A survey of small and medium companies in Italy suggests a strong need for more focus on cyber security ahead of the EU’s General Data Protection Regulation (GDPR) coming into force next May.

A Cyber Crime Observatory run by Politecnico di Milano School of Management found only 9% of SMEs run training courses or email updates teaching staff about IT security risks.

The proportion rises to 20% of medium-small firms and 24% of larger firms.

The researchers analysed the information security systems and expenditure breakdown of 803 SMEs operating in Italy last year.

Alessandro Piva, director of the research observatory said:

“Cybercrime has grown dramatically over the past months, alongside a continued rise in ransomware, and attacks on products linked to the Internet of Things.

“Yet despite this, SMEs are not taking the threat seriously. Although 93% of SMEs report that they allocated a security budget for 2016, this does not necessarily mean that it was spent in a well-informed manner. In fact, the top reported reason for security expenditure was to comply with legislation (48%).”

Companies are struggling to look beyond the short-term and are failing to create robust, future-focused cyber security plans, Piva said, adding:

“It seems that smaller organisations don’t anticipate that they will be targeted as victims of cybercrime in the same way as, say, Yahoo in 2013, where a hack left over one billion users’ information publicly available. Yet without a contingency plan or any preventative measures, these companies are leaving themselves wide-open for potentially devastating cyber-attacks.”

Data collected by Euromonitor International this year also suggest that Italian banks and e-commerce merchants are also failing to match reductions in online fraud seen in other European countries.

Unlike the data for other European countries, the Italian data for most types of card fraud have flatlined for the past eight years, perhaps suggesting under-reporting.