Is Your Organization Ready? Insights from IPA’s 2024 SME Security Survey
- Matsuda
- March 25, 2025
- Reading time: 5 minutes

In recent years, all organizations have been exposed to increasingly sophisticated and complex cyberattack threats.
On February 14, 2025, IPA (Information-technology Promotion Agency, Japan) announced the results of its “2024 Survey on the Actual Conditions of SMEs.”
This report summarizes the status of cybersecurity measures taken by small and medium-sized enterprises (SMEs) that make up the supply chain against cyber incidents (security breaches caused by cyberattacks).
IPA published the preliminary version of the “2024 Survey on the Actual Conditions of SMEs” https://www.ipa.go.jp/pressrelease/2024/press20250214.html
In this article, based on IPA’s report (hereafter referred to as “the report”), we will discuss the current state of cybersecurity among SMEs in recent years.
■ Is Security Really Unnecessary?
Our company provides services that strongly protect PC terminals with two-factor authentication. In our interactions with customers, we often encounter the following situation:
The IT department representatives we speak with directly during meetings are knowledgeable about security and fully recognize the importance of implementing countermeasures. They want to introduce products immediately to prevent cyber incidents before they occur.
However, when it comes to actual implementation, they hit a wall: it’s extremely difficult to convince upper management, who hold the final decision-making authority, of the importance of security.
Perhaps some of you reading this have faced similar challenges?
This issue is not limited to SMEs, but security measures often get postponed because their benefits are not immediately visible.
Supporting this observation, the report reveals that about 70% of companies lack an organized security framework, and about 60% have not invested in security measures.
4. About 70% of companies have not established an organizational security structure.
5. About 60% of companies have not invested in information security measures over the past three terms. The percentage of companies that answered “We have not invested in information security measures” was 62.6%, up from 55.2% in the 2016 survey and 33.1% in the 2021 survey.
Furthermore, when asked why they did not invest in security measures, the majority cited:
"We don't feel it's necessary."
"We don't see the cost-effectiveness."
"It's too expensive."

In reality, even if you implement security products, they don’t directly increase sales or improve work efficiency—in fact, they can sometimes cause inconvenience.
For example, with our products, there is the effort of installing software on each PC, and since authentication devices are required at logon, users need to carry and manage these devices.
From this perspective alone, it’s understandable that security measures—which may seem to offer no visible benefit to the company—are often postponed by decision-makers.
But is security really unnecessary?
■ Cyber Incidents Are Not Natural Disasters
Unlike earthquakes or typhoons, where predicting damage is nearly impossible, cyber incidents are not natural disasters—they are always caused by humans.
2. About 50% of companies that suffered unauthorized access were exploited through vulnerabilities, and about 20% were infiltrated via other companies.
Among companies that experienced cyber incidents in FY2023 and reported “unauthorized access” (n=419), the most common attack method was “exploiting vulnerabilities (such as unpatched security updates)” at 48.0%, followed by “credential theft (ID/password)” at 36.8%. Additionally, 19.8% reported infiltration via business partners or group companies, highlighting supply chain security risks.
According to IPA’s report, most cyber incidents clearly exploit vulnerabilities (gaps in security measures).
If it becomes known that a company lacks adequate security measures, the risk of being targeted increases significantly.
Companies that haven’t experienced cyber incidents simply haven’t been attacked yet. Once they become a clear target, an incident will occur.
This is similar to news stories about rural homes that never locked their doors until a wave of burglaries hit.
Assuming “it hasn’t happened yet, so it won’t happen” is reckless.
■ What Is Lost When a Cyber Incident Occurs?
Direct damages include "data destruction" and "personal information leaks".
1. Over the past three terms, the average damage cost for companies that experienced cyber incidents was ¥730,000 (9.4% exceeded ¥1,000,000), and the average recovery time was 5.8 days (2.1% took over 50 days).
Recovering destroyed data takes significant time.
Considering that operations may halt during recovery, the actual cost is likely far higher than the reported figures.
From detecting the incident, investigating the damage, responding to inquiries from partners, and restoring systems...
The process can take days or even over 50 days.
The stress on managers and staff during this time is immeasurable.
And the impact doesn’t stop there.
The report also shows that cyber incidents affect business partners.
3. About 70% of companies reported that cyber incidents impacted their business partners.
It has become clear that when a cyber incident occurs, its impact extends beyond the companies directly affected, affecting their business partners as well.
Losing trust from partners can lead to canceled orders and lost distribution channels, severely affecting future sales.
Restoring trust takes time, and in some cases, the damage can lead to business withdrawal or even threaten the company’s survival.
■ Can Security Measures Boost Sales?
Interestingly, the report also shows that investing in security measures can lead to new business opportunities.
7. About 50% of companies that invested in security measures reported that it led to business deals.
Earlier, we noted that many companies believe security measures don’t add value.
However, this finding suggests the opposite: partners increasingly consider security measures a critical factor in risk assessment.
With frequent news of cyber incidents, more companies now view security as essential.
Additional Note
The international security standard PCI DSS v4.0 explicitly requires MFA for all access to cardholder data environments (CDE), making security measures mandatory in certain industries.
■ Summary
The report shows that many SMEs lack cybersecurity measures.
However, once a cyber incident occurs, regaining trust is extremely difficult—especially for SMEs.
Operations halt, trust is lost, and future business becomes uncertain.
For SMEs, the impact can be devastating, making robust security measures essential.
However, for small and medium-sized businesses, spending a large amount on security measures is simply not realistic.
That’s why security measures that match the scale of the organization are essential.
Our products include PC logon security software that can be easily implemented even in small-scale environments.
For example, "YubiOn WindowsLogon Standalone" is a PC logon security solution that can be introduced easily, starting from just one device. It strengthens logon with two-factor authentication as simply as locking your PC. This product is designed to be the perfect solution for small businesses or departments that cannot afford high security costs, allowing them to start immediately.
Why not begin by locking your PC first?
■ Product Links
Quick and easy implementation of two-factor authentication for PCs
[YubiOn WindowsLogon Standalone]
Smart logon with passkeys
[YubiOn FIDO Logon]
Source:
IPA (Information-technology Promotion Agency, Japan)
“Preliminary Report on the 2024 Survey of SMEs”

