With the increasing digitalization of processes and business models, cybercrime is becoming a real danger for many companies. The earlier assumption that only large companies were at risk has long been outdated. By now, almost every manager in a medium-sized business knows someone who has become a victim of cybercrime, if their own company has not been affected already. Accordingly, the perceived threat of cybercrime is rising sharply, as the chart below illustrates.
IT security has long since ceased to be a matter for the IT department alone (or for the external IT service provider) and has become a matter for management. Often it is not the technical system that falls victim to a cyber attack, but the employees, who open the door to cyber criminals out of ignorance or carelessness. This is confirmed by the PwC study, which classifies "poorly trained employees", in combination with the increased use of mobile devices, as the greatest security risk for medium-sized companies. A secure company has firmly anchored IT security in its corporate culture.
With increasing networking within a supply chain via Industry 4.0 technology, IT security is also gaining importance across company boundaries. It is no longer enough to secure one's own systems; what is required is a shared understanding of IT security with one's partners that encompasses the entire value chain. The Industry 4.0 platform is therefore making concrete efforts to secure cross-company communication with appropriate standards. A secure company cooperates closely with its partners to secure the systems along the supply chain.
Not to be neglected are the cases in which information security is endangered without intent or criminal background. This can happen, for example, through the destruction of data carriers (fire, water, storm) or the accidental deletion or disclosure of data. A secure company operates backup systems and is insured against such damage and its consequences.
In summary, IT security matters for the entire company and can take on an existential dimension, especially for medium-sized companies that neglect it. Prudent entrepreneurs should develop appropriate strategies at management level and implement them with the necessary resources and investment.
Why is cybercrime such a big threat?
Many entrepreneurs wonder why IT security should be a completely new kind of threat, given that crime has always existed. It is worth recalling how cybercrime works and what distinguishes it from conventional, offline crime:
1. Worldwide availability: A cyber criminal no longer needs to be physically present, but can launch an attack from anywhere with Internet access.
2. Networking: Because of the high degree of networking, an attack can come from very different directions, from your own server infrastructure and cloud services through to your supply chain partners.
3. Lack of a subjective sense of insecurity: In contrast to a real house burglary, with all its emotional consequences, a cyber attack is subjectively perceived as less dramatic.
4. Crime as a service: Even attackers who lack the skills to carry out a cyber attack themselves can now buy the corresponding services relatively cheaply.
The following chart illustrates the dilemma of IT security: services for cyber attacks are offered on the market at low prices. On the other hand, no system can be made 100% secure; appropriate security measures can only raise the effort for the cyber criminal to the point where penetrating the system is no longer worthwhile, because the expected profit no longer justifies the cost of the attack.
It is comparable to the burglary protection of a front door. Every door can be opened with the appropriate tools, so if a burglar has a specific interest in your house (for example because he wants to steal a particular work of art), he will certainly find a way in. With a door secured at several points, however, you protect yourself against the large number of "opportunistic burglars" who do not target your house specifically, but simply want to steal valuables. These burglars usually give up after 30 to 40 seconds if they have not got the door open by then.
How do I make the right decision between effort and benefit?
For IT security in medium-sized businesses, the basic principle is to secure the systems so that the effort required to penetrate them deters the large majority of cyber criminals. Particularly sensitive data or information should of course receive additional protection, just as you keep a safe at home for particularly valuable jewellery. This decision is strategic and cannot be made by the IT department alone. Rather, it is management's responsibility to define these limits together with the relevant specialist departments.
The following chart illustrates the relationship between effort and benefit (information security). Within this system, the company must define the lower security level from a risk perspective and the upper security level from a cost perspective.
For the sustainable implementation of such a system in your company, the information security management system (ISMS) approach published by the Federal Office for Information Security (BSI) is recommended. It comprises all the rules that ensure control and guidance towards achieving the company's objectives and is thus firmly integrated into the existing management system. It is important that the company's management principles anchor the security aspects and thereby make clear that information security concerns the entire company. Further important components of the ISMS are the internal resources devoted to security and the employees, who are expected to be familiar with the essential rules for IT security. In its implementation, the security process is a decisive component: it comprises the documentation and goals for information security, includes the security concept and describes the internal information security organization.
The introduction of an ISMS means a cultural change for companies. Consequently, there will be internal organizational resistance, which must be overcome in the interest of the company as a whole. It is important that the goals and agreed rules are communicated and regularly reviewed by management. The flow of information and transparent documentation are decisive factors in implementing an information security strategy. Through regular performance reviews, current developments can be taken into account for further improvement, always within the defined upper and lower limits.
Where do you start tomorrow?
Information security in a company is not a project but a permanent task, which makes it all the more important to start securing your systems now. As an entrepreneur you should be aware that this is an existential responsibility and not be deterred by the size of the task. The following steps are recommended for implementation:
Analyze your status quo with regard to data protection and cyber security with the help of the Quick Checks: https://www.vds-quick-check.de/
Define the lower and upper limits for information security in your company.
Inform yourself about consulting offers and funding opportunities for support in your region (the selection of a consultant is also a matter of trust) and start an information security project.
Look for allies, for example other companies, with whom you can exchange experience on the subject of IT security.
Discuss the topic not only with the executives but with all employees, not just once but continuously, and introduce a lasting cultural change in how IT security is thought about.