the Registry
of the Spanish Data Protection Agency (%)

Size            Yes   No    Don't know/Don't answer
Total           52,6  33,7  13,7
Under 10        50,9  35,4  13,7
From 10 to 49   60,9  25,6  13,5

n=1,294 Source: INTECO

Article 6 of the LOPD establishes the obligation to request the consent of the data subject
before processing the data. The RDLOPD, in Section 1 of Chapter II, develops this obligation,
establishing that the data controller must obtain the consent of the interested party for the
processing of his or her personal data, except in those cases in which it is not indispensable
in accordance with the provisions of the law.

62.3% of the companies participating in the study acknowledge that they ask the data subjects
for this type of consent, compared with 25.4% that do not.

Once again, the data reflect a positive evolution when compared with those obtained in the 2008
study, where the percentage of organizations that complied with the duty to obtain the consent
of the data subject was only 29%.

Figure 23: Annual evolution of the level of compliance, among companies that have files, with
the duty to request consent from the data subjects (%)

2008: Yes 29,0; No 70,0; Don't know / Don't answer 1,0.
2009: Yes 62,3; No 25,4; Don't know 10,8; Don't answer 1,5.

2008 n = 250, 2009 n = 1,294 Source: INTECO

Article 5 of the LOPD recognizes the right to information in the collection of data, providing
that the interested parties from whom personal data are requested must previously be informed
in an express, precise and unequivocal way of a series of circumstances, which concern the
existence of the file and its purpose, the identity of the data controller, and the possibility
of exercising their rights of access, rectification, cancellation and opposition (ARCO rights).

On the other hand, Section 2 of Chapter II of the RDLOPD develops the rule, indicating that the
duty to inform must be carried out through means that allow its

fulfilment to be proven. That is, it is not valid to inform the interested party verbally
without recording it in some way.

67.1% of the companies state that they comply with the duty to inform the holders of the rights,
which represents an increase of 38.1 percentage points with respect to the previous year's
reading.

Figure 24: Annual evolution of the level of compliance, among companies with files with personal
data, with the duty to inform the data subjects (%)

2008: Yes 29,0; No 69,0; Don't know / Don't answer 2,0.
2009: Yes 67,1; No 22,2; Don't know 9,2; Don't answer 1,5.

2008 n=250, 2009 n=1,294 Source: INTECO

The diagnosis, from the analysis carried out so far, is very positive: the small and micro
Spanish company is aware of being subject to the data protection regulations and, in the
majority of cases, complies with the obligation to register files with the AEPD registry, the
obligation to request consent and the obligation to inform the holders of the rights. In
addition, in all cases, the evolution since 2008 is very positive, confirming the effectiveness
of the awareness and training activities undertaken to date.

There is one area within data protection in which the small Spanish company still has room for
improvement: reviewing compliance with the Organic Law on Data Protection in the security audits
carried out by the companies. The RDLOPD establishes this biennial review as an obligation for
all companies that have files at the high security level, and it has been mandatory since 2008
(which may explain the still reduced level of compliance).

Of the total of companies with more than 10 employees, only 15.8% reviewed compliance with the
data protection regulations in the security audits they carried out. The data are in line with

compliance at international level, where 13.5% carry out this practice according to data from
the GSISS 26 (in this case, companies with between 1 and 100 workers).

Despite the moderate level of performance of this type of audit in Spain in 2009, the evolution
shows a positive trend: in 2008, only 6% of the small Spanish companies stated that they carried
out these reviews 27.

Figure 25: International comparison of companies that have reviewed the data protection
regulations in the security audits carried out (%)

                2008  2009
Spain           6,0   15,8
International   12,8  13,5

2008 (Spain n=250, International n=161), 2009 (Spain n=329, International n=197)
Sources: INTECO (2008-2009) and GSISS-PwC (2008-2009)

In conclusion, the overall balance is positive: the small Spanish company is increasingly
adopting the data protection regulations.

In addition, the companies show a positive predisposition to comply with the legislation in
force: 68.9% of the small and micro Spanish companies participating in the study consider it
necessary or very necessary to receive advice to guarantee adoption. 10.1% do not know whether
this advice would be of value. The rest, 21% of the organizations, consider it little necessary
(Figure 15).

In view of these data, the administrations need to continue their efforts to raise awareness and
to provide guidelines to assist the business community. In this regard, some outstanding
initiatives are listed next:

26 Op. cit. 13

27 Op. cit. 13

• The Guide for companies: how to adapt to the data protection regulations 28, prepared and
published by INTECO in February 2009, offers basic guidelines for implementing the
regulations, setting out the general framework defined in the LOPD and RDLOPD and detailing
the provisions and obligations that affect companies.

• The Spanish Data Protection Agency (AEPD) published two interesting guides in 2008, the
Data protection guide for the person responsible for files 29 and the Data security guide
2008 30. The first addresses the fundamental aspects of the obligations that affect those
responsible for files, and the second aims to facilitate the adoption of the measures
included in the RDLOPD.

• At www.inteco.es a catalogue of business consultants is available, which includes a list of
professionals specialized in offering security and data protection solutions to SMEs. It is
a non-exhaustive list, but it can constitute a starting point for companies that need
support to adapt to the data protection regulations.

3.4 Security plans and policies

Having security plans and policies is another of the practices that allow the small and micro
Spanish companies to have a strategy for the progressive increase of their security level.

The best way for companies to guarantee the implementation of these plans and policies is the
use of an Information Security Management System (ISMS). Built on the principles of the ISO
27001 standard, through an ISMS the organizations know the risks to which their information is
exposed and manage them by means of a defined, documented and systematic approach known to all
members of the organization, which is constantly reviewed and improved.

34.3% of the companies had a security plan at the time the survey was carried out, or intend to
establish one in the future. For the purposes of the study, a security plan is understood as the
establishment of a strategy or calendar for the gradual increase of the company's security level
(by means of the acquisition of security solutions, etc.).

28 INTECO (2009): Guía para empresas: como adaptarse a la normativa sobre protección de datos. Available at
http://www.inteco.es/Seguridad/Observatorio/manuales_es/GuiaManual_LOPD_pymes

29 Agencia Española de Protección de Datos (2008): Guía de protección de datos para el responsable de ficheros. Available
at: https://www.agpd.es/portalweb/canaldocumentacion/publicaciones/common/pdfs/guia_responsable_ficheros.pdf

30 Agencia Española de Protección de Datos (2008): Guía de seguridad de datos. Available at:
https://www.agpd.es/portalweb/canaldocumentacion/publicaciones/common/pdfs/guia_seguridad_datos_2008.pdf

Figure 26: Availability of a strategy for the increase of the security level (%)

[Pie chart. Categories: Information security and physical security plan; Information security
plan; Security plan; None, but it is in my approaches; None, and it is not in my approaches;
Don't know/Don't answer. Values shown: 53,8, 19,2, 15,2, 11,9, 11,6, 2,1, 1,5.]

n=329 Source: INTECO

Significant differences appear when these results are compared with the international analysis.
The Spanish companies are behind as regards the establishment of these strategies to increase
the security level of the organization.

Figure 27: International comparison of the existence of a strategy for the increase of the
information security level and future plans (%)

                Yes   Is in my approaches  No    Don't know/Don't answer
Spain           13,7  19,1                 53,8  11,9
International   40,4  23,5                 36,1  0,0

Spain n=329, International n=2,217 Sources: INTECO (2009) and GSISS-PwC (2009)

According to a recent study by McAfee 31, companies increasingly tend to outsource ICT
functions. 19.2% of the organizations that consider their security resolved do so in this way.
This can produce a false sense of security as a consequence of assuming that the aspects
developed and controlled in the policies are already implemented by the companies in charge of
managing their security.

Having procedures that provide guidelines for carrying out security controls is a good practice
followed by the companies. 48% of the organizations with more than ten employees have
techniques that standardize the making of backups, and 30.7% have methods for authorizing
shipments or data transfers. Where they have them, it is more frequent not to have the procedure
in writing.

Figure 28: Typology of existing security controls in the companies (%)

Control                                                               Yes, no written procedure  Yes, written procedure  No    Don't know  Don't answer
How to back up data                                                   35,9                       12,1                    47,5  4,4         0,1
How to authorize the remittance or transfer of data                   20,1                       10,6                    60,2  7,0         2,1
How to register a user on the system and which permissions to assign  16,7                       12,4                    64,5  6,2         0,2
How to protect communications                                         13,4                       7,3                     73,2  5,9         0,2

n=2,206 Source: INTECO

The annual evolution (2008/2009) shows a positive change in most of the procedures, the most
significant being, with an increase of 16.6 percentage points, the case of having techniques
for making data backups.

31 McAfee (2008): Does size matter? The security challenge of the SMB. Santa Clara, USA. Available at:
http://www.mcafee.com/us/local_content/reports/does_size_matter_en_v2.pdf

Figure 29: Annual evolution of the type of security controls (%)

Control                                                               2008  2009
How to back up data                                                   31,4  48,0
How to authorize the remittance or transfer of data                   20,5  30,7
How to register a user on the system and which permissions to assign  24,9  29,1
How to protect communications                                         42,7  20,7

n 2008=265, n 2009=2,206 Source: INTECO

46.5% of the organizations configure their employees' access to information by establishing
defined profiles and/or groups. A further 43.5% of the participating organizations state that
not all employees have access to all the information, despite not having defined that access by
means of groups. Finally, only 7.6% of the companies confirm that all their employees have
access to all the information.

The existence of plans and policies that affect the level of security of companies with
more than ten workers has also been analyzed. The most frequent is the awareness plan,
implemented in 24.6% of the companies, followed by the policy on use of electronic mail
(17.6%) and the business continuity plan (11.9%).

Awareness and business continuity plans have a higher level of implementation
internationally than in Spain: 38.5% of international companies of 1 to 100 employees
have a business continuity plan and 39.2% an awareness plan 32, according to the data
of the GSISS study 33 (Figure 30).

32
These percentages should be taken with caution because the companies analyzed in the international arena have 1 to 100
workers (with a sample of 2,217 entities), while in Spain the companies analyzed have 10 to 49 employees (with a sample of
329 entities).

33
Op. cit. 13

Figure 30: International comparison of the existence of security plans and policies in the
companies (%)

Plan / policy              Spain   International
Awareness Plan             24.6    39.2
Business Continuity Plan   11.9    38.5
E-mail use Policy          17.6    -

Spain n=329, International n=2,217 Sources: INTECO (2009) and GSISS-PwC (2009)

With respect to the continuity plan, it must anticipate the possible contingencies that
can affect the critical functions or processes of the organization and ensure that the
response to all of them is executed in an organized and consistent way.

The priority among the subjects addressed by the continuity plan is, as can be observed
in Figure 31, the identification and prioritization of critical business processes with
80.1%, the definition of recovery times in the face of incidents (62.5%) and the
communication strategies of the plan (58.2%).

Figure 31: Distribution of the contents of the continuity plan of the companies (%)

Content of the plan                                                %
Identification and prioritization of critical business processes   80.1
Definition of recovery time from incidents                         65.2
Communication strategies, internal / external                      58.2
IT Risk Assessment                                                 54.6
Continuity plan test                                               50.4

n=141 Source: INTECO

Finally, the companies that have put in place security plans, procedures and/or policies
can fully verify their state of evolution and degree of attainment by using a security
audit as the mechanism, in which they can also evaluate and establish the improvement
actions to carry out.

In the study, 22.8% of the organizations with more than ten employees state that they
have at some time carried out a security audit (n=75). Different aspects were reviewed in
the audits, among which the following stand out:

• The activities relating to the operation or administration of the company, reviewed
in 84% of the cases.

• The server configuration and the access control measures, each reviewed by 78.7% of
the small and micro Spanish companies that state they have carried out audits.

• The procedures and the organization of the company, in 69.3% of the cases.

• The degree of compliance with the data protection regulations, also evaluated by
69.3% of the organizations that carried out a security audit.

Figure 32: Aspects reviewed in the security audits of the companies of more than ten
employees (%)

Aspect reviewed                              %
Exploitation (backups, administration...)    84.0
Server settings                              78.7
Access control measures                      78.7
Procedures and organization                  69.3
LOPD compliance                              69.3
Physical security                            64.0
Other                                        22.7

n=75 Source: INTECO

As a result of having carried out a security audit, 81.3% of the companies made some type
of change (Figure 33), the most frequent being a change in some process (40%) and the
development of security policies (36%).

Figure 33: Changes made by the companies after carrying out the security audits (%)

Change made                          %
Some process changed                 40.0
Developed / developing policies      36.0
Purchased new security solutions     32.0
None                                 18.7
Others                               14.7

n=75 Source: INTECO

4 SECURITY INCIDENTS: SMALL AND
MICROCOMPANY PERCEPTION AND REAL
SITUATION OF THEIR EQUIPMENT

Having described the state of security of the small and micro Spanish companies, the
following chapter studies what their security incidents are and to what extent they affect
their equipment.

To carry out the analysis, data derived from the perception of the company owner (based
on the information provided in the surveys) are examined together with real data coming
from the analysis of the audited equipment by means of iScan, the security analysis tool
owned by INTECO and specialized in the detection of malicious code (malware) 34.

The strength of the study lies in the possibility of crossing both sources of information,
since the methodology used allows perception and reality to be contrasted. This implies
that the analysis presented in this section considers 3 different calculation bases:

• For the general perception of the companies about the occurrence of incidents, the
total of companies participating in the survey has been considered (2,206).

• For the analysis of malicious code, the total of companies that have carried out
security audits with the iScan software has been considered (622).

• For the crossings between both, the analysis has been made on the subsample of
companies that, having participated in the survey, also carried out security audits
with iScan (527).

In each graph, the calculation base used is indicated.

4.1 Perception of security incidents by the companies

22.7% of the Spanish companies with fewer than 50 employees and at least one computer
connected to the Internet declare not to have suffered any security incident, as opposed
to 77.4% that say they have registered some.

34
More information is presented in detail in Chapter 2.2.2 Phase 2: Audit of security.

The incidents that take place most frequently are the reception of unwanted electronic
mail (spam), reported by 63.2% of the surveyed organizations, viruses (49.2%), technical
failures (22.8%) and trojans (21.7%).

Less frequent incidents are, in the opinion of the companies, IT frauds (4.7%), the loss
or theft of data or information (4.6%) and distributed denial of service (DDoS)
attacks 35, suffered by 1.5% of the organizations.

Figure 34: Security incidents declared by the companies (%)

Incident                               Yes    No     Don't know
Junk mail (spam)                       63.2   34.6    2.2
Viruses                                49.2   48.8    2.0
Technical failures                     22.8   70.9    6.3
Trojans                                21.7   68.9    9.4
Spy software                           15.1   74.9   10.0
Phishing or telematic frauds            4.7   83.5   11.8
Data or information loss or theft       4.6   87.4    8.0
Denial of Service (DDoS) attacks        1.5   81.9   16.6

n=2,206 Source: INTECO

When this chapter was introduced, it was explained that the strength of the
methodology consists precisely in allowing the contrast between the perceptions of the
company owner, based on the statements made in the survey, and the reality of the
equipment, based on the online audit carried out. A first comparison is presented next
(Table 13), from which conclusions can be advanced that will be examined in more depth
further on:

• In the first place, the confusion that the term virus continues to generate among
users is confirmed. 49.2% stated that they had viruses on their equipment, when in
the remote analyses carried out not a single variant has been identified 36.
However, if the term virus is extended to any manifestation of malware, then the
perception of the user and the real situation of the equipment are seen to be in
tune, since 48.4% of the audited computers present some manifestation of malware.

• Secondly, the real presence of trojans in the equipment (27.8%) surpasses the
level perceived by the company owners (21.7%).

• Finally, spy software is present in the equipment to a lesser extent (1.4%) than
the surveyed companies think (15.1%).

35
Denial of service is understood, in security terms, as a set of techniques that aim to leave a server inoperable. The
attack consists of saturating the server with service requests until it cannot meet them, causing it to collapse. A more
sophisticated method of attack is the Distributed Denial of Service (DDoS), in which the requests are sent in a coordinated
manner from multiple computers, which may be being used for this purpose without the knowledge of their rightful
owners. This may be achieved by using programs that allow malware to take control of the computer remotely, as in the
cases of certain types of worm, or because the attacker has managed to enter the victim's computer directly.

36
This reflects the tendency to abandon the development of viruses in favour of trojans, because the latter are motivated by
providing their creators some kind of economic benefit, so that more time and effort is invested in programming and
disseminating these specimens. Consider also that, in the case of viruses, the effectiveness of their detection by iScan is
not total, as explained in epigraph 2.2.2 Methodological Point. Since iScan can only detect known malware, and viruses (like
worms) generate new fingerprint files that are therefore not present in the databases of known malware, there may be virus
samples that are not being detected.

Table 13: Level of security incidents in the companies: declared data versus real data (%)

Incident        Declared   Real
Total malware   -          48.4
Virus           49.2        0.0
Trojans         21.7       27.8
Spy software    15.1        1.4

Source: INTECO

4.2 Real incidents detected in the computers of the small and micro Spanish
companies

This section is constructed entirely from the real data collected from the equipment of
the organizations thanks to the iScan tool developed by INTECO.

The online analyses offer, among other data, information on the level of infection of the
audited equipment, as well as on the typology of malicious code present in it.

The term malware comes from the English malicious software, and it is any computer
program whose objective is to infiltrate or damage a computer without the knowledge of
its owner and with very diverse purposes. For the purposes of this study, the terms
malware and malicious code or program are used interchangeably. In everyday language
the generic expression "computer virus" is used to describe all types of malware,
although in fact the virus is only one of its multiple typologies.

The classification used to group the manifestations of malicious code that will be
analyzed in this epigraph is described next:

• Trojan or Trojan horse: a piece of harmful software disguised as legitimate software
that is not able to replicate itself, that can be bundled with any type of software
by a programmer and that contaminates the equipment by means of deceit. Although
they do not produce really visible or appreciable effects at the moment they arrive
at the equipment, they present a high level of danger. Within the trojans, in turn,
different types exist, based on their effects on the system, among which the
following stand out:

o Bankers or banking trojans: they steal the authentication credentials used by
users to conduct banking operations online. The information stolen depends on the
security implementation of the site against which they act, and ranges from
capturing validation forms to capturing video of the user's activity while
performing this validation, or stealing digital certificates. This type of malware
is on the rise, and its objective is centred on fraud.

o Backdoors: they allow the attacker to take remote control of the infected system,
being able to carry out diverse actions (spy on the remote desktop, take webcam or
screen captures, upload or download files, alter the normal operation of the
system, etc.).

o Keyloggers: they have the capacity to capture and store the keystrokes made on
the keyboard. Later this information (which can contain passwords, banking data,
etc.) is sent to an attacker, who can use it for his own benefit. In fact, this is
a variety that is also centred on fraud.

o Telephone diallers: programs that, once installed in the equipment, divert the
original telephone connection towards another number of special cost (806, 807,
etc.) with the consequent economic damage for the affected user. They can only
affect users who access the Internet through narrowband by means of RTB (Basic
Telephone Network) or RDSI (ISDN), for which reason this is an infrequent category.

• Virus: computer programs that need to lodge in another file and that can infect
other files/programs by modifying them, in order to include copies of themselves in
the infected element. Erroneously, all malicious software is included under this
name.

• Worm: programs with the capacity to propagate to other parts of the affected
equipment, to removable devices or to other equipment. Depending on its code, it
could carry out different harmful actions on the systems. Unlike viruses, worms do
not need another file to replicate themselves. They can modify the operating system
in order to execute automatically as part of the system boot process. In order to
contaminate other systems, they exploit vulnerabilities of the target or use some
type of social engineering to deceive users into executing them.

• Adware: it shows advertisements that appear unexpectedly on the equipment while a
web page is being visited or after it has been installed in the memory of the
computer. Sometimes they compile information on the browsing habits of users in
order to later send them advertising matching their interests.

• Spyware: programs that compile information on the user without their consent. As a
general rule, they are installed as browser plugins without the knowledge of the
user and send the browsing habits (for example, which pages the user visits) to a
server on the Internet. In addition to the invasion of privacy, these programs
transmit information constantly, which is why they consume bandwidth of the
system's Internet connection and negatively affect the speed of the other services
the user is using.

• Jokes: they alter the normal operation of the equipment with actions that bother or
distract the user, although they do not cause any damage to the system.

• Exploit: malicious code created with the purpose of taking advantage of some failure
or vulnerability of the systems. Usually they are used to execute arbitrary code
remotely, to enter the vulnerable equipment without the legitimate user noticing
and to act freely within the attacked system.

• Rootkits: programs inserted in a computer after an attacker has gained control of
the system. Rootkits generally include functions to hide the signs of the attack,
such as erasing login logs or concealing the attacker's processes.

• Scripts: code written in some programming language with the objective of carrying
out unwanted actions on the system, normally through the browser or electronic mail
in HTML format. The most common languages for this type of code are Visual Basic
Script, JavaScript, etc.

• Tools: programs that, without needing to be malware, can be used by a remote
attacker to carry out security analysis, to access the affected system, or to carry
out other illegal actions (password cracking, port scanning, privilege escalation,
etc.). The danger of the tool depends on whether it has been installed with the
consent of the user and its functionality is known. For example, a remote
administration tool can be used for the maintenance of the equipment or for
connection from another computer, but it could also be installed by an attacker to
gain access without the consent of the user, to spy, to extract sensitive
information, etc.

• Suspicious files detected heuristically: the heuristic method is one of the methods
used by antivirus applications to detect malicious code, based on similarity of
code, indications and 'strange' behaviours similar to those of other already known
viruses. Nevertheless, there is no certainty that code detected by this method is
really malicious, and it can produce false positives.

4.2.1 Evolution of the incidence of malware

As anticipated in Table 13, at the date of the study, 48.4% of the equipment of the small
and micro Spanish companies is compromised, hosting at least one malicious code file
(Figure 35). This represents an increase in the level of infection of 8.4 percentage
points from 2008.

The data also confirm that the companies are not immune to the proliferation of malware
that domestic equipment also suffers 37, although it is true that the presence of
malicious code in Spanish homes surpasses that detected in the companies (in February
2009, 63.8% of the 6,347 domestic computers analyzed online contained some manifestation
of malware).

Figure 35: Annual evolution of the level of incidents in the equipment of the companies
after carrying out the security audit (%)

State of the equipment   2008   2009
Hosting malware          40.0   48.4
Not hosting malware      60.0   51.6

2008 n=265, 2009 n=622 Source: INTECO

37
INTECO (2009): Estudio sobre la seguridad de la información y la e-confianza de los hogares españoles. Available at
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/Informe_1T_2009

In the present environment, it seems that the hackers invest their resources in expanding
their pool of victims, regardless of whether the target is a home or a company. It is
logical that companies, given the potentially sensitive and business-critical information
they can store, make the protection efforts necessary to avoid becoming infected.

The detailed analysis of both values, perceived incidents and detected incidents, allows
identifying the percentage of companies that have an erroneous perception of the existence
of malicious code in their equipment. Figure 36 shows that the companies facing a
potential risk are those that are infected. In this situation are both those that think
their equipment is infected and really is (35.1%) and those that think they are clean but
are in fact infected (13.1%).

In addition, the figure also reflects the small and micro companies that, having
participated in the survey and had their equipment analyzed, are free from any type of
malicious code (15.9%).

Figure 36: Perception of the companies about the existence of malicious code in their
equipment (%)

Perception of the user / real state of the computer     %
User believes infected - Infected computer              35.1
User believes not infected - Infected computer          13.1
User believes not infected - Not infected computer      15.9
User believes infected - Not infected computer          31.3
User doesn't know about infection - Infected computer    2.3
User doesn't know about infection - Not infected computer 2.3

n=527 Source: INTECO

4.2.2 Typology of the detected malicious code

The types of malware with the greatest incidence in the audited computers are trojans
(27.8%), unwanted advertising software (23.2%) and tools (19.6%). This order, trojans in
first place, followed by unwanted advertising software (adware) and tools, repeats the
tendency observed month after month when remotely analyzing more than 6,000 computers of
the INTECO home panel 38.

The explanation for the relevance of these particular types of malicious code lies in the
lucrative purpose of the malware industry at the present time. Trojans and adware are the
categories that offer the greatest return on investment to their creators: the first
because they are related in many cases to electronic fraud, and the second because they
provide advertising income to their authors.

The high presence of tools (19.6%) could be explained by some malware detections being due
to programs intentionally installed by the system administrators themselves, or by the
users of the equipment, to carry out administrative tasks on them (of the type of
utilities to shut down the computer remotely, programs to hide windows, etc.).

Figure 37: Equipment of the companies that hosts malware according to typology of
malicious code (%)

Typology of malicious code        % of equipment
Trojans                           27.8
Undesired advertising software    23.2
Tools                             19.6

Heuristically detected files, worms, spyware, viruses and other malware are each present
in fewer than 6% of the audited equipment.

n=622 Source: INTECO

The average number of malicious files per equipment (Table 14) amounts to 4.6, with
special weight of tools (1.6 files per infected computer) and trojans (1.4).

38
Op. cit. 37

Table 14: Average number of infected files by category

Types of malicious files                    February to July 2009
Tools                                       1.6
Trojans                                     1.4
Unwanted advertising software (adware)      1.3
Suspicious files detected heuristically     0.1
Worms                                       0.1
Spy programs                                0.0
Virus                                       0.0
Others                                      0.1
Total sample                                4.6

Number of equipment that hosts malware n=301 Source: INTECO

4.2.3 Diversification of the detected malicious code

In order to determine the degree of diversification of malware, the number of detections
of each of the identified malicious codes is analyzed, as well as to what extent each is
present in the equipment.

The data are collected in Table 15. In the 622 security audits applied to as many
computers, 1,381 malicious files with 963 unique variants have been identified (that is to
say, distinct malware codes).

The data confirm the high level of diversification of malicious code: of all the files
detected in the scan, each detected unique variant would appear (hypothetically) in only
1.4 files.

Table 15: Total number of malicious files, unique variants of malware and index of
repetition

Analyzed variable                                      Real data
Number of malicious files                              1,381
Unique variants of malware                             963
Index of repetition of each unique variant of malware  1.4

Source: INTECO

It is analyzed next to which categories of malicious code this volume of unique variants
belongs.

Of the total of detected unique variants, most correspond to trojans (35.1%) and tools
(32.6%), and somewhat more than a quarter are manifestations of unwanted advertising
software (26.9%). That is to say: trojans are not only the type of malware most present in
the scanned equipment, but also the category that accumulates the most unique variants,
which makes their detection difficult.

Figure 38: Distribution of the categories of malicious code (%)

Category of malicious code        % of unique variants
Trojans                           35.1
Tools                             32.6
Undesired advertising software    26.9
Spyware, worms and other           5.4 (combined)

Number of unique variants of malware n=963 Source: INTECO

Of the detected unique variants, more than two thirds appear in a single machine: these
are single detections of unique variants.

The analysis is shown in Figure 39, and it confirms the high level of diversification and
heterogeneity of malware: of the 963 unique variants of malware identified in the analyzed
equipment, 678 are detected on a single occasion, and 231 on two occasions.

Figure 39: Number of detections of each unique variant of malware

Detections per variant   Number of unique variants
1 detection              678
2 detections             231
3 detections              36
4 detections               7
5 detections               5
6 detections               2

Number of unique variants of malware n=963 Source: INTECO

The data presented in this chapter show the significant volume of variants of malicious
code that the hackers create, through the constant modification of their code, with the
objective of making detection difficult. This becomes the main obstacle to the
effectiveness of antimalware solutions based on recognizing the specimen in order to apply
the corresponding vaccine.

Indeed, the speed with which new variants of malware are created calls into question the
infallibility of malware lists as the only method.

The malware found most frequently in the equipment of the Spanish companies participating
in the study is listed in Table 16, according to the classification of its metadata 39.
The two most frequent detections, Generic and Agent, have generic denominations, the
result of applying heuristic methods.

39
The family identifier is understood as the semantic metadata; for example, for the metadata Win32.Bagle.AE the family
would be Bagle. Heuristic detections are excluded from the classification, since many really different variants can be
grouped by heuristics under the same name.

Table 16: TOP-5 of types of malware found according to metadata, by number of equipment
that hosts it

Type of malware found   Number of equipment
Generic                 66
Agent                   62
MyWebSearch             55
Small                   26
Gator                   16

Source: INTECO

4.2.4 Danger presented by malicious code and equipment risk

Starting from the number of detected unique variants, four risk categories have been
defined that allow a level of danger to be established for the equipment of the
participating companies. For their construction the following criteria have been used:

• High risk: this category includes the specimens that, potentially, allow remote access
by an attacker to the victim system; can cause economic damage to the user; facilitate
the capture of confidential or sensitive information of the victim; are used as
stepping stones to attack other equipment (which can carry legal consequences for the
victim); or undermine the performance and functionality of the system, erasing files,
slowing down the equipment, closing windows, etc.

On the basis of these criteria, trojans, telephone diallers, keystroke recorders
(keyloggers), viruses, worms, rootkits, exploits and macros are classed as high-risk
malware variants.

• Medium risk: here are included specimens that, although they have an unwanted impact on
the system, do not noticeably harm its performance: they open unwanted windows when
browsing; they embed advertising in legitimate web pages that really do not contain
advertising; they facilitate the capture of information about the victim (for example,
browsing patterns to create profiles for targeted advertising, etc.).

The categories considered in this type of risk are unwanted advertising software
(adware), spy programs (spyware), heuristic detections and sequences of malicious
commands (scripts).

• Low risk: here are included the manifestations that have the least effect on the
equipment. These are tools used for hacking (for example, port scanning, Ethernet
address modifiers 40, etc.). In most cases they are tools installed deliberately by the
user, to list and kill processes, or to connect remotely to their own equipment, etc.
On the other hand, joke programs are also considered low-risk specimens (for example,
those that display a window that moves and is impossible to close with the mouse), as
are viruses exclusive to mobile platforms, since these are not able to execute on the
users' machines.

For the purposes of the study, tools 41, jokes and malware hosted on the computers but
oriented to other devices (mobile phones, PDAs) are considered low-risk malware.

• No risk: equipment where no malware is detected.

This is a generic classification and, as such, it is subject to an error margin 42 and to
a bias that originates not only from the generalization into categories on the basis of
the criteria described, but also from the equipment of the companies themselves. For
example, a telephone dialler will in fact be of null risk for a machine that does not have
a conventional modem for the basic telephone network, since as a rule ADSL routers do not
have the possibility of making calls; nevertheless, in the classification explained
above, diallers are considered high risk, due to their potential economic impact on the
victim.

Starting from this risk classification, and according to the data coming from the scan of
the equipment, 31.4% of the equipment analysed had been infected by malware considered
highly dangerous. 11.9% were infected by medium-risk malware and 5.1% by low-risk
malware. The remaining 51.6% were uninfected computers and therefore without risk.

40
Ethernet address is understood as the address that identifies our network device on a local network.

41
Malware of the "tool" type may have a variable risk depending on whether it has been deliberately installed by the
legitimate user of the computer or by a third party without their knowledge. Therefore, when calculating the indicator, the
low risk level is applied by default, although in some circumstances a tool could be classified as high risk.

42
A risk assessment of the samples by manual analysis of the 963 variants, while more rigorous, would be excessively slow and
costly. Given that the properties of the various categories of malware studied follow a Gaussian distribution, the global
deviation from adopting a generic approach is insignificant in statistical terms.

Figure 40: Distribution of the equipment by risk level (%)

No Risk   51,6
Low        5,1
Medium    11,9
High      31,4

n=622 Source: INTECO

This classification is logical, given the high presence among the equipment of trojans,
which are all considered high-risk malware. The analysis is carried out on the
equipment, not on the malicious code itself. That is, a computer infected with one
high-risk file and one medium- or low-risk file will always be included in the high-risk
group.

In fact, the analysed computers display multi-infection patterns with a high incidence
of trojans. This causes the high-risk value to prevail over the others, which does not
mean that medium- and low-risk threats are not widespread as well; it is worth
remembering, for example, that tools, the third most frequently detected category on
the equipment, are catalogued as low-risk malware.
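As an added illustration of the per-computer rule just described (this is example code written for this page, not part of the INTECO study or its scanning tooling), the following Python script derives a computer's risk level as the highest level among the files detected on it, applies the footnote 41 convention that tools default to low risk unless a third party installed them, and computes the resulting distribution over a constructed set of scan results. The mapping of categories to risk beyond trojans, diallers, tools, jokes and mobile-only malware is an assumption (the page does not list the study's medium-risk categories), and the sample scans are constructed data.

```python
"""Per-computer malware risk level, as added example code for this page (not
part of the INTECO study). Rule from the text: a computer's level is the highest
level among the malicious files found on it; a clean computer is 'none'."""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Ordering used to pick the highest level present on a computer.
RISK_ORDER: Dict[str, int] = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Category -> risk level. Trojans and diallers are high; tools, jokes and
# malware aimed at mobile platforms are low, as the text states. The study's
# medium-risk categories are not listed on this page, so "medium_sample" is a
# constructed placeholder category, not one of the study's own.
CATEGORY_RISK: Dict[str, str] = {
    "trojan": "high",
    "dialler": "high",
    "tool": "low",
    "joke": "low",
    "mobile_only": "low",
    "medium_sample": "medium",
}


class Detection(NamedTuple):
    category: str
    user_installed: bool = True  # only consulted for tools (footnote 41)


def file_risk(det: Detection) -> str:
    """Risk level of one detected file.

    Tools default to low risk, but a tool that the legitimate user did not
    install deliberately is raised to high (footnote 41 of the study).
    """
    if det.category not in CATEGORY_RISK:
        raise ValueError(f"unknown malware category: {det.category!r}")
    if det.category == "tool" and not det.user_installed:
        return "high"
    return CATEGORY_RISK[det.category]


def equipment_risk(detections: Iterable[Detection]) -> str:
    """Risk level of a computer: the highest level among its detections, so a
    high-risk file beside a low-risk one yields 'high'; no detections yields
    'none'."""
    return max((file_risk(d) for d in detections),
               key=RISK_ORDER.__getitem__, default="none")


def risk_distribution(scans: Dict[str, List[Detection]]) -> Dict[str, float]:
    """Share (%) of computers at each risk level, rounded to one decimal."""
    total = len(scans)
    if total == 0:
        return {level: 0.0 for level in RISK_ORDER}
    counts = Counter(equipment_risk(dets) for dets in scans.values())
    return {level: round(100.0 * counts[level] / total, 1) for level in RISK_ORDER}


# Constructed scan results for eight computers (not data from the study).
SAMPLE_SCANS: Dict[str, List[Detection]] = {
    "pc01": [Detection("trojan"), Detection("tool")],        # high beats low
    "pc02": [Detection("tool")],                              # deliberate tool: low
    "pc03": [],                                               # clean: none
    "pc04": [Detection("joke"), Detection("mobile_only")],    # low
    "pc05": [Detection("tool", user_installed=False)],        # planted tool: high
    "pc06": [Detection("medium_sample"), Detection("joke")],  # medium beats low
    "pc07": [],                                               # clean: none
    "pc08": [Detection("dialler")],                           # high by convention
}

if __name__ == "__main__":
    for name, dets in SAMPLE_SCANS.items():
        print(f"{name}: {equipment_risk(dets)}")
    print(risk_distribution(SAMPLE_SCANS))
```

The distribution function counts computers, not files, which is exactly why a population with many multi-infected machines (as the text describes) shows a large high-risk share even when most individual detections are low-risk tools.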

4.2.5 Factors influencing the infection status of the equipment

This chapter analyses whether factors such as the operating system of the equipment or
the presence of antivirus programs influence the real incidence of malware.

Regarding the type of operating system, there is currently an unequal penetration of
malicious code across operating systems, with a greater presence of malware on
Windows equipment than on computers with another operating system. This is partly
because Windows is the platform with the largest number of users. That is, the fact that
Linux and Mac show far lower infection levels than Windows does not mean they are
absolutely invulnerable. Simply, the hackers, when developing malicious code, write it
for the most widespread platform on the market.

What about antivirus programs? Does having antivirus guarantee the absence of
malware on the equipment? Figure 41 shows the comparative analysis of the risk level
of the equipment depending on whether or not antivirus is present. Two conclusions can
be drawn:

• Having antivirus helps reduce the risk level of the equipment: 46.3% of computers
without antivirus show a high risk level, compared with 31.9% of computers with this
tool.

• Installing antivirus does not make the equipment invulnerable, since infections
continue to exist on computers with antivirus. Antivirus-type security solutions help
with prevention, but they do not guarantee the absence of infections.

Figure 41: Risk level of the companies' equipment according to antivirus use (%)

                        No Risk   Low   Medium   High
Uses antivirus             49,9   5,3     12,9   31,9
Doesn't use antivirus      39,0   7,3      7,3   46,3

Equipment with antivirus n=551; Equipment without antivirus n=41 Source: INTECO

In addition, an analysis of the average number of malicious files depending on whether
antivirus is present gives the following result: equipment without antivirus hosts an
average of 4.5 malicious files, whereas equipment with antivirus contains 2.2. In fact,
antivirus tools are just one more layer of security against malicious code, but they do
not, on their own, constitute the definitive solution against malware.

Antivirus programs, which are absolutely necessary, cannot on their own prevent all
infections, since the intense production of malware in some cases prevents antivirus
laboratories from identifying all threats unambiguously.

5 SECURITY OF MOBILE AND WIRELESS
COMMUNICATIONS IN THE SMALL AND
MICRO COMPANIES

One of the main advantages associated with wireless technologies is their contribution
to the mobility of communications. This requires small, easily transported devices that
allow users to take advantage of the connectivity these technologies offer.

This has meant a greater presence of laptops in Spanish small and micro companies. In
the present study, 51.4% of the surveyed organisations have one, with 47.6%
penetration in micro companies and 72.9% in small companies.

5.1 Security in advanced mobile devices

Mobile devices have gone from being simple terminals for voice transmission to
complex devices or smartphones that run applications, have an operating system,
transmit data and/or e-mail and are able to store information. Some examples, on their
different technology platforms, are: Windows Mobile, BlackBerry, Symbian, Palm,
Android or the iPhone itself.

All these new functions turn them into small personal computers, which is why they
also inherit the risks associated with them: malware, loss of information, etc.

Therefore, the study has incorporated an analysis of the degree of adoption of
advanced mobile devices in Spanish organisations, the security incidents experienced
and the security measures adopted on them.

33.5% of the micro and small companies have some type of advanced mobile device
(PDA, BlackBerry, 3G mobile phones, etc.). Of these, 80.6% have Bluetooth or Wi-Fi,
compared with 15.3% that do not and 2.8% that do not know whether their device has
this technology.

Figure 42: Advanced mobile devices present in the companies (%)

Do not have an advanced mobile phone                              66,5
Have an advanced mobile phone                                     33,5
   Have a phone with Bluetooth or Wi-Fi                           27,3
   Have a phone without Bluetooth or Wi-Fi                         5,2
   Have a phone and don't know if it has Bluetooth and/or Wi-Fi    1,0

n=2,206 Source: INTECO

Among the organisations that have a terminal with Bluetooth or Wi-Fi, the most
frequent habit is to switch it on only when it is going to be used (37.8%). Other
companies state that they always keep it switched on and visible (30.1%), and 13.6%
that, even with it switched on, they keep it hidden (Figure 43).

Cases of non-use of this technology are also identified, such as companies that do not
use it and acknowledge that they do not have it activated (10.8%) and others that do
not even know its state or whether they have it (7.7%).

Figure 43: Habits of use of Bluetooth in the advanced mobile devices of the companies (%)

Turning it on when using it and turning it off when not using it   37,8
Having Bluetooth always on-line                                    30,1
Having Bluetooth always on-line but with the device in hidden mode 13,6
Don't use Bluetooth and have it off-line                           10,8
Don't use Bluetooth and don't know if it is on-line or off-line     7,7

n=738 Source: INTECO

The security measure most adopted by companies for these devices is the use of a
four-digit PIN or security code required before the device can be switched on (91.2%),
followed by a password to unlock it after a period of inactivity (42%). Backup of the
contacts or other information stored on the device is a measure used by 40% of the
companies that have advanced mobile phones.

In fact, the use of at least one of the measures is almost universal: only 3.9% of the
organisations state that they use none or do not consider it necessary.

Figure 44: Security measures installed/used in the advanced mobile devices of the
companies (%)

4-digit PIN/Security code                 91,2
Inactivity unlocking password             42,0
Contacts / other data backup              40,0
Antivirus software                        11,5
Don't use it, don't consider it a need     3,9

n=738 Source: INTECO

Finally, of all the companies that have advanced mobile devices, only 7% state that
they have experienced some type of incident. Of these, the majority originate in the
theft or loss of the device (46.5% and 55.8%, respectively). Also, 17.3% of the
companies indicate that they have had security problems due to viruses or malware,
and 5.8% have suffered some type of fraud through the mobile phone.

5.2 Security in wireless connections

Among the Spanish small and micro companies participating in the study, 38.1% state
that they have a wireless network (Wi-Fi).

As INTECO recommends in its Guide to protecting your company's Wi-Fi wireless
network 43, these companies must take certain measures into consideration to reduce
the risk of a security incident in their business, as a prior step to installing a wireless
network and in order to secure wireless Internet access. They are:

• The use of security protocols that encrypt the connection on the basis of a
password, applied by 81.8%. This measure guarantees that both access to the network
and the communications between devices are protected. The two most common
systems for securing access to the network are the WEP (Wired Equivalent Privacy) 44
and WPA (Wi-Fi Protected Access) 45 protocols.

43
INTECO (2009): Guía para proteger la red inalámbrica Wi-Fi de su empresa. Available at
http://www.inteco.es/Seguridad/Observatorio/manuales_es/GuiaManual_wifi_pymes

• Hiding the access point, which 19% of the organisations do. This prevents the
network name from being broadcast, so that anyone wishing to connect to it can only do
so if they know the SSID (Service Set Identifier), the code included in all the packets of
a wireless network that identifies them as part of that network.

• MAC address filtering, carried out by 14.9% of the surveyed companies. The MAC
address is a unique identifier of the network devices of the equipment (network card,
mobile phones, PDA, router).

• Other measures, carried out by 0.7% of the organisations. Among them: changing the
router's local network IP address, authenticating the people who connect to the
network, or switching off the router or access point when the wireless network is not in
use.
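To show how the measures in this list translate into an access-point configuration (an added example written for this page, not code from INTECO's guide or the study), the following Python script audits a hostapd-style configuration: it detects an open network, WEP, or WPA with the older TKIP cipher, checks the pre-shared passphrase length, and reports whether SSID hiding and MAC filtering are enabled, treating those two as complements to encryption rather than substitutes for it. It goes slightly beyond the text in naming WPA2 with CCMP (AES) as the corrected setting. The two embedded configurations are constructed samples; the option names used (wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, wpa_passphrase, wpa_psk, wep_default_key, wep_key0, ignore_broadcast_ssid, macaddr_acl, accept_mac_file) are real hostapd options.

```python
"""Audit of a hostapd-style Wi-Fi access-point configuration against the
measures discussed in the text. Added example for this page, not code from
INTECO's guide. The two configurations below are constructed samples."""
from typing import Dict, List


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; blank lines and '#' comments are ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def encryption_level(cfg: Dict[str, str]) -> str:
    """Classify link protection: 'wep', 'open', 'wpa-legacy' or 'wpa2-ccmp'.

    hostapd's 'wpa' option is a bit field (1 = WPA, 2 = WPA2/RSN, 3 = both);
    anything other than WPA2-only, or any TKIP cipher offered, is 'wpa-legacy'.
    """
    if "wep_key0" in cfg or "wep_default_key" in cfg:
        return "wep"
    wpa = cfg.get("wpa", "0")
    if wpa == "0":
        return "open"
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    if wpa != "2" or "TKIP" in ciphers:
        return "wpa-legacy"
    return "wpa2-ccmp"


def audit(cfg: Dict[str, str]) -> List[str]:
    """Return findings, most serious first; an empty list means nothing to fix."""
    findings: List[str] = []
    level = encryption_level(cfg)
    if level == "open":
        findings.append("no encryption: set wpa=2, wpa_key_mgmt=WPA-PSK, "
                        "rsn_pairwise=CCMP and a wpa_passphrase")
    elif level == "wep":
        findings.append("WEP in use: the weakest option; replace it with WPA2 "
                        "(wpa=2, rsn_pairwise=CCMP)")
    elif level == "wpa-legacy":
        findings.append("WPA1 and/or TKIP offered: restrict to wpa=2 with "
                        "rsn_pairwise=CCMP")
    else:
        # WPA2-PSK needs an 8-63 character passphrase unless a raw wpa_psk is given.
        psk_mode = "WPA-PSK" in cfg.get("wpa_key_mgmt", "WPA-PSK")
        if psk_mode and "wpa_psk" not in cfg and not 8 <= len(cfg.get("wpa_passphrase", "")) <= 63:
            findings.append("wpa_passphrase missing or outside the 8-63 character range")
    # The two measures below complement encryption; they are not substitutes.
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast: optionally set ignore_broadcast_ssid=1 "
                        "so the network name is not announced")
    if cfg.get("macaddr_acl", "0") != "1":
        findings.append("MAC filtering off: optionally set macaddr_acl=1 with an "
                        "accept_mac_file listing the allowed devices")
    return findings


# Constructed sample: WEP-protected network with no other measures.
WEAK_CONFIG = """
interface=wlan0
ssid=OfficeNet
hw_mode=g
channel=6
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: WPA2/CCMP plus the two complementary measures.
HARDENED_CONFIG = """
interface=wlan0
ssid=OfficeNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Example-Passphrase-Change-Me
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {encryption_level(parse_hostapd(text))}")
        for finding in audit(parse_hostapd(text)):
            print("  -", finding)
```

The ordering of findings mirrors the text's own priorities: encryption first, because hiding the SSID and filtering MAC addresses only limit who notices or can associate with the network, while the encryption protocol is what protects the traffic itself.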

Figure 45: Security measures in place on the companies' wireless networks (%)

Encryption (WEP/WPA)     81,8
Hiding access point      19,0
MAC address filter       14,9
Other                     0,7

n=840 Source: INTECO

44
It was the first cipher associated with 802.11. It uses a symmetric key. It is considered the least secure of all because it
is easy to break, provided the person attempting it has adequate computer skills.

45
This protocol was originally designed as an authentication protocol to overcome the weaknesses of WEP encryption.
Although its key length is shorter than that of WEP, the encryption method is more robust.

Of the companies that have a wireless network, 4.4% are certain that they have
suffered bandwidth theft (see Table 17), compared with 89.7% that have not.

Table 17: Certainty of having suffered Wi-Fi theft, according to company size (%)

Employees        Yes     No   Does not know   Does not answer
Less than 10     4,0   89,6       5,8              0,6
From 10 to 49    6,7   89,6       2,2              1,5
Total Sample     4,4   89,7       5,2              0,7

n=840 Source: INTECO

Only 2.6% of the organisations state that they access the Internet through some
network detected from the company premises. The main risk of this practice is
connecting to networks that are unauthenticated or open. In the case of unauthenticated
networks, the risk comes from the impossibility of knowing the physical origin of a
potential fraudulent action on the Internet; whereas in the case of connecting to open
networks, the risk is that the information the companies exchange with the outside
could travel in the clear and, therefore, be freely accessible to hackers.

6 CONSEQUENCES, REACTIONS AND RESPONSES
TO SECURITY INCIDENTS IN THE
SMALL AND MICRO COMPANIES

6.1 Consequences of security incidents

In the opinion of the companies that have declared having suffered some security
incident, the greatest consequence faced is the loss of working time (54.9%).

Other significant consequences are connection/network problems and the loss of files
and data, options mentioned by 26.1% and 20.1% of the companies respectively.

There are 20.6% of companies that have not experienced any consequence of
importance, and 17.1% that do not know what consequences the security incident had
for their company.

Figure 46: Consequences derived from security incidents (%)

Loss of working time (hours)          54,9
Connection/Network problems           26,1
Loss of files and data                20,1
Damages in my computer (hardware)     14,2
Loss of trust in electronic devices    8,8
Business image/reputation damages      2,0
Fines or penalties                     1,1
Fraud with an economical damage        1,0
Other                                  2,5
None important situation              20,6
Don't know                            17,1

Organizations that have undergone some incidence n=1,708 Source: INTECO

A comparative analysis allows the Spanish situation to be contrasted with international
data. It is interesting to observe that each of the consequences is perceived to a greater
extent in the international sphere than in Spanish companies.

Figure 47: International comparison of companies according to the consequences
derived from the security incidents suffered (%)

                                    Spain   International
Connection/Network problems          26,1     65,5
Loss of files and data               20,1     52,9
Damages in my computer (hardware)    14,2     32,6
Business image/reputation damages     2,0     22,7
Fines or penalties                    1,1     11,9
Fraud with an economical damage       1,0     19,6

Spain n=1,708, International n= 2,217 Sources: INTECO (2009) and GSISS-PwC (2009)

The impact of a security incident is analysed next from the point of view of time, of
economics and of image.

In line with what Figure 46 reflected, the companies consider lost time the most
relevant effect for the business. Thus, nearly 70% of the companies consulted consider
that security incidents have had some type of impact (high, medium or low) in terms of
the time spent.

Other types of analyzed effects are:

• Economic losses, considering as such possible fines, loss of clients, etc. 69% of the
companies state that security incidents have not affected them at all at the economic
level, compared with 31% that consider there has been a monetary impact.

• Negative effects on the image of the company, which can entail a loss of confidence
in the market. 73.8% of the companies consider that the incidents have had no impact
on their image. 26.2% acknowledge that there has been an effect in this sense, although
most of them consider the level of impact low.

Figure 48: Level of impact suffered by the companies from different points of view (%)

                               Without impact    Low   Medium   High
Entity image point of view               73,8   18,9      5,3    2,0
Other impacts                            73,3   18,4      6,0    2,3
Economical point of view                 69,0   22,5      6,8    1,7
Invested time point of view              31,9   33,5     24,6   10,1

n=1,708 Source: INTECO

The data analysed so far allow us to conclude that companies are not associating the
security incidents they have suffered with possible economic losses or effects on
corporate image. The only consequence valued to any degree is the impact on time.
The difference in consideration between the economic impact and the time impact is
surprising since, in reality, a loss of time entails a monetary loss.

The international analysis offers a different picture from the Spanish one, as Figure 49
shows. Companies with fewer than 100 employees at international level weigh the
economic repercussion derived from the incident more than the mere loss of time.
Thus, while 69% of Spanish companies state that there is no monetary impact of any
kind on the business, only 7.6% of the organisations at international level make this
claim.

Two methodological aspects must be considered when interpreting the results:

• The different size of the companies making up the sample in each case means that
they are not exactly comparable (companies of 1 to 49 employees in the case of Spain,
whereas at international level the organisations have up to 100 employees).

• In Spain the surveyed companies described the economic impact experienced as
null, low, medium or high, without associating an objective amount with each of the
four answer options. At international level, however, the impact was considered low
when the economic damage was less than ten thousand dollars, medium when the
damage was between ten thousand and one and nine hundred ninety-nine thousand
nine hundred ninety-nine dollars, and high for any value above one million dollars.

Figure 49: International comparison according to the level of impact suffered by the
companies as a result of a security incident (%)

                        Spain   International
Time lost
  Without impact         31,9     39,6
  Low                    33,5     43,8
  Medium                 24,6     13,9
  High                   10,1      2,7
Economical terms
  Without impact         69,0      7,6
  Low                    22,5     62,1
  Medium                  6,8     27,6
  High                    1,7      2,8

Spain n=1,708, International n=2,217 Sources: INTECO (2009) and GSISS-PwC (2009)

6.2 Reactions of the companies to security incidents

Faced with a security incident, the companies respond by installing or updating a
security tool (42.9%), making backups of their files (24.6%) or changing passwords
(20.7%). These are the most frequently mentioned reactions.

There are also 30.9% of companies that make no change in their security habits after
experiencing an incident.

Figure 50: Changes of habits in the companies due to a security incident (%)

Installing/Upgrading applications/tools              42,9
Beginning to make backups                            24,6
Changing of passwords                                20,7
Consulting an expert and contracting an audit        14,1
Not using Internet services any more                  5,4
Other                                                 4,0
No changes in my habits                              30,9

n=1,708 Source: INTECO

It is analysed next whether the reaction adopted by the owner of the company differs
depending on the type of incident suffered. For this, the companies that state they have
experienced each of the incidents analysed in chapter 4 (that is, viruses, spam, spyware,
trojans, technical failures, data theft, fraud and DDoS) have been cross-referenced with
the action taken in each case.

Thus, a greater level of response is observed for the most serious incidents. Before
drawing conclusions from this figure, the reader must bear in mind that the base for
each of the security incidents declared by the companies is small.

For example, among the companies that experienced a DDoS (n=32), 62.5% installed
security tools (compared with 42.9% overall) and fewer than 10% remained inactive
(compared with 30.9% of the companies that, overall, stated that they made no change
in their habits).

Figure 51: Method used by the companies to solve incidents in relation to the type of
incident suffered (%)

[Grouped bar chart by incident type: Viruses (n=1085), Spam (n=1394), Spy SW (n=334),
Trojans (n=479), Technical failures (n=502), Data thefts (n=102), Fraud (n=103),
DDoS (n=32). Series: Installing/Upgrading applications/tools; Beginning to make
backups; Changing of passwords; Consulting an expert and contracting an audit; Not
using Internet services any more; No changes in my habits.]

Source: INTECO

6.3 Response of the companies to security incidents

To conclude this chapter, the method the companies use to solve security incidents is
analysed.

Figure 52: Method used by the companies to solve incidents (%)

Solved by internal personnel            29,1
Locating an external security expert    25,5
Calling a technical service             23,3
Calling the IT provider                 16,9
Calling a mate with knowledge            3,7
Other                                    1,2
Nothing done                             0,3

n=1,708 Source: INTECO

29.1% acknowledge that incidents are solved thanks to the intervention of the
companies' own personnel, while 65.7% of the cases resort to specialised external
services, whether a security expert (25.5%), a technical service (23.3%) or the local IT
systems supplier (16.9%).

In this case too, it was considered advisable to analyse whether the resolution method
used bears any relation to the incident suffered 46.

Figure 53: Method used by the companies to solve incidents in relation to the type of
declared incident (%)

                              Internal   External     Technical   IT         Mate with
                              personnel  sec. expert  service     provider   knowledge
DDoS (n=32)                      72,4       10,3        10,3        3,4         3,4
Fraud (n=103)                    44,9       17,3        15,3       20,4         2,0
Data thefts (n=102)              33,7       27,6        24,5        9,2         5,1
Technical failures (n=502)       29,5       27,9        24,5       13,5         4,6
Trojans (n=479)                  36,0       26,2        21,6       11,1         5,0
Spy SW (n=334)                   38,3       20,9        19,9       15,6         5,3
Spam (n=1394)                    29,9       24,1        24,3       18,2         3,6
Viruses (n=1085)                 30,0       26,0        22,7       16,8         3,9

Source: INTECO

46
As a clarification, for the construction of Figure 61 only the responses relating to the use of internal/external personnel
(1,661) have been taken into account, excluding the responses: nothing done (5), other (20) and does not answer (22). The
percentages have therefore been recalculated over the methods carried out by staff both of the company and outside it.

7 E-CONFIDENCE IN SMALL AND MICROCOMPANIES

e-Confidence determines the acceptance, familiarity and security with which the
companies approach the adoption of Information Society services.

Three variables are used to measure it:

• First, the level of use of certain online services by the small and micro companies
is analysed. In particular, the services habitual in the business context have been
considered: purchases from suppliers, sales over the Internet, transactions with the
Public Administration, sending company information over the Internet, electronic
banking services, payments via PayPal and use of the electronic signature.

• Second, among the companies that state they use each of the services, the declared
level of confidence that the service offers them is measured.

• Finally, the companies that state they do not trust the analysed services identify the
reasons behind their distrust, which translate into brakes and barriers to adoption.

From the joint analysis of this information a diagnosis of the current situation is
extracted and conclusions are outlined that can guide future lines of action.

Figure 54 shows the percentage of companies that use the services. Electronic
banking stands out, used by 84.2% of the studied organisations. Also used to a
considerable extent are the sending of company information over the Internet by e-mail
or web forms (59.9%), transactions with the Public Administration (57.2%) and the use
of the electronic signature (50.2%).

Purchase and sale services over the Internet are also used to a considerable extent by
the small and micro companies (41% and 40.6% respectively), as are Internet payment
services (such as PayPal, Google Checkout, Amazon Payments or similar), used by
41.5%.

Finally, the electronic invoice, with an overall usage rate of 8%, is the resource with the
smallest presence among the companies participating in the study.

Figure 54: Use of electronic services through the Internet by the companies (%)

                                 Yes     No
Use of electronic bank          84,2   15,8
Web forms sent by e-mail        59,9   40,1
Public Administration steps     57,2   42,8
Use of electronic signature     50,2   49,8
Payments over the Internet      41,5   58,5
Providers Purchasing            41,0   59,0
Client Sales                    40,6   59,4
Use of Electronic Bill           8,0   92,0

n= 2,206 Source: INTECO

Figure 55 offers a comparison of the Spanish situation with the European one 47,
distinguishing in turn between EU 15 and EU 27. Note that, to facilitate comparison
with the European data, only the subsample of small companies (those with between
10 and 49 employees) has been considered. This explains why the data do not agree
with those shown in the previous figure, which shows the overall level of use.

The results are very positive: in five of the eight analysed services the level of use by
Spanish companies of between 10 and 49 employees exceeds the European figure.
These are, in particular, the use of electronic banking, transactions with the public
administrations, the use of the electronic signature, purchases and, finally, online sales.
These activities are adopted to a greater extent by Spanish companies than by their
European counterparts. The adoption of the electronic signature stands out especially,
where Spanish small companies exceed the European ones by more than 40 points.

Among the services adopted to a greater degree by European companies are the use
of the electronic invoice, the use of company websites as a sales channel and the
possibility of accepting payments over the Internet.

47
Eurostat (2008): ICT usage by enterprises 2008. Available at http://www.eds-estatis.de/de/downloads/sif/qa_08_048.pdf

Figure 55: European comparison according to the use of services through the Internet
by the companies (%)

[Grouped bar chart for Spain, UE 15 and UE 27. Series: Use of electronic bank; Public
Administration steps; Use of electronic signature; Providers Purchasing; Client Sales;
Use of Electronic Bill; Use of web as a Sales channel; Payments over the Internet.]

Spain n=329, Europe n=67,303 Sources: INTECO (2009), Eurostat (2008)

In general, the reading is positive: taking the level of use as the clearest indicator of the
confidence a company shows in an online service, it can be concluded that
e-confidence is at healthy levels.

7.1 e-Confidence in the Information Society

The following section analyses the level of confidence that the companies declare
towards each service in question. To facilitate interpretation, the analysis has been
structured in four blocks, corresponding to four types of service:

• Transactions with the Public Administrations.

• Electronic commerce activities proper.

• Electronic banking operations.

• Sending of personal data and electronic signature.

7.1.1 e-Confidence in procedures with the Public Administration

In recent years, the Internet has become an essential tool for companies, insofar as it
streamlines many of their procedures. One of the services that has contributed most to
convenience and ease of management is the growing possibility of carrying out
transactions with the Public Administration online: more and more habitual procedures
with the Social Security, the Tax Agency, etc. can be carried out through the Network.

In global terms, 57.2% of the companies carry out these procedures, and size favours
their adoption: 73.8% of the companies with 10 to 49 employees acknowledge using
this service, compared with 54.3% of the micro companies.

In the confidence analysis it is very significant that 90% of companies show much or enough confidence in these operations. No significant differences by size are observed: whether small companies or microcompanies, Spanish companies clearly trust carrying out procedures with the Public Administration over the Internet.

Table 18: Degree of confidence of companies when carrying out procedures with the Public Administration over the Internet, by company size (%)

Size             % that do it   Much   Enough   Neither much nor little   Little   None
Less than 10     54.3           39.4   50.5     6.6                       2.2      1.3
From 10 to 49    73.8           41.7   48.8     6.3                       2.4      0.8
Total sample     57.2           39.9   50.2     6.5                       2.3      1.2

n=1,261 Source: INTECO

Companies that show little or no confidence in carrying out procedures with the Public Administration over the Internet either continue to trust traditional mechanisms more (65.1%) or do not consider it secure (32.6%). Note, in any case, that the calculation base is so small (n=43) that conclusions must be drawn with caution.

Figure 56: Reasons why companies trust little or not at all when carrying out procedures with the Public Administration over the Internet (%)

Traditional mechanisms are more trustworthy to me: 65.1%
I don't think it is secure: 32.6%
It is strange and unknown to me: 2.3%

n=43 Source: INTECO

7.1.2 e-Confidence in electronic commerce

Beyond procedures with the Administration, companies are using the channel that the Internet opens to them for the steps of their own business. In this sense, online commerce is a clear starting point. Since companies, regardless of their size, buy from suppliers and sell to clients, to what extent do they conduct these operations over the Internet?

41.0% of companies buy from suppliers over the Internet and, here too, differences in use by size are observed: 49.1% of companies with 10 to 49 employees report buying online from their suppliers, compared with 39.6% of microcompanies.

In both cases the level of confidence is high: 82.7% of companies show much or enough confidence in carrying out these operations. Here the size factor is not so decisive in determining greater or lesser confidence: 83.5% of microcompanies trust online purchases from their suppliers much or enough, compared with 79% of small companies.

Table 19: Degree of confidence of companies when purchasing from suppliers over the Internet, by company size (%)

Size             % that do it   Much   Enough   Neither much nor little   Little   None
Less than 10     39.6           33.8   49.7     10.6                      3.5      2.3
From 10 to 49    49.1           39.1   39.9     14.9                      4.3      1.8
Total sample     41.0           34.8   47.9     11.4                      3.6      2.2

n=905 Source: INTECO

Among the 5.8% of companies that trust little or not at all in carrying out these transactions over the Internet (n=53), the reasons were explored further. Greater confidence in traditional mechanisms (66%) and the perception that it is not secure (26.4%) are the reasons most often given.

Figure 57: Reasons why companies trust little or not at all when purchasing from suppliers over the Internet (%)

Traditional mechanisms are more trustworthy to me: 66.0%
I don't think it is secure: 26.4%
It is strange and unknown to me: 7.5%

n=53 Source: INTECO

Sales to clients over the Network are made by 40.6% of the surveyed companies. In this case no notable differences are observed between companies with fewer than 10 employees (40.2% use) and those with 10 to 49 employees (43%).

In the analysis of declared confidence, once again very positive assessments are observed on the part of companies: 85% trust much or enough in making sales to clients over the Internet.

Table 20: Degree of confidence of companies when selling to clients over the Internet, by company size (%)

Size             % that do it   Much   Enough   Neither much nor little   Little   None
Less than 10     40.2           55.5   29.4     6.6                       4.4      4.1
From 10 to 49    43.0           51.1   34.8     7.8                       3.5      2.8
Total sample     40.6           54.8   30.2     6.8                       4.2      3.9

n=896 Source: INTECO

In this case, the 8.1% of companies that show little or no confidence (n=73) also do so because they trust traditional mechanisms more (52%) and because they do not consider it secure (37%).

Figure 58: Reasons why companies trust little or not at all when selling to clients over the Internet (%)

Traditional mechanisms are more trustworthy to me: 52.0%
I don't think it is secure: 37.0%
It is strange and unknown to me: 11.0%

n=73 Source: INTECO

One of the ways companies can sell online is precisely through their corporate website.

50.8% of Spanish organisations had a website at the time the survey was conducted, which is a positive evolution with respect to 2008: the AETIC/Everis study "Las Tecnologías de la Información y las Comunicaciones en la empresa española 2008" [48] shows that in that year the percentage of companies with a website was 47.1%.

[48] AETIC-Everis (2008): Las Tecnologías de la Información y las Comunicaciones en la empresa española 2008. Available at: http://www.everis.es/Images/81871%20Las%20Tecnologias%20BAJA%20WEB_tcm31-46591.pdf

This level is slightly behind the European situation: in the EU 27, 65.2% of companies have a corporate website, and in the EU 15 the percentage rises to 67.5%.

Figure 59: European comparison of companies that have a website (%)

Spain: 50.8%
EU 15: 67.5%
EU 27: 65.2%

Spain n=2,206, Europe n=67,303 Sources: INTECO (2009), Eurostat (2008)

Of all the companies that have a website, 13.9% use it as a sales channel. No relevant differences by size are observed.

Table 21: Use of the website as a sales channel, by company size (%)

Size             Yes    No     Does not know   Does not answer
Less than 10     14.1   83.7   1.1             1.0
From 10 to 49    13.1   84.3   0.0             2.5
Total sample     13.9   83.9   0.9             1.3

n=1,120 Source: INTECO

Payments over the Internet are analysed next. The general level of use is 41.5% and, here too, use is higher among companies with 10 to 49 employees (49.4%) than among companies with fewer than 10 employees (40.1%).

The degree of confidence placed in this medium remains high, although it is slightly lower than the confidence in online purchase and sale: 75.1% of the companies that make such payments grant them much or enough confidence, with no significant differences by company size.

Table 22: Degree of confidence of companies when making payments over the Internet, by company size (%)

Size             % that do it   Much   Enough   Neither much nor little   Little   None
Less than 10     40.1           43.4   30.9     9.2                       7.5      9.0
From 10 to 49    49.4           44.5   33.9     10.6                      6.7      4.3
Total sample     41.5           43.7   31.4     9.4                       7.2      8.2

n=915 Source: INTECO

Here too, the lack of confidence (n=142) is explained by greater trust in traditional mechanisms (46.5%) and by a perception of insecurity (40.1%).

Figure 60: Reasons why companies trust little or not at all when making payments over the Internet (%)

Traditional mechanisms are more trustworthy to me: 46.5%
I don't think it is secure: 40.1%
It is strange and unknown to me: 12.0%
Don't answer: 1.4%

n=142 Source: INTECO

7.1.3 e-Confidence in electronic banking operations

When analysing how widespread the use of certain services is among Spanish companies, carrying out banking operations over the Internet turns out to be the most widely used online practice in the group studied. 84.2% of companies do their banking online, with greater intensity among companies with 10 to 49 employees (93%) than among microcompanies (82.6%).

Here too the assessments are very positive: 90.3% of companies show much or enough confidence in electronic banking operations.

Table 23: Degree of confidence of companies when using electronic banking services, by company size (%)

Size             % that do it   Much   Enough   Neither much nor little   Little   None
Less than 10     82.6           38.3   52.0     5.9                       2.5      1.2
From 10 to 49    93.0           39.9   50.0     6.2                       2.9      1.0
Total sample     84.2           38.6   51.7     5.9                       2.6      1.2

n=1,857 Source: INTECO

As with the other services analysed, the main reason given by the companies for which online banking offers little or no confidence (n=69) is that they trust traditional mechanisms more (53.6%).

Figure 61: Reasons why companies trust electronic banking services little or not at all (%)

Traditional mechanisms are more trustworthy to me: 53.6%
I don't think it is secure: 42.0%
It is strange and unknown to me: 4.3%

n=69 Source: INTECO

7.1.4 e-Confidence in the electronic signature and the sending of personal data

The purpose of the electronic signature is to carry over to electronic documents the same functionality that a handwritten signature provides on a printed document, that is, to identify the author and, in the case of shared documents, to fix the content of the document by means of a copy signed by all the parties involved.

In practical terms, using an electronic signature requires technology that binds a set of keys to the identity data of the certificate holder. 50.1% of the surveyed companies use the electronic signature, with higher use among companies with 10 to 49 employees than among microcompanies (61.6% versus 48%). For 90.8% of them this operation generates much or enough confidence.

Table 24: Degree of confidence of companies when using the electronic signature, by company size (%)

Size             % that do it   Much   Enough   Neither much nor little   Little   None
Less than 10     48.1           42.3   48.5     6.3                       2.1      0.8
From 10 to 49    62.1           43.3   48.4     5.4                       1.5      1.5
Total sample     50.2           42.4   48.4     6.2                       2.0      1.0

n=1,106 Source: INTECO

Among the 3% of companies for which the electronic signature offers little or no confidence (n=33), affinity with traditional methods (60.6%), the lack of a sense of security (24.2%) and the perception that it is something strange and unfamiliar (15.2%) are the reasons holding back their confidence.

Figure 62: Reasons why companies trust the electronic signature little or not at all (%)

Traditional mechanisms are more trustworthy to me: 60.6%
I don't think it is secure: 24.2%
It is strange and unknown to me: 15.2%

n=33 Source: INTECO
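As an added illustration of the mechanism described at the start of this section (identifying the author and fixing the content of a document shared by several parties), the following Go program is example code written for this edition; it is not part of the INTECO study nor of any Spanish signature platform. It uses Ed25519 from Go's standard library instead of the X.509 certificate-based signatures used in practice, keeps each holder's identity and public key in a struct rather than in a certificate, and signs a constructed sample order; the names Signer, SignedDocument and VerifyAll and the party names are assumptions of the example. It shows the two checks a relying party needs: every required party has signed the same bytes, and any change to the content or to the claimed signer invalidates the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer stands for a certificate holder: identity data plus the key pair
// bound to it. Assumption of this example: in practice the public key and the
// identity travel in an X.509 certificate; here the verifier holds a map of
// trusted public keys per holder instead.
type Signer struct {
	Holder string
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewSigner(holder string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Holder: holder, pub: pub, priv: priv}, nil
}

// Public returns the key a verifier would take from the holder's certificate.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Signature is one party's signature over a document.
type Signature struct {
	Holder string
	Sig    []byte
}

// SignedDocument is a shared document plus the signatures of its parties.
type SignedDocument struct {
	Content    []byte
	Signatures []Signature
}

// digest binds the claimed holder to the exact document bytes, so neither the
// content nor the signer name can change without invalidating the signature.
// The length prefix keeps the holder and the content from running together.
func digest(holder string, content []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(holder), holder)
	h.Write(content)
	return h.Sum(nil)
}

// Sign appends this holder's signature over the document content.
func (s *Signer) Sign(doc *SignedDocument) {
	sig := ed25519.Sign(s.priv, digest(s.Holder, doc.Content))
	doc.Signatures = append(doc.Signatures, Signature{Holder: s.Holder, Sig: sig})
}

// VerifyAll reports whether every required party has a valid signature over
// the document, checked with the key the verifier trusts for that party. A
// missing party, a tampered document or a signature made with a key other
// than the trusted one for the claimed holder all make it return false.
func VerifyAll(doc *SignedDocument, trusted map[string]ed25519.PublicKey, required []string) bool {
	for _, holder := range required {
		pub, ok := trusted[holder]
		if !ok {
			return false
		}
		valid := false
		for _, sig := range doc.Signatures {
			if sig.Holder == holder && ed25519.Verify(pub, digest(holder, doc.Content), sig.Sig) {
				valid = true
				break
			}
		}
		if !valid {
			return false
		}
	}
	return true
}

func main() {
	supplier, _ := NewSigner("Proveedor S.L.")
	client, _ := NewSigner("Cliente S.A.")
	trusted := map[string]ed25519.PublicKey{supplier.Holder: supplier.Public(), client.Holder: client.Public()}
	parties := []string{supplier.Holder, client.Holder}

	// Constructed sample order; both parties must sign the same bytes.
	doc := &SignedDocument{Content: []byte("Pedido 2009-117: 100 unidades a 12,50 EUR")}
	supplier.Sign(doc)
	fmt.Println("only the supplier signed:", VerifyAll(doc, trusted, parties))
	client.Sign(doc)
	fmt.Println("both parties signed:", VerifyAll(doc, trusted, parties))

	// Changing the price after signing invalidates every signature.
	tampered := &SignedDocument{Content: []byte("Pedido 2009-117: 100 unidades a 2,50 EUR"), Signatures: doc.Signatures}
	fmt.Println("content changed after signing:", VerifyAll(tampered, trusted, parties))
}
```

The design point is in VerifyAll: trust is anchored in the map of public keys the verifier already holds for each identity, never in the key that arrives with the document, so a signer who simply claims another party's name with a fresh key pair is rejected exactly like a forged or altered document.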

Finally, sending information about the company by electronic mail is done by 59.9% of the surveyed organisations, with considerably greater intensity among companies with 10 to 49 employees (65.9%) than among smaller companies (58.8%).

This service offers much or enough confidence to 76.9% of them, with no significant differences by company size in this case.

Table 25: Degree of confidence of companies when sending information by e-mail, by company size (%)

Size             % that do it   Much   Enough   Neither much nor little   Little   None
Less than 10     58.8           26.2   50.9     14.1                      5.1      3.7
From 10 to 49    65.9           31.1   45.4     15.2                      7.9      0.5
Total sample     59.9           26.9   50.0     14.4                      5.5      3.2

n=1,320 Source: INTECO

49.6% of the companies that show little or no confidence when sending information about their company over the Internet say it is because the sending does not seem secure to them, whereas for 36.5% the distrust lies in a preference for traditional means over digital ones. Note that this is the only one of the analysed services in which the majority reason given for the lack of confidence is the perception of insecurity.

Figure 63: Reasons why companies trust little or not at all when sending information by electronic mail (%)

I don't think it is secure: 49.6%
Traditional mechanisms are more trustworthy to me: 36.5%
It is strange and unknown to me: 11.3%
Don't answer: 2.6%

n=115 Source: INTECO

In short, Spanish companies show a more than acceptable level of adoption of Information Society services, in many cases higher than that shown by European companies: this is the case for the use of electronic banking, procedures with the public administrations, the use of the electronic signature, online purchases and, finally, online sales. There are other services in which Spanish companies must continue to invest effort to match the European average: the electronic invoice, the use of company websites as a sales channel and the possibility of accepting payments over the Internet.

Two common patterns of behaviour can be drawn from the individual analysis of each service:

• First, use is more widespread among the larger companies (10 to 49 employees) than among microcompanies. Training and awareness actions launched by the administrations and the private sector should take this into account when selecting target groups.

• Second, the levels of confidence in each service are very high among users, between 75% and 90% in all cases. Here company size does not affect the degree of confidence.

7.2 Inhibitors to the development of the Information Society

If companies are using Information Society services sufficiently, in line with the European level, and moreover say they trust them, is there any constraint on the expansion of these services? This section analyses the reasons that the non-user companies of each service give for not using it.

Obviously the reasons differ depending on the service analysed. Figure 64 combines the answers given by companies to make them easier to read and analyse [49].

Figure 64: Reasons why companies do not use certain services over the Internet (%)

Service                        I don't know how   Low trustability   Not interested   Didn't know it was possible   Other reasons
Payments over the Internet     50.7               26.6               10.7             2.5                           9.5
Use of electronic bank         27.4               27.7               15.6             3.7                           25.6
Public administration steps    5.1                6.8                26.2             3.3                           58.5

Source: INTECO

The conclusions of the analysis are revealing.

• Companies that do not make payments over the Internet (n=1,290) mainly say they do not do so because they do not know how (50.7%) or because the service does not inspire confidence in them (26.6%).

[49] Note that the degree of non-use of each service differs (procedures with the Public Administration n=944, electronic banking n=348, payments n=1,290). The conclusions drawn from this analysis should therefore be read in context.

• Organisations that do not use electronic banking (n=348) cite first the lack of confidence (27.7%) and second not knowing how it works (27.4%). A considerable percentage (15.6%) are not interested in online banking, and a further 25.6% give other reasons.

• Finally, companies that do not deal with the public administrations over the Internet (n=944) give lack of interest as the main reason (26.2%), followed by lack of confidence (6.8%). In this case the proportion of organisations that do not know how to carry out these procedures is smaller (5.1%) and, conversely, the volume of surveyed companies giving "another reason" is very high (58.5%).

Figure 65 analyses the obstacles to the use of the electronic invoice among non-users. Here the calculation base is large (n=2,032) since, as the data presented earlier showed, this service has a decidedly low rate of use among Spanish companies (8%).

59.7% of the companies that do not use the electronic invoice do not do so because "it brings them no advantage", which is a very interesting starting point for orienting actions aimed at promoting the use of the electronic invoice among Spanish companies.

Figure 65: Reasons why companies do not have the electronic invoice (%)

Considering there is no advantage: 60.4%
Remaining categories (shares of 14.1%, 11.7%, 9.6%, 2.9% and 1.3%; the assignment to categories is not recoverable from the extracted chart): Other; Unknowledge of the concept "electronic bill"; Interested, but not having time or resources for it; Not considering it secure; Don't answer.

Companies that do not have the electronic invoice n=1,995 Source: INTECO

Finally, in the analysis of the reasons that lead companies not to use the electronic signature, lack of interest (48.6%) and ignorance of its usefulness (14.9%) stand out.

Figure 66: Reasons why companies do not use the electronic signature (%)

I am not interested: 48.6%
Unknowledge of the use: 14.9%
Remaining categories (shares of 20.4%, 5.5%, 5.2%, 3.2%, 1.6% and 0.5%; the assignment to categories is not recoverable from the extracted chart): Low trustability; I don't know how to use it; I didn't know I could have it; I don't know how to obtain it; Other reasons; Don't answer.

n=1,097 Source: INTECO

8 INFORMATION SECURITY INDICATORS SYSTEM OF THE SMALL AND MICROCOMPANIES

All the analysis presented in this study can be summarised in the calculation of a series of indicators that synthesise the information resulting from the research in a systematic and segmented way. This gives a global view of the state of security of Spanish small and microcompanies.

The system is made up of seven indicators, ranging from good practices or security tooling to actual malware incidence. The system includes the following indicators:

• IS.1: Indicator of tools.

• IS.2: Indicator of good practices.

• IS.3: Indicator of policies.

• IS.4: Malware incidence indicator.

• IS.5: Indicator of equipment in a risk situation.

• IS.6: Aggregate security indicator.

• IS.7: Indicator of e-confidence.

The seven indicators fall into three groups: indicators related to protection (IS.1, IS.2, IS.3), indicators related to risk and the level of incidents (IS.4, IS.5) and general indicators of security and e-confidence (IS.6, IS.7). The first group measures and reports the protection existing in the company; the second measures the risks; the third comprises IS.6, which takes the NIST guide as its reference to build an indicator based on the actions a small company must carry out to protect itself, and IS.7, which presents the companies' perception of general security when using the Internet.

The indicators take values between 0 and 100 points. Thus, for example, a value of 23.8 for indicator IS.5 does not mean that 23.8% of company computers have a high risk of infection; rather, the combined calculations that produce it yield a value of 23.8 points on a scale from 0 to 100.

The INTECO indicator system allows, should later studies be made, the evolution and trends of security in Spanish small and microcompanies to be tracked, with the following advantages:

• It is comprehensive, because it covers usage habits as well as actual security equipment and malware incidents.

• It is synthetic, because it condenses all the relevant aspects of security into a set of seven indicators. Separately, each one reflects a certain area of security through a combined calculation of the various variables and parameters that compose each index.

• It is stable, because it gives an overall view of the security situation of any market, segment or sub-segment through scores whose reference is always 100 on the scale. Even if the number of questions composing an indicator changed, the indicator system would keep its stability and its historical comparability.

• It is operational, because it makes it very simple to detect the weaknesses of the system and to inspire measures to reduce them.

• It is strategic, because it helps to understand the consequences for the system as a whole of individual situations of lack of protection, while making the connection between the security policies of the Administration and the individual behaviour of Spanish small and microcompanies.

Each indicator is described individually below:

Indicator of measures and tools

This indicator measures the equipment and adoption of the security measures currently implemented in Spanish micro and small companies. Its calculation is therefore centred on the security of the system itself.

It analyses the existence in organisations of antivirus programs, personal firewalls and anti-spam (junk mail) programs.

The result is compared with an optimal security situation, which would be reached with complete equipment (100 points).

Indicator of good security practices

This indicator measures the good practices the company makes available to its workers to guarantee the security of the equipment: among others, the use of passwords (access to equipment and documents), backup of important files, disk clean-up (deletion of temporary files and/or cookies) and intrusion prevention by means of filters.

The result is compared with an optimal security situation, that is, one in which employees would comply with all the good security practices stipulated by the organisation (equivalent to 100 points).

Indicator of security policies and plans

It measures the practices companies carry out to protect workers and raise their awareness so that, in their daily activity, the level of security progressively increases and adapts to the organisation's needs.

It is made up of two concepts: on the one hand, the availability of plans and policies that would allow the company to continue its activity in the event of a security incident and, on the other, the procedures that give meaning to the policies by describing the tasks, location, requirements and positions responsible for carrying them out.

All these aspects are measured for the set of companies according to whether they have them and the importance assigned to each section. The result is compared with an optimal security situation, which would be reached when companies have the policies, procedures and plans (100 points).

Malware incidence indicator

It indicates the percentage of computers with some malware incident detected by iScan on the equipment the company made available. This indicator therefore reflects the reality of at least one computer in each of the companies that underwent the security audit.

In this case a low value would indicate an optimal security situation, since the indicator measures the presence of malware on the equipment: the lower its value, the lower the incidence of malware on the organisation's computers.

Indicator of equipment in a risk situation

To compute this synthetic indicator, two things are considered: on the one hand, the behaviours and habits of the organisation from which it could follow, to a greater or lesser degree, that the company's equipment is in a risk situation and, on the other, the information extracted from the equipment on which the remote audit detected at least one high-risk malware incident. It includes, among others, the following elements:

• Whether the equipment is up to date with the operating system's security updates (data collected through the audit of the computers).

• Whether some high-risk malware has been detected on the equipment. Malicious code of the following families is considered: trojans (backdoors, bankers, keyloggers, diallers), viruses, worms, rootkits, exploits and macros.

• Whether it has an antivirus program and whether it is active.

The final result should not aim for the maximum score; on the contrary, the lower the risk level, the better the security situation of the computers and of the organisation's own system (0 points).
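The following Go program is an added example for this edition, not code from INTECO's indicator system, illustrating the scoring described above for the 0 to 100 scale, the tools indicator (IS.1), the malware incidence indicator (IS.4) and the equipment-at-risk indicator (IS.5). The study does not publish its weighting or its exact rules, so the per-item weights, the rule for counting a computer as at risk, the AuditRecord structure and the audit records in main() are all assumptions constructed for the example. What it shows is why a value such as 23.8 is a score and not a percentage of computers, and how an indicator keeps the 0-100 scale whatever the number of questions composing it.

```go
package main

import (
	"fmt"
	"math"
)

// AuditRecord holds what the remote audit and the questionnaire report for one
// audited computer. The fields follow the elements named in the text for IS.1,
// IS.4 and IS.5; every record used below is constructed for this example.
type AuditRecord struct {
	OSUpdated       bool     // operating system security updates current
	HasAntivirus    bool
	AntivirusActive bool
	HasFirewall     bool
	HasAntiSpam     bool
	Malware         []string // families detected by the audit, e.g. "banker"
}

// High-risk families listed in the text for the equipment-at-risk indicator.
var highRisk = map[string]bool{
	"backdoor": true, "banker": true, "keylogger": true, "dialler": true,
	"virus": true, "worm": true, "rootkit": true, "exploit": true, "macro": true,
}

// Item is one yes/no component of an indicator and its weight. The weights
// used below are an assumption of this example; the study does not publish them.
type Item struct {
	Weight float64
	Met    bool
}

// Score reduces any number of weighted items to the 0-100 scale: the met
// weight as a share of the total weight. The scale is therefore the same
// however many questions compose the indicator.
func Score(items []Item) float64 {
	var met, total float64
	for _, it := range items {
		total += it.Weight
		if it.Met {
			met += it.Weight
		}
	}
	if total == 0 {
		return 0
	}
	return 100 * met / total
}

func hasHighRiskMalware(r AuditRecord) bool {
	for _, m := range r.Malware {
		if highRisk[m] {
			return true
		}
	}
	return false
}

// ToolsItems are the three tools of IS.1, equally weighted (assumption).
func ToolsItems(r AuditRecord) []Item {
	return []Item{{1, r.HasAntivirus}, {1, r.HasFirewall}, {1, r.HasAntiSpam}}
}

// RiskItems are the three conditions of IS.5. Met means the risk condition is
// present, so a higher score is worse; the weights are an assumption.
func RiskItems(r AuditRecord) []Item {
	return []Item{
		{0.5, hasHighRiskMalware(r)},
		{0.3, !r.OSUpdated},
		{0.2, !(r.HasAntivirus && r.AntivirusActive)},
	}
}

// Indicator averages the per-computer score over the sample, rounded to one
// decimal: a combined value, not a percentage of computers.
func Indicator(records []AuditRecord, items func(AuditRecord) []Item) float64 {
	if len(records) == 0 {
		return 0
	}
	var sum float64
	for _, r := range records {
		sum += Score(items(r))
	}
	return math.Round(10*sum/float64(len(records))) / 10
}

// MalwareIncidence is IS.4: the share of audited computers with any malware.
func MalwareIncidence(records []AuditRecord) float64 {
	if len(records) == 0 {
		return 0
	}
	infected := 0
	for _, r := range records {
		if len(r.Malware) > 0 {
			infected++
		}
	}
	return math.Round(1000*float64(infected)/float64(len(records))) / 10
}

func main() {
	sample := []AuditRecord{ // constructed records, one audited computer each
		{true, true, true, true, true, nil},
		{false, true, true, true, false, []string{"adware"}},
		{true, false, false, false, true, []string{"banker"}},
		{false, true, false, true, true, nil},
	}
	fmt.Printf("IS.1 tools: %.1f\n", Indicator(sample, ToolsItems))
	fmt.Printf("IS.4 malware incidence: %.1f\n", MalwareIncidence(sample))
	fmt.Printf("IS.5 equipment at risk: %.1f\n", Indicator(sample, RiskItems))
}
```

On the constructed sample the malware incidence is 50.0 (two of four computers carry something), while the equipment-at-risk score is 37.5: the computer with adware but an active antivirus contributes only its missing updates, and the one with a banking trojan and no antivirus contributes most of the total. Reading the risk indicator as "37.5% of computers at risk" would be the mistake the text warns against.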

Indicator of e-confidence

It measures the subjective perception of the degree of security confidence of companies when they use the Internet and, where distrust arises, the security concern that causes it ("it does not seem secure to me").

The degree of confidence is measured on the following elements: purchases from suppliers, sales to clients, procedures with the Public Administration, electronic banking, the sending of company information over the Internet and payments over the Internet.

The result is compared with an optimal security situation, which would be reached with greater use and a complete degree of confidence (100 points).

Global security indicator

Finally, in order to have a single value that gives the information security level of Spanish small and microcompanies, an aggregate global indicator is calculated.

This indicator is calculated on the basis of the results obtained throughout the study on the security incidents and needs of Spanish small and microcompanies, so its parameters are already present in some form in the other indicators.

For the construction of the indicator, a NIST guide [50] has been taken as reference, in which the actions a small company must carry out to protect itself are listed. Three types of behaviour are distinguished:

• Absolutely necessary actions that companies must take to protect their information, systems and networks. Among them:

o Protect information, systems and networks from the damage that viruses, spyware and other malicious code can cause.

o Secure the Internet connection.

o Install a personal firewall on all equipment connected to the Internet.

o Keep the operating system and applications updated.

o Make backups of the company's important information.

o Physical access control to computers and network components.

o Security of networks and Wi-Fi access points.

o Security training for employees.

o Individual user accounts for each employee.

o Limit employees' access to information and their ability to install software.

• Highly recommended practices, related to various aspects:

o Have electronic mail usage policies.

o Block pop-up windows.

o Good practices in the use of electronic commerce and electronic banking.

o Good practices when hiring employees.

o Obtain specialised help when necessary.

[50] Op. cit. 15

At this point other measures that NIST does not contemplate are also considered necessary, such as carrying out security audits and the procedures for compliance with Spanish regulation, in particular the LOPD.

• Other considerations, such as:

o Contingency and disaster recovery plans.

o Considerations on preventing information security incidents.

o Policies related to information security.

The final result is compared with an optimal security situation, which is reached when companies carry out all the actions and practices mentioned above (100 points).

8.1 Analysis of the information security indicators

The global analysis of the information security indicators offers a positive reading, given the low values taken by the risk indicators and the high values of those related to protection.

Figure 67 represents in red the main values that is to say, the one of e-confidence and the
global one of security. To the right of these risks appear the indicators related to the
incidences/: the incidence meter of malware and the one of equipment in risk situation.
Finally, to the right they locate the group of protection indicators, the indicator of tools, the
one of good practices and the one of plans and policies.

In general, the global situation stays with considerable equipment in tools (76.1), an
accomplishment of good practices moderate (51.1) and another one of plans and policies
under (21). One obtains a moderate incidence in computers with malicious codes (48.4)
and, of very special form, a relatively low number of computers in risk situation (23.8).

With respect to the generals of security and e-confidence, the taken values are 54.4 and
73.2 respectively, being deduced that the situation of security offered by the added
indicator global is in optimal levels, and the subjective perception with respect to the
degree of confidence of security of the companies when they use Internet enough is
elevated.

Figure 67: Information Security Indicators System (0-100 points)

Protection indicators: Tools indicator 76.1; Good practices indicator 51.1; Policies and plans indicator 21.0.
Global indicators: Security global indicator 54.4; E-trust indicator 73.2.
Incidences/risks indicators: Malware incidences indicator 48.4; Equipment in risk situation indicator 23.8.

Source: INTECO

This is a logical and expected behaviour, and it demonstrates the growing adoption of an information security culture among small and micro companies as Internet users, as well as the inverse relationship between security and risk: the more security tools, good practices and policies a company uses, the fewer incidents and the lower the risk level its equipment will present. This is reflected in the acceptable value of the global security indicator.

9 CONCLUSIONS

If there is one characteristic common to all small and micro Spanish companies, it is precisely their heterogeneity. A difference that implies, as has been seen throughout the report, security tools, good practices, procedures and policies matched to their specific needs.

This diversity also exists when it comes to applying all of them, as a consequence of their different size, degree of maturity and knowledge of their information security requirements and needs.

Regarding the first of these, company size, this study allows us to glimpse the existing differences in the implementation of the measures discussed above. The reality is that size matters: companies with a greater number of workers have, logically, more human and economic resources to dedicate to information systems. Thus, for example, in the level of implementation of security measures and solutions, small companies (between 10 and 49 employees) show, compared with micro companies (fewer than 10 workers), a higher percentage of installation of tools and/or solutions, both on all computers and on certain shared computer equipment of the organization.

There is a single exception: antivirus programs, which, as seen throughout the study, are the most widespread tool among companies, since almost all organizations have them. However, as has been verified in the incidents section of the report, a company's security is not assured merely by having certain tools installed; it also requires other complementary measures, such as good practices and procedures, which together form a global system of protection in the organization.

In line with the high degree of dependence of small and micro Spanish companies on information systems, business owners have shown special concern for the availability of their technological infrastructure and the information it supports, which is why the great majority make backups and install antivirus systems. In contrast, the confidentiality of computerized data does not seem to be among the aspects that most worry small Spanish organizations, since the majority do not have encryption tools, although a significant number do have firewall systems and other perimeter security elements.

Regarding the position Spain occupies in the world in SME information security, it can be concluded that Spanish companies with fewer than fifty employees and an Internet connection are clearly ahead in the use of the most clear-cut and socially widespread technological mechanisms (antivirus, personal firewall or authentication mechanisms). The situation is completely different when we compare the use of more advanced technological controls (for example, encryption mechanisms or intrusion detection tools) or the strategic, procedural and organizational aspects of security, where small companies in the rest of Europe and the world have a clear advantage over us. This indicates that Spanish organizations perceive security as a merely technological matter, an approach that must be changed in order to reach a level of maturity that allows security and e-trust levels to be raised.

Indeed, with regard to the degree of maturity, behaviours are observed among organizations showing that this factor is decisive, both when acting in the face of an incident and when launching security actions and/or practices. Not only on the equipment, but also across the company as a whole.

However, when considering this variable, the importance for these organizations of becoming aware of the risks is also appreciated, since a high percentage of them think that they are not likely to suffer a security incident because they consider themselves "of little interest" to possible attackers.

Finally, in relation to knowledge of their needs, it can be verified in various sections of the study that the business owners interviewed consider that they have a high degree of information about what their small organizations need. An indication of this is that on most occasions they state that they do not need the solutions as the main excuse for not using them.

However, it is fair to say that although micro and small company managers do not acknowledge their lack of knowledge, the great majority of them nevertheless state that they outsource their IT services, mainly because there is no real interest in having staff dedicated to information security. Other reasons given are the high economic cost of having such a profile on staff, or not having qualified workers to cover the needs.

Among the small and micro companies that do have such staff, eight out of ten also have a security director. The existence of this figure is a guarantee of greater implementation of security tools and/or solutions in organizations, since it increases effectiveness when resolving the security incidents that occur and reduces the possible impacts generated, in global terms.

Companies also acknowledge that their investment in security is lower than in the previous financial year, justifying this by a lack of interest, a lack of budget, or a lack of time to search for and acquire solutions. In addition, more than 20% of companies acknowledge that not investing in security does not represent a barrier for them when implementing security tools and/or solutions.

Despite these reasons, small and micro companies do know how to recognize which requirements security products and/or solutions must meet. Thus, with respect to products, more than six out of ten companies highly value a balanced relationship between quality and effectiveness, as well as after-sales service, technical support and a product guarantee. In relation to solutions, the same percentage of organizations considers security reviews, incident resolution services and specialized security training/information to be necessary or very necessary.

However, products and solutions are not the only mechanisms organizations have to implement security on their equipment and systems. They are necessary but not sufficient. Organizations also need to maintain good practices that guarantee their security status. The main factor enabling organizations to be, and feel, protected is the combination of both elements. These materialize in making backups, and in updating and using original software, operating systems and/or security tools, which in the present study is reflected in more than eight out of ten organizations stating that they meet these requirements. Thus, at the global level, practically all companies (94.2%) make backups, almost half of them by means of an automatic system and on a daily basis. 85% also state that they have licensed software, and 88.9% believe they have updated their operating system and security tools.

Another of the points analyzed in the field of information security is companies' knowledge of their level of compliance with data protection regulation. It is evident that, at the global level, a high percentage of them think that this regulation is binding on them.

Comparing the 2009 results with the study on the LOPD in companies carried out by INTECO in 2008, the evolution of the LOPD among organizations can be observed. For example, there has been an increase of more than 15 percentage points in the number of companies stating that they have registered their files containing personal data with the Spanish Data Protection Agency; and an increase in the number of companies that fulfil the obligations regarding requesting the data subject's consent for the processing of the data (an increase of more than 33 percentage points) and informing the data subject about the collection of the data (an increase of more than 38 percentage points).

However, it is striking that still only half of the small companies that consider that they hold personal data have registered their files with the general register of the Spanish Data Protection Agency.

It is clear that the dissemination, training and awareness actions regarding the regulation in force, carried out by public and private organizations, have had the desired effect, although it is evident that other aspects remain in which organizations must continue to improve.

A second key element in the progressive increase of the security level among small and micro Spanish companies has been the launch of security plans and policies. To give shape to these actions, companies have a tool of great utility and significant help for the management of organizations: the Information Security Management System (ISMS).

At present, the percentage of small companies that have some type of plan or policy (security plan and business continuity plan) lies, depending on the type of plan, between 11.9% and 24.6%, although in the case of the security plan, 21.7% of organizations plan to develop one in the future.

As for security audits, 22.8% of small companies state that they have carried out one. In them, these organizations reviewed a multitude of aspects, among which it is worth highlighting that more than eight out of ten companies focused on activities related to their operations. As a result of the aspects reviewed in these audits, 81.3% of small companies chose to make some type of change in their security measures, practices or behaviours.

Therefore, despite the interest shown by small and micro companies in certain security tools (antivirus, firewall and backups), these measures are usually not accompanied by security, continuity or awareness plans, which translates into non-optimized spending on information technology, ignorance of the threats to which the company is exposed, and deficiencies in the implementation of the recommended security measures. Additionally, the mechanisms already in place would gain effectiveness if they were accompanied by formal policies and procedures for their use and management.

In any case, the implementation of security tools, good practices, plans and policies is a decision that corresponds to the companies themselves, which, based on their activity and business volume, must establish their own timetable and priorities for information security in order to reduce the number of incidents that occur.

With respect to security incidents, 35.1% of small and micro Spanish companies have a correct perception of having suffered an incident, whereas for 13.1% it is erroneous, since they consider that they are not infected when they actually are. These companies run a serious potential risk, since they consider their equipment safe when it has actually been affected by some type of malicious code (malware).

Among the types of malicious code most frequently detected on equipment, the trojan family and unwanted advertising software stand out (with infection levels present in 27.8% and 23.2% of equipment respectively). Both belong to the categories that give their creators the greatest return on investment. That is, hackers create them because they provide a greater economic benefit than other types of malware, since this malicious code can be exploited to commit fraud, industrial espionage, blackmail, mass sending of unsolicited mail, etc.

Very few small and micro Spanish companies have the necessary knowledge among their own staff to resolve their incidents. Except in the cases where they turn to acquaintances with the relevant knowledge, it is clear that specialized services are a key piece that can play a fundamental role, and towards which a large part of the effort, training and preparation needed to raise the security level of these companies should be directed. Among the advantages of appointing a security manager, the considerable increase in effectiveness when resolving security incidents stands out, which translates into a reduction of impact for these companies in global terms.

The main consequence derived from security incidents is the loss of invested time, which affects 68.1% of companies. Others, such as economic losses or damage to the company's image, are hardly perceived by the organizations participating in the study. The incidents implied changes of habits in 69.1% of organizations. More than four out of ten companies installed or updated a security program or tool, while a quarter of them started making backups of their files. This demonstrates that, despite the level of incidents that small and micro companies state they have, their own knowledge of measures and good practices, or that of the staff to whom they have delegated the resolution of security incidents (65.7% of companies turn to external specialized services), enables them to change their conduct.

The evolution of incidents and the diversification of malware in organizations mean that threats are beginning to reach mobile and wireless devices. Thus, at the global level, 4.4% acknowledge having suffered theft of Wi-Fi and 7% having had an incident on their advanced mobile devices. The growing number of these devices will mean that companies must make additional efforts to cover the security needs presented by these terminals.

Finally, it can be stated that e-trust is high. Thus, the trust of small and micro Spanish companies in the Information Society is reflected in the fact that more than half of them use resources such as online banking, carrying out procedures with the Public Administration, sending company information by email or through web forms, or electronic signatures. And four out of ten companies use Internet payment services, purchases from suppliers and sales to customers. More specifically, and as an example, 90.3% of small companies state that conducting banking operations online gives them confidence.

Besides using these services as active subjects, small organizations place a great deal or a fair amount of trust in the provision and/or marketing of their products and services through the Internet.

9.1 SWOT analysis

As a synthesis of these final reflections on the results of the study, and as a preliminary step to the following section of recommendations, a SWOT (DAFO) analysis is presented. It applies this methodology to the study of the security status of the Spanish small and micro company sector, based on the situation of its environment (external factors: opportunities and threats) and on its internal situation (internal factors: weaknesses and strengths).

9.1.1 Strengths

• Good technological capacity

Small and micro Spanish companies have a technological situation similar to, or even better than, that of their European counterparts. It is especially remarkable that practically all small and micro Spanish companies connected to the Internet have broadband ADSL connections.

• High level of implementation of certain security tools

The spread of certain security tools in these companies is greater than among their European counterparts, especially in the case of antivirus, firewalls and authentication mechanisms (see section 3.1 Security tools). The high use of these tools can be an important starting point for the progressive improvement of security in small and micro Spanish companies.

• High level of use of electronic signatures and other Internet services

As indicated in section 7.1, small and micro Spanish companies have levels of use of electronic signatures and of procedures with the Public Administrations higher than those of companies in the European environment. This differential factor can be used as a lever to provide these organizations with greater security.

• Growing level of awareness and adaptation regarding data protection

Although we are still far from considering that most small and micro companies have adapted to the requirements of the Spanish data protection regulation, a very significant improvement is noted in their degree of adaptation to the obligations derived from the LOPD and the RDLOPD, and a growing number of companies are interested in complying with it (see section 3.3).

• High level of e-trust

In broad terms, it can be concluded that small and micro Spanish companies with an Internet connection tend to use the services available on public networks, and show that they do so trusting the security levels offered, especially in the cases of online banking and e-Administration.

9.1.2 Weaknesses

• Significant existence of vulnerabilities, risks and impacts

This study has shown that 48.4% of small Spanish companies have some type of vulnerability in their systems, which indicates the risk to which they are exposed.

• False sense of security

The use of technologies and services on public networks by small and micro companies takes place under a false sense of security, as a consequence of considering the installation of certain tools on their equipment to be sufficient protection, or believing it unlikely that they will be victims of a security incident (see section 3.1.2).

This certain lack of awareness manifests itself in a remarkable level of infection by malicious code, in many cases without their even knowing it and, worse still, while declaring that they believe they have a suitable level of security. Likewise, many companies think they have security tools installed when in fact they do not (see Figure 6), or that their systems and programs are updated when in fact they present vulnerabilities (see Figure 19).

All of this prevents them from going deeper in the search for the security solutions suitable and necessary for their business, leads them to underestimate the risks, and leads them to incur imprudent behaviours.

• Focused on the technological dimension

Many companies still consider information security to be something purely technological. This perception prevents them from reaching a greater level of maturity in the treatment of procedural, personnel, organizational and other aspects.

• Slow progress in some aspects

It has been observed that improvement in some of the aspects analyzed is slow. The case of electronic invoicing is especially relevant (see chapter 7), where, despite the effort made, growth in the last year has been small. There is a risk that this slow growth will slow the evolution of aspects related to e-trust or information security.

9.1.3 Opportunities

• High level of commitment of the Public Administrations and business associations

One of the lines of action of the Plan Avanza focuses on reinforcing companies' confidence in ICT by means of public information security policies, among other measures 51. This line of action has resulted in initiatives such as the programme "Impulse to the implementation and Certification of ISMS in SMEs" promoted by INTECO 52, the "Guide for companies: how to adapt to the data protection regulation" 53 published by INTECO, or regional initiatives such as "Security and legislation in e-me" of the Government of the Principality of Asturias, among others. On the other hand, different Chambers of Commerce and associations make information security courses 54 or security guides 55 available to SMEs.

Likewise, the present study can be considered part of this same line, since it allows the security problems of Spanish companies to be known and the best approach to solving them to be made.

51 http://www.planavanza.es/LineasEstrategicas/AreasDeActuacion/EjeConfianzaYSeguridad/SeguridadInfo/

52 http://cert.inteco.es/Formacion/SGSI

53 INTECO (2009): Guía para empresas: cómo adaptarse a la normativa sobre protección de datos. Available at https://www.inteco.es/Seguridad/Observatorio/manuales_es/GuiaManual_LOPD_pymes

54 Examples are the course by the Huesca Chamber of Commerce "Jornada sobre gestión de la seguridad en los sistemas de información de la pyme" (http://www.camarahuesca.com) or the networking and security courses taught by the "Confederación Española de Organizaciones Empresariales (CEOE)".

55 For example the "Guía de Seguridad de la Información para PYMES" promoted by the "Asociación Murciana de Empresas de Tecnologías de la Información y las Telecomunicaciones". http://www.vdigitalrm.com/archivos/guia_seguridad_pymes.pdf

• Approach of security product manufacturers to the corporate information security market

Security product manufacturers are increasingly focusing on the market of small and micro Spanish companies, offering solutions better adapted to their needs 56.

• Level of outsourcing of IT functions

A high percentage of small and micro companies, 65.7%, turn to systems specialists when they suffer incidents.

Security training directed at these subcontracted companies could result in improved security across a significant set of small and micro Spanish companies. Likewise, they should be provided with information on how to outsource their processes efficiently.

It is important to note, however, that although these companies outsource their IT systems, they should not lose control of information security, since that could result in problems for them in the long term.

9.1.4 Threats

• Slow progress in security can cause a loss of competitiveness

The delay, in general, of small and micro Spanish companies in security and e-trust with respect to the organizations of our closest environment (the European ones, although at the world level they are also below the average), together with slow progress, can cause a loss of competitiveness.

Measures should be taken so that the security level in small and micro companies improves at a good pace, and measurements should be made to verify that progress is maintained, or otherwise to vary or increase the actions taken.

• Mobile and wireless devices as potential security breaches for companies

A trend is observed towards the incorporation of advanced mobile devices in small companies without their making sufficient additional efforts to cover them, which implies an increase in the risk to which these companies are exposed.

56 As an example of this orientation, see the article "Symantec se orienta a la PYME y especializa su canal": http://www.idg.es/dealerworld/Symantec-se-orienta-a-la-PYME-y-especializa-a-su-canal/seccion-producto/noticia-80854

10 RECOMMENDATIONS

Next, after analyzing the data of the present study, a series of action recommendations is formulated, distinguishing between those directed at Spanish companies, those directed at the information security industry and those directed at the Public Administrations.

10.1 Recommendations to small and micro companies

Recommendation 1: Use security measures and tools appropriately

The fact that the Spanish companies participating in the study implement tools in different ways depending on their size, level of maturity, the incidents they suffer and their degree of knowledge should not be an obstacle to developing good security practices that secure their work. In addition, they need to approach information security as something global, where the use and updating of tools and/or programs is an integral part of their routine.

This approach implies that organizations are able to:

• Better understand the risks they face, aligning them with their business objectives and information assets.

• Be aware of the consequences of not addressing them properly.

• Know which information assets are most important to their business.

• Apply a limited security budget where it is needed most.

• Be prepared for incidents that prevent normal operation.

Recommendation 2: Install licensed software and update programs/operating systems

Companies must become aware of the importance of using this type of software, which meets the guarantees of legality and originality. In this way, if the programs have vulnerabilities, security patches can be obtained quickly and safely.

It is equally advisable to keep programs and/or operating systems updated, in order to avoid possible vulnerabilities or failures caused during installation.

Recommendation 3: Establish security procedures, plans and policies

As has been shown, few organizations have an awareness policy indicating the appropriate use to be made of the company's information systems. It is a measure that makes it possible to avoid security incidents (or to be protected should they occur).

The primary objective is for the company's employees to use information resources constructively. It is equally necessary to ensure that employees are aware of the policy and respect it.

A recommended practice is to carry out security audits that allow a good security status in the organization to be analyzed, reviewed or established.

Organizations that, whether because of their size or because of their production needs, cannot have a manager in charge of information security in the company must turn to specialized personnel who guarantee the resolution of incidents and the design of plans and procedures.

Recommendation 4: Eradicate the false perception of security in Spanish companies through information and awareness

The main inhibitor preventing the development of information security in organizations is the false sense of security they have. This sensation makes it easier for companies to become the target of exploitation of some type of vulnerability.

Small and micro companies declare that the main reason for not implementing security measures is that they do not need them. It is the lack of knowledge of the incidents to which they are exposed that is the main factor behind the occurrence of security problems.

It is necessary to break the false impression of security for a double reason: to advance in the development of information security and to eliminate the threats that have a negative impact on Spanish companies.

Recommendation 5: Implement an Information Security Management System (ISMS)

Information security management must be carried out by means of a systematic, documented process known throughout the organization. The use of an ISMS equips the organization with the tools or mechanisms needed to confront the risks present in companies.

Recommendation 6: To provide the employees with training in the matter of information security

Because the concepts that sustain information security are constantly being updated, companies need to follow the public or private recommendations issued by the different bodies and organizations, and to pass them on to their employees.

10.2 Recommendations to the manufacturers

Recommendation 1: To adapt products and solutions of security directed to the small companies to their concrete necessities

The key to delivering a security product to small and medium companies satisfactorily is an appropriate mix of channel, product and strategies. This implies:

• Simplifying and redesigning the product to fit what the company needs.

• Favouring the blending, integration and simplification of the existing solutions so that they can be useful to the organization, given the lack of specialization of the security tools.

• Covering in a global way all the ICT security needs at every level: data, application, connection, etc.

• Simplifying the processes of acquiring and installing solutions.

• Improving the compensation models for the companies in the distribution channel for their effort in penetrating the enterprise market.

• Evaluating the use of existing retail stores to promote security services through elements such as informative panels, demonstrations, etc.

Recommendation 2: To make the final prices and the margins of the intermediaries attractive

This can be done through the creation of dynamic contracts for security services that favour the implantation of measures in the companies. These contracts could include an attractive price scale and the possibility of being modified (duration, scope, resources assigned…) if the conditions of the contracting organizations change.

Recommendation 3: To foment mechanisms to favour the relations with the PP.AA

A closer relationship between manufacturers/security suppliers and the Public Administrations (PP.AA) could help, by means of diffusion campaigns, to orient and bring the present supply of security services and solutions existing in the market closer to Spanish micro and small companies.

Recommendation 4: To extend and improve the pre-sale and post-sale services

By means of these services the security suppliers would offer the organizations:

• A pre-sale advisory service that helps orient the consumer towards the solutions that best fit their needs.

• A guaranteed after-sales service that allows the services to be maintained in line with the client's changing requirements.

10.3 Recommendations to the Public Administrations

Recommendation 1: To promote and advise on Information Security Management Systems (ISMS)

Within the framework of Plan Avanza, INTECO has received from the Secretariat of State for Telecommunications and for the Information Society (SETSI) a management mandate to start up a project aimed at fomenting and promoting both the implantation and the certification of Information Security Management Systems (ISMS) in Spanish companies 57.

This project has as its primary targets:

• To make companies aware of and sensitize them to Information Security Management Systems.

• To implant an ISMS and certify the system according to the ISO 27001 standard.

• To increase the productivity and competitiveness of the companies benefiting from the program.

57
Impulso a la implantación y certificación de un SGSI. Available at https://sgsi.inteco.es/

Recommendation 2: To sensitize the companies through an approach of proactive security based on risk

The Public Administrations must lead, at the same time, the process of breaking the false sense of security existing in organizations and of changing their approach towards e-confidence. The objective is for organizations to adopt a risk-based approach.

Both objectives are closely intertwined, since a greater awareness can be obtained through the change of approach. To achieve these goals, work can proceed in two directions:

• Through the establishment of informative channels oriented to making company owners aware in the matter of information security. The objective of these channels must be twofold: to raise awareness in security matters and to present the solutions available to them, whether in the form of guides, state training programs or subsidies.

• Through the generation of risk-based security guides directed to the companies. In this sense, the European Information Security Agency (ENISA) has prepared a practical manual to help organizations improve their security by applying a risk-based approach 58.

Recommendation 3: To orient actions towards the subcontracted companies providing information technology (IT) services

The data of the study show that eight out of every ten companies have subcontracted their telecommunications and IT services. Therefore, the Public Administration and other bodies, especially the associations of IT companies, must train this subsector of supplier companies in security matters. These external organizations are indeed the best placed to raise the security level of Spanish small and micro companies.

Recommendation 4: To offer information and advice to the companies in their plans for training the employees

The aim is to help Spanish micro and small companies to prepare the policies of use of the information systems and the plans of awareness for the employees.

58
ENISA (2007): Information package for SMEs. Available at http://www.enisa.europa.eu/act/rm/cr/risk-management-inventory/files/deliverables/information-package-for-smes-es/?searchterm=Information%20package%20for%20SMEs

Recommendation 5: To continue fomenting e-confidence among the companies

The Administrations must continue making efforts to foment the use of specialized Internet services that imply an advance of the Information Society and a consolidation of the level of e-confidence of the companies. Examples of this are the electronic signature through applications such as the eDNI, or the trust seals associated with codes of conduct of Web sites.

Recommendation 6: To carry out recurrent metric and diagnostic work on the state of information security in the companies

This information will allow: the spread among the companies of a security culture based on tools, good IT practice and security policies, letting them know their position with respect to the rest of the market; the industry to adapt its supply to the identified needs and niches; and the Public Administrations (AAPP) themselves to design suitable public policies, both reactive and preventive, as well as to follow up the impact of their actions.

In this way, the implantation of measures and good security practices in the companies can be obtained together with an indicator of their evolution, which in turn allows the degree of effectiveness of the different actions undertaken by the Public Administrations to be determined.

Recommendation 7: To elaborate and spread information adapted to the necessities of the companies

This should be done through awareness campaigns, manuals, guides, indicators, etc. Among the high-priority matters identified for the elaboration of these guides are: risk analysis for organizations, good practices in information security, the generation of business continuity plans and the management of security incidents, among others.

10.4 Priority of the recommendations

As a summary, a utility matrix for the different actions presented in the previous recommendations is provided. Figure 68 offers a global view of all the proposed measures, based on a combined analysis of the impact of each recommendation and the cost needed to address it, differentiating between the recommendations to the companies, to the manufacturers and suppliers of security, and to the AA.PP.

The impact of the action has been defined on the basis of the average of two factors:

• The estimated influence that the measures have on the overall level of information security of Spanish small and micro companies.

• The extension in time of the effects of the action.

In order to calculate the cost of each of them, the following have been considered:

• High complexity: total change of perceptions, habits, security tools or other aspects.

• Medium complexity: partial change of perceptions, habits, security tools or other aspects.

• Low complexity: partial adjustment of perceptions, habits, security tools or other aspects.

Figure 68: Matrix of utility of the recommendations (Cost/Impact)

[Figure: matrix placing each recommendation (R1 to R7) by COST (Low / Medium / High, horizontal axis) against IMPACT (Low / Medium / High, vertical axis), with separate series for the recommendations to companies, to manufacturers and to the public administration.]

Source: INTECO

By means of the recommendations set out and the cost/impact analysis of each of them, the aim is both to set standards that orient the different agents in their intention to reach the optimal level of protection, e-confidence and information security culture in Spanish small and micro companies, and to reinforce the interaction between all of them: small organizations, suppliers of security services and solutions, and Public Administrations.

APPENDIX: BIBLIOGRAPHY

• Eurostat (2008). ICT usage by enterprise 2008. Brussels. Online. Available at: http://epp.eurostat.eu/portal/page/portal/information_society/introduction

• Everis, AETIC (2008). Las Tecnologías de la información y las Comunicaciones en la empresa española 2008. Madrid. Online. Available at: http://www.aetic.es/

• Forrester Research (2008). The State of Enterprise IT Security: 2008 To 2009. Cambridge, United States. Not available online.

• Fundetec - Panda Security (2007). Seguridad en la PYME española y europea. Madrid. Online. Available at: http://www.fundetec.es/publicaciones/Informe%20Seguridad%20Panda.pdf

• Gartner (2009). SMB IT Security Spending Habits. Stamford, United States. Not available online.

• IDC, MessageLabs and McAfee (2007). SMBs in a connected World: business success means facing new IT security risks. Gloucester, United Kingdom. Online. Available at: http://de.messagelabs.com/files/all/smb/IDC_SMB_Research_20Feb07.pdf

• INE (2008). Encuesta de uso de TIC y Comercio electrónico en las empresas 2007-2008. Madrid. Available at: http://www.ine.es/jaxi/medu.do?type=pcaxis&path=%2Ft09%2Fe02&file=inebase&L

• INE (2008). Directorio Central de Empresas (DIRCE). Madrid. Online. Available at: http://www.ine.es/inebmenu/mnu_empresas.htm

• Red.es and Ministerio de Industria, Turismo y Comercio (2007). Tecnologías de la Información y las Comunicaciones en la microempresa española. Análisis por sector de actividad y Comunidad Autónoma. Madrid. Not available online.

• Red.es and Ministerio de Industria, Turismo y Comercio (2008). Las Tecnologías de movilidad en la empresa españolas. Madrid. Online. Available at: http://observatorio.red.es/empresas/articles/id/2080/las-tecnologias-movilidad-la-pyme-espanola.html

• INTECO (2007). Estudio sobre la Seguridad de la Información y e-Confianza en el ámbito de las Entidades Locales. León. Online. Available at: http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/Estudio_sobre_entidades_locales_48

• INTECO (2007). Estudio sobre la seguridad de la información y e-Confianza de los hogares españoles. León. Online. Available at: http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/Estudio_sobre_la_seguridad_de_la_informacion_y__49

• INTECO (2008). Estudio sobre el grado de adaptación de las Pequeñas y Medianas Empresas españolas a la Ley Orgánica de Protección de Datos (LOPD) y el nuevo Reglamento de Desarrollo (RDLOPD). León. Online. Available at: http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/estudio_lopd_PYME

• INTECO (2008). Estudio sobre incidencias y necesidades de seguridad en las pequeñas y medianas empresas españolas. León. Online. Available at: http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/estudio_seg_PYME_2

• INTECO (2008). Estudio sobre la situación de seguridad y buenas prácticas en dispositivos móviles y redes inalámbricas. León. Online. Available at: http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/estudio_redes

• International Organization for Standardization (ISO), International Electrotechnical Commission (IEC) (2007). ISO/IEC 27002:2005. Geneva. Not available online.

• McAfee (2008). Does size matter? The security challenge of the SMB. Santa Clara, United States. Online. Available at: http://www.mcafee.com/us/local_content/reports/does_size_matter_en_v2.pdf

• PricewaterhouseCoopers (2008). GSISS (Global State of Information Security Survey). London, United Kingdom. Online. Available at: http://www.pwc.com/extweb/insights.nsf/docid/0E50FD887E3DC70F852574DB005DE509/$File/PwCsurvey2008_cio_reprint.pdf

LIST OF FIGURES

Figure 1: Distribution of companies in Spain according to number of employees (%) ......22

Figure 2: Percentage distribution of the number of participant companies based on the number of employees ......26

Figure 3: Level of implantation of the solutions of security in the computers of the organization (%) ......31

Figure 4: Comparative international of the level of implantation of the solutions of security in the computers of the company (%) ......33

Figure 5: Annual evolution in the implantation of some tools and solutions of security in the companies, according to size of the company (%) ......34

Figure 6: Use level of antivirus: declared data versus real data (%) ......34

Figure 7: Comparative international of the implantation level of tools and/or solutions of security in the companies (%) ......36

Figure 8: Barriers for the implementation of safety measures on the part of the companies (%) ......38

Figure 9: Companies that have a person in charge to direct the computer science security (%) ......39

Figure 10: Comparative international of companies that have a security director of the information (%) ......40

Figure 11: Comparative between having/not having a director of security at the time of having implemented safety measures in the equipment (%) ......41

Figure 12: Reasons by which the companies affirm not to have personnel dedicated to the computer science aspects and a director of computer science security ......42

Figure 13: Annual evolution of the investment in security with respect to the cost in computer science (%) ......43

Figure 14: Valuations that the companies make on the different aspects of a product of computer science security (%) ......44

Figure 15: Valuations that the companies make on the necessity of specialized services/security solutions (%) ......45

Figure 16: Companies by size that make backups (%) ......47

Figure 17: Frequency with which the companies make backups (%) ......48

Figure 18: Companies that have security systems in the room where the server is lodged (%) ......50

Figure 19: State of update of the operating system and the tools of security of the companies: declared data versus real data (%) ......51

Figure 20: Companies that have files that include personal data on which they are considered affected by the LOPD (%) ......54

Figure 21: Annual evolution of companies that affirm to have declared the files with personal data in the Agency of Protection of Data (%) ......55

Figure 22: Companies by size that have files and have notified their existence before the Publication and document record department of the Spanish Agency of Protection of Data (%) ......55

Figure 23: Annual evolution of the level of fulfilment of the companies that have files of the duty of requesting consent from the holders of the data (%) ......56

Figure 24: Annual evolution of the level of fulfilment of the companies with files with personal data of the duty of informing the holders of the data (%) ......57

Figure 25: Comparative international of companies that have reviewed the norm of protection of data in the security audits made (%) ......58

Figure 26: Disposition of a strategy for the increase of the security level (%) ......60

Figure 27: Comparative international on the existence of a strategy for the increase of the security level of the information and future expositions (%) ......60

Figure 28: Typology of existing security controls in the companies (%) ......61

Figure 29: Annual evolution of the type of security controls (%) ......62

Figure 30: Comparative international of the existence of plans and policies of security in the companies (%) ......63

Figure 31: Distribution of the contents of the plan of continuity of the companies (%) ......64

Figure 32: Aspects reviewed in the audits of security of the companies of more than ten employees (%) ......65

Figure 33: Changes conducted by the companies after the accomplishment of the security audits (%) ......65

Figure 34: Security incidents declared by the companies (%) ......67

Figure 35: Annual evolution of the level of incidences in the equipment of the companies after making the security audit (%) ......71

Figure 36: Perception of the companies about the existence of malicious code in their equipment (%) ......72

Figure 37: Equipment of the companies that lodges malware according to typology of malicious code (%) ......73

Figure 38: Distribution of the categories of malicious code (%) ......75

Figure 39: Number of detections of each unique variant of malware ......76

Figure 40: Distribution of the equipment in function of the risk level (%) ......79

Figure 41: Level of risk of the equipment of the companies according to the antivirus use (%) ......80

Figure 42: Existing advanced mobile devices in the companies (%) ......82

Figure 43: Habits of use of bluetooth in the advanced mobile devices of the companies (%) ......83

Figure 44: Safety measures installed/used in the advanced mobile devices of the companies (%) ......84

Figure 45: Safety measures that the wireless networks of the companies have (%) ......85

Figure 46: Consequences derived from security incidents (%) ......87

Figure 47: Comparative international of companies according to the consequences that were derived from the undergone incidents of security (%) ......88

Figure 48: Level of impact undergone by the companies in relation to different points of view (%) ......89

Figure 49: Comparative international according to the level of impact undergone by the companies as a result of a security incident (%) ......90

Figure 50: Changes of habits in the companies due to a security incident (%) ......91

Figure 51: Method used by the companies to solve incidents in relation to the type of undergone incident (%) ......92

Figure 52: Method used by the companies to solve incidents (%) ......92

Figure 53: Method used by the companies to solve incidents in relation to the type of declared incident (%) ......93

Figure 54: Use of electronic services through Internet on the part of the companies (%) ......95

Figure 55: Comparative European according to the use of services through Internet on the part of the companies (%) ......96

Figure 56: Reasons by which the companies trust little or nothing at the time of making managements with the Public Administration through Internet (%) ......98

Figure 57: Reasons by which the companies trust little or nothing when making purchases to suppliers through Internet (%) ......99

Figure 58: Reasons by which the companies trust little or nothing when making sales to clients through Internet (%) ......100

Figure 59: Comparative European of companies that have a Web page (%) ......101

Figure 60: Reasons by which the companies trust little or nothing when making payments through Internet (%) ......102

Figure 61: Reasons by which the companies trust little or nothing the services of electronic bank (%) ......103

Figure 62: Reasons by which the companies trust little or nothing the use of the electronic signature (%) ......105

Figure 63: Reasons by which the companies trust little or nothing at the time of sending information by electronic mail (%) ......106

Figure 64: Reasons by which the companies do not make certain services through Internet (%) ......107

Figure 65: Reasons by which the companies do not have electronic invoice (%) ......108

Figure 66: Reasons by which the companies do not use the electronic signature (%) ......109

Figure 67: Information Security Indicators System (0-100 points) ......116

Figure 68: Matrix of utility of the recommendations (Cost/Impact) ......132

LIST OF TABLES

Table 1: Classification of the companies according to the norm of the European Community (in force since 1 January 2005) ......21

Table 2: Levels of sample error by size of the participant companies in the study ......27

Table 3: Distribution of the companies in the sample according to the different Autonomous Communities ......28

Table 4: Implantation of the solutions of security according to the number of equipment in which they are installed (%) ......32

Table 5: Reasons declared by the companies not to use the security tools and solutions in the computers (%) ......37

Table 6: Distribution of companies by size according to the possession of personnel dedicated exclusively to the computer science aspects (%) ......38

Table 7: Distribution of companies by size according to the valuation conducted on the acquisition of computer science material (%) ......43

Table 8: Type of configuration at the time of making backups, according to the size of the company (%) ......48

Table 9: Place where the companies store backups, according to the size of the company (%) ......49

Table 10: Servers availability, according to the size of the company (%) ......49

Table 11: Manual update frequency of their programs on the part of the companies, according to the size of the company (%) ......52

Table 12: Companies that are considered affected by the norm of protection of data according to the size of the company (%) ......53

Table 13: Level of incidents of security in the companies: declared data versus real data (%) ......68

Table 14: Average number of files infected by category ......74

Table 15: Total number of malicious files, unique variants of malware and index of repetition ......74

Table 16: TOP-5 of type of malware found according to metadata by number of equipment that lodges it ......77

Table 17: Certainty of having undergone theft of Wi-Fi, according to the size of the company (%) ......86

Table 18: Degree of confidence of the companies when they make processes with the Public Administration through Internet, according to the size of the company (%) ......97

Table 19: Degree of confidence of the companies when they make purchases to suppliers through Internet, according to the size of the company (%) ......99

Table 20: Degree of confidence of the companies when they make sales to clients through Internet, according to the size of the company (%) ......100

Table 21: Use of the Web page as a sales channel, according to the size of the company (%) ......101

Table 22: Degree of confidence of the companies when they make payments by Internet, according to the size of the company (%) ......102

Table 23: Degree of confidence of the companies when they use services of electronic bank, according to the size of the company (%) ......103

Table 24: Degree of confidence of the companies when they use the electronic signature, according to the size of the company (%) ......104

Table 25: Degree of confidence of the companies when they send information by e-mail, according to the size of the company (%) ......105
Instituto Nacional
de Tecnologías
de la Comunicación

http://www.inteco.es

http://observatorio.inteco.es
