Security awareness must be raised at all levels
Cyber risks are high on enterprises' agendas as IT security incidents pervade media headlines. Nevertheless, it would be wrong to regard IT security awareness as sufficient or satisfactory. A look at current sensitization in security matters reveals many shortcomings.
Cyber risks are companies' biggest concern but receive insufficient attention
At first glance, it's good news for security managers: Cyber threats will be companies' biggest concern worldwide in 2022, according to the Allianz Risk Barometer 2022. Threats of ransomware attacks, data breaches and IT failures preoccupy enterprises even more than disruptions in business / supply chain, natural disasters or the Covid-19 pandemic which severely affected all enterprises last year. The main reason for this is an increase in ransomware attacks, rated by survey respondents (57 percent) as the biggest cyber threat for the coming year. Respondents acknowledge the need to improve safety precautions and plan for future breakdowns, to avoid facing increasing repercussions from regulators, investors and other stakeholders.
However, security measures do not sustainably reflect concerns of becoming a victim of cyber attacks. There are many clear signs of this.
Security budgets are still too low, security training is still too infrequent
Despite rising cyber risks in times of home office and the COVID-19 pandemic, many companies have failed to respond to the threat situation as one would expect. For example, an economic survey conducted by the BSI (German Federal Office for Information Security) has shown that more than 50 percent of companies invest less than ten percent of IT budgets in cybersecurity. However, the BSI recommends investing up to 20 percent of IT budgets in security. Even relatively cost-effective security measures such as emergency drills or the principle of "IT security as top priority" are not sufficiently implemented, according to the BSI. "IT security is not yet sufficiently represented in the budgets, processes and mentalities of companies," explains Arne Schönbohm, President of the BSI.
The digital association Bitkom also reports that enterprises' security measures do not reflect the threat situation despite a clear awareness of it. In the course of the COVID-19 pandemic, protection of cloud applications has become particularly important. They are often needed to enable employees to work from home.
However, many companies in Germany do not use suitable security measures, according to Bitkom: Although 60 percent rely on tap-proof voice communication, only 46 percent rely on advanced procedures for user identification – such as logging into a device using two-factor authentication. 43 percent protect themselves against data leakages from within, 42 percent separate network access for customers and business partners, and 41 percent encrypt their mail traffic. "Many safety measures can now be easily implemented and integrated into everyday work with little lead time. Despite this, their use is increasing very slowly. Although growth here is basically a positive signal, companies should not lose any time in enhancing their security," comments Dehmel, Bitkom's managing director.
Users are also worried but do not act accordingly
IT-security surveys such as those by the digital association Bitkom clearly reveal a discrepancy between fear of cyber threats and actual measures, not only at the enterprise level. This is also evident at the user level:
On one hand, there is the experience with cybercrime. Eight out of ten people (79 percent) have been affected by online crime in the past twelve months. Only a small minority of 21 percent say they have had no such experiences.
On the other hand, confidence in Internet security is rising. According to Bitkom, trust in Internet data security is increasing from year to year: Three out of ten Internet users (29 percent) consider their personal data in the Internet to be safe.
A document on this subject is available in German. Would you like to read it? Switch to the German view.
