Digital carelessness? IT security is a matter for the boss!
In the past two years, companies in Germany have suffered losses of €100 billion as a result of cybercrime attacks. This is the conclusion of a study by the Bitkom digital association. Furthermore, in a brochure on cybercrime published in 2016, the Federal Criminal Police Office complained that “although companies invested more heavily in preparatory awareness-raising and training measures, a large number of the companies surveyed continue to find a high level of negligence (88 percent) and a lack of understanding of risk (77 percent) amongst their employees.”
There is also good news, however: at the executive level of German companies in particular, a change in thinking can be observed, at least as IT security experts see it. For the “Digital Security Potential Analysis”, we interviewed a total of 205 IT decision-makers from companies with 500 or more employees in April 2017. 38 percent believe that board members and managing directors will continue to play down the danger of cyber-attacks in 2017. Two years ago, one in two IT managers complained that the risks were being underestimated.
Digital carelessness is therefore on the decline in German companies. Nevertheless, it remains essential that IT security, and the prevention of and fight against cybercrime, are given greater weight in the minds of senior management. After all, one in four IT decision-makers would like to see a greater aversion to risk amongst their managers. Just as many call for greater awareness that it is not only large organisations and certain industries such as banks that can become the target of cybercriminals, but practically any company.
These requests and demands are justified. As companies undergo digitisation and increasingly network via the Internet and the cloud, their vulnerability grows: data theft, espionage, sabotage and blackmail present a threat to all industries, public institutions, and critical infrastructures such as power plants, telecommunications networks or hospitals.
There is no alternative to digitisation and networking: they help companies to remain competitive. Nonetheless, many organisations are pushing ahead with the digitisation of their business and production processes without paying enough attention to security. What matters here is not only the technical solutions from the IT departments, but also the level of knowledge and risk awareness in company boardrooms.
IT security is a strategic task for businesses
Cybersecurity must therefore be (or become) a matter for the boss. There will always be both internal and external attacks, so the willingness and the ability to react are a top priority. The continuity of business operations must be ensured even in the event of serious security incidents. Managers should ask themselves what risk management, contingency plans and responsibilities are in place, and should regularly get an overview of the current situation. IT security also belongs on every executive board agenda whenever investments in new technologies are decided.
In order to avoid misplaced investments and to influence the (re-)design of company-wide security guidelines in a targeted manner, it is necessary to be able to realistically assess the statements of internal employees concerning the security situation. Overconfidence in terms of IT security is one of the greatest threats to operational and data security and is still widespread.
Appearances can be deceiving
Numerous studies have shown that managing directors in particular often see their company as much better equipped to deal with internal security breaches and external attacks than it actually is. In many companies, there is a wide gap between the real level of resilience and a threat that is becoming increasingly serious, both in terms of the severity of the attacks and the nature of the attackers.
Measures driven by corporate management provide a remedy: these include targeted investments in intelligent threat detection, predictive data analysis and incident response solutions. Although these approaches do not offer 100% security, they substantially reduce both the likelihood of damage and the consequences of serious security incidents.
Digitisation doesn’t just raise questions; it is also part of the answer
Digitisation doesn’t just create new threat scenarios for which companies must find a strategic answer. Digitisation is also an important part of that answer. For example, pattern recognition applied to large volumes of data (a core strength of artificial intelligence) can detect atypical deviations from normal behaviour, and hence potential attacks from outside, and repel them on an increasingly automated basis.
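The “atypical deviation” idea above is easier to judge once you see the mechanics. The following is an added example written for this edition, not code from Bitkom, the study or any vendor: it parses sshd-style failed-login lines, builds an hourly baseline with a robust statistic (median plus a multiple of the median absolute deviation, so one outlier does not drag the baseline up), and flags hours whose failure count exceeds that baseline, naming the source that dominates the burst. The log lines, the IP addresses, the six-hour baseline window and the multiplier k=5 are all constructed assumptions for illustration.

```python
"""Baseline-and-deviation detection over constructed authentication log lines.

Added example; not part of the original article. The log format mimics OpenSSH
sshd messages, the addresses are documentation ranges, and the thresholds are
illustrative assumptions, not recommended production values.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Matches e.g. "2017-04-03T08:00:15 sshd[1042]: Failed password for alice from 192.0.2.10 port 50000 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def constructed_log():
    """Build a constructed (not real) day of sshd lines: quiet hours, then one burst."""
    # (hour, number of failures, source address); 203.0.113.7 only appears in the burst.
    spec = [(8, 2, "192.0.2.10"), (9, 3, "192.0.2.11"), (10, 2, "192.0.2.10"),
            (11, 4, "192.0.2.12"), (12, 3, "192.0.2.11"), (13, 2, "192.0.2.10"),
            (14, 2, "192.0.2.12"), (14, 20, "203.0.113.7")]
    lines = []
    for hour, n, src in spec:
        for i in range(n):
            lines.append(f"2017-04-03T{hour:02d}:{i * 2:02d}:15 sshd[1042]: "
                         f"Failed password for alice from {src} port 5{i:04d} ssh2")
    # A successful login line: must be ignored by the parser.
    lines.append("2017-04-03T09:05:00 sshd[1042]: Accepted publickey for bob from 192.0.2.11 port 50001 ssh2")
    return lines


def parse_failures(lines):
    """Yield (timestamp, user, source) for every failed-login line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def hourly_sources(events):
    """Map each hour start to a Counter of failures per source address."""
    per_hour = defaultdict(Counter)
    for ts, _user, src in events:
        per_hour[ts.replace(minute=0, second=0, microsecond=0)][src] += 1
    return per_hour


def robust_threshold(baseline, k=5.0):
    """median + k * MAD. A zero MAD (perfectly flat baseline) would flag any change at all,
    so fall back to a fixed absolute margin of 3 in that case."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    return med + (k * mad if mad > 0 else 3.0)


def detect_bursts(lines, baseline_hours=6, k=5.0):
    """Learn the baseline from the first `baseline_hours` hours, then flag later hours
    whose total failure count exceeds the robust threshold."""
    per_hour = hourly_sources(parse_failures(lines))
    hours = sorted(per_hour)
    if len(hours) <= baseline_hours:
        return []  # not enough history to say what "normal" looks like
    baseline = [sum(per_hour[h].values()) for h in hours[:baseline_hours]]
    threshold = robust_threshold(baseline, k)
    bursts = []
    for h in hours[baseline_hours:]:
        total = sum(per_hour[h].values())
        if total > threshold:
            src, n = per_hour[h].most_common(1)[0]
            bursts.append({"hour": h.isoformat(), "count": total, "threshold": threshold,
                           "top_src": src, "top_src_count": n})
    return bursts


if __name__ == "__main__":
    for b in detect_bursts(constructed_log()):
        print(f"{b['hour']}: {b['count']} failures (threshold {b['threshold']}), "
              f"mostly from {b['top_src']} ({b['top_src_count']})")
```

Two design points worth noting. The baseline is deliberately robust rather than a plain mean, because an attacker who has already been hammering the host would otherwise raise the mean and hide a second burst; and the training window is fixed here only for clarity, whereas a deployed detector would use a rolling window so that yesterday’s burst does not become today’s “normal”.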
Digitisation is also the method of choice for responding flexibly to changing and novel attack scenarios. Companies should aim for an IT security management system that is as digitised and dynamic as possible, one that keeps the organisation adequately protected at all times by itself identifying, implementing and monitoring its security objectives. This is a technical task for corporate IT, but it will not succeed without the leadership of management.