• Only 13 per cent of organisations rely on dual-factor authentication systems that verify identity through two unrelated steps
• 19% of companies have not established a clear strategy for identifying application and infrastructure vulnerabilities and risk being caught unprepared.
• Regarding data protection, only 27% use Identity & access management solutions to manage and monitor user access to critical infrastructure, applications and data
• The sector that pays the most attention to security in customer interactions is banking

Rome, 4 April 2023.- The digitalisation of the relationship with their customers makes it increasingly necessary to implement security systems that provide consumers with the same level of trust they would have through physical sales channels. However, Italian companies still have a long way to go to offer a secure interaction with their customers. This is one of the main conclusions of the report 'The digitisation of sales in Italy', produced by Minsait in collaboration with the Osservatori Digital Innovation of the Politecnico di Milano.

According to the report, securing digital identity and protecting access to online channels is still not a priority for Italian companies. 73% of Italian companies with online channels say they rely on single factor authentication systems. Only 13% of organisations rely on systems based on a dual authentication factor, which verify identity through two unrelated steps (e.g. password and biometrics). Finally, only 2% of companies have implemented adaptive authentication systems, capable of measuring the level of risk and only inserting a second security step if necessary.

On the security side of cloud infrastructures and applications, there is, on the other hand, a good level of attention among organisations in searching for vulnerabilities that may allow malicious actors to access corporate systems. 33% of companies rely on application security tools in the form of Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST), while 13% prefer Vulnerability Assessment (VA) and Penetration Test (PT) tools. Thirty-five per cent of the sample performs periodic assessments using all these methods in different ways. The remaining 19 per cent of companies have not established a clear strategy for identifying application and infrastructure vulnerabilities and risk being caught unprepared.

Regarding data protection, 82 per cent of organisations use backup and recovery solutions to protect their data, while 56 per cent use Data discovery & classification solutions to identify and classify data by assigning different security requirements to it. 52% of organisations use Data masking solutions to mask sensitive data through anonymisation or encryption techniques. Only 27 per cent use Identity & access management solutions to manage and monitor user access to critical infrastructure, applications and data.

An impetus to equip themselves with data security solutions also stems from the need for compliance with the requirements imposed by the regulations: 83% of Italian companies have completed their projects to comply with the GDPR, the reference regulation for the protection of personal data, and a further 10% state that they are in the process of adapting, despite the fact that the full applicability of the regulation dates back to 2018.

"Equipping oneself with digital security technologies, methods and processes does not only mean protecting the sensitive data and information assets of organisations, but also gaining the trust of consumers who feel safe interacting with companies through digital sales channels," said Sergio Scornavacca, Cybersecurity Director of Minsait in Italy and Director of Net Studio, the Group's company specialising in Cybersecurity, Digital Identity and Access Management.

Sector comparison

The sector that pays the most attention to security in customer interactions is the banking sector. 55% of companies in this sector have dual-factor authentication systems (compared to 13% of the average) and are experimenting more widely with the implementation of adaptive authentication systems (13% compared to 2% of the average). Public administrations and healthcare companies, partly driven by regulatory obligations, have also secured user access to online portals: 79% of PAs and 70% of healthcare facilities offer customers the possibility of accessing either through proprietary credentials or through national digital identity systems (such as SPID and CIE).

As far as security assessment activities are concerned, the most virtuous sectors are Banking and Insurance and Utilities: in both cases, all companies carry out regular vulnerability detection activities applying different modalities. Sectors that are more deficient in this respect are the Manufacturing and Telco and Media sectors, where activities carried out on a one-off basis are preferred. Even in the PA there is an insufficient level of attention to the subject: 37 per cent of organisations seem not to have established a clear strategy for identifying application and infrastructure vulnerabilities.

The sectors most concerned about regulatory compliance are also those characterised by the greatest regulatory pressure, i.e. the banking and energy & utilities sectors. The public sector is also seeing a very high adoption of the GDPR regulation, with 99 per cent of PA and healthcare facilities claiming to have completed their compliance processes.

The report 'The Digitisation of Sales in Italy' provides an overview of the cybersecurity measures implemented by the 602 leading Italian companies involved in terms of authentication, infrastructure and application security, data protection and regulatory compliance: https://www.minsait.com/en/news/insights/digitization-sales-italy