With around 53%, more than half of German businesses stated that they had become the victim of data theft within the last two years. Small and medium-sized enterprises with under 500 employees were especially affected, with almost 70% having lost sensitive data. “Companies need to do much more to ensure their digital security. The study shows that the risk to companies in all industries and of any size is real. Anyone can be the victim of espionage, sabotage, or data theft,” explains Bitkom President Achim Berg.
In comparison to the last survey conducted in 2015 (we reported), the number of affected businesses is still rising (from 51 to 53%), while the financial damage has increased even more significantly from 51 to 55 billion euros, or an increase of approximately 8%. The fact that only about every third company reports attacks to the authorities is also cause for concern. Many of the companies that refuse to report attacks fear that doing so could cause damage to their company’s image.
The results also show that there is still a lot of catching up to do in the area of personnel security. While almost all companies protect their data by means of technical and organisational counter-measures such as firewalls, virus scanners and access rights, only about half of the companies stated that they appoint a security officer (54%) or train employees on important security issues (53%). “Considering the fact that attacks are often carried out by current or past employees, such negligence in staff training is surprising. In this area the security of any business could be significantly improved with comparatively little effort and in a very short time,” Berg continues.
In order to ensure the appropriate protection of a company’s know-how a comprehensive security concept is required. “In the sense of holistic and sustainable economic protection, we must focus not just on IT-related measures but also risk minimisation plans in areas such as organisation, personnel and the raising of awareness,” emphasised Dr. Hans-Georg Maaßen, President of the Federal Office for Constitutional Protection. Companies should also not be afraid to turn to state authorities and, for example, file complaints against attackers.
1. Business Management
- Raise the awareness of management on the need for data protection
- Develop company-specific protection strategies at management level
- Implement the use of a security officer
2. IT Departments
- Strengthen basic protection by means of dedicated encryption and attack detection
- Stronger monitoring of networked devices and detection of anomalies (security information event management)
- Use of preventive rather than reactive protective mechanisms (security by design)
- Define stricter rules regarding the handling and operation of portable devices
3. Business Organisation
- Establish risk management strategies to identify external risks and internal weaknesses at an early stage
- Stricter control of access rights to data as well as to sensitive physical areas
- Develop emergency management plans to respond rapidly in case of a crisis
4. Personnel Security
- Establish a security culture as well as training/raising awareness among employees
- Employ IT experts with hands-on production know-how
- Define stricter rules for protection against data theft during business travels abroad
5. Security Certifications
- Pursue relevant safety certificates
