DACH survey on IT security
Sophos Cybersecurity, Survey, IT-Security
There are numerous good reasons for companies and organisations to make data security a strategic top priority. They range from the increasing complexity of corporate IT, data protection regulations, home offices, mobile working and the integration of IoT (Internet of Things), through prominent cyberattacks on large corporations or the influence of hacker groups on political developments, to specialised cyberattacks on critical infrastructure or vulnerable sectors such as healthcare. These are a few randomly chosen examples; the list is long. It is increasingly demanded, even by experts, that corporate IT protection be made a management issue.
But what significance does the topic of IT security actually have at the very top, in the executive suites of German, Austrian and Swiss companies? How high do company managements estimate the risk of cybercriminal attacks, and what consequences of hacker attacks for the operative business are they most likely to expect? Does the current global political situation have an influence on perceptions and decisions regarding IT security? These and a number of other aspects are what IT security company Sophos wanted to find out in a broad-based study. In the early summer of this year, the opinion research institute Ipsos surveyed senior managers (C-level) in the three countries. IT personnel were explicitly excluded.
Higher up, but still: IT security is not
a matter for the boss. IT has a duty.
The vast majority of managers surveyed (around 81 per cent) said they had a high to very high awareness of IT security. According to all respondents, the majority of companies (more than 60 per cent) have also moved IT security to a higher or the highest hierarchical level within the past three years.
This reveals a contradiction, because when respondents are asked about the actual responsibility for IT security, a different, though expected, picture emerges: the larger the company, the less responsibility is borne by the management level. This is especially true for companies with more than 200 employees, with only 1.9 per cent of respondents stating that IT security is located at management or board level. For smaller companies with up to 199 employees and in the retail sector, this value is significantly higher, with around 22 per cent of the bosses personally involved.
In 49.1 per cent of the larger companies, the main responsibility for cybersecurity is borne by the companies' own IT teams, and in 36.5 per cent of the smaller companies their own IT teams are also responsible. With 35.8 per cent of the larger and 33.1 per cent of the smaller companies, a good third of all companies also transfer the responsibility for their IT security to external service providers.
Little Ukraine effect:
German CEOs feel confident about IT security
Of course, Sophos was also interested to find out whether and to what extent, in view of the global political situation and the current war in Europe, which was already raging on a cyber level long before the actual …, the perception and importance of IT security have changed within the last two years. On this, 23 per cent of respondents from companies with more than 200 employees and almost 36 per cent of smaller companies confirmed that cybersecurity had become even more important.
The majority, however, apparently feel very secure anyway. 53 per cent of the smaller and almost 70 per cent of the larger companies state that their awareness of cybersecurity has not changed in the last two years and that they were already well positioned for this. The same holds with regard to the existing IT security structures in the company: 62.2 per cent say that their company is well to very well equipped against cyberattacks. Among decision-makers under 45 years of age, this value is even 2.5 percentage points higher. A good 58 per cent consider a cybercriminal attack on their company to be probable to very probable, while just under 39 per cent consider this to be rather unlikely.
Cyberattack consequences: Additional costs are the biggest concern,
Supply chain and workforce hardly
With a view to the consequences of a cyberattack, the most frequently cited concern in German executive suites is the costs incurred, for example due to the need to restore business operations. Possible interruptions to commercial processes are the second most frequent focus of attention. An interesting aspect here is that problems in supply chains are suspected by fewer respondents (23 per cent) than a possible loss of image (28 per cent). Only in the manufacturing industry, and this is no great surprise, do a total of almost 37 per cent of respondents assume that the supply chains could possibly be affected. The loss of customers or employees as a result of cyberattacks, on the other hand, is of little to no significance: 19.4 per cent expect customer losses and even fewer (1.5 per cent) fear losing employees. Insolvency (9.5 per cent) and fines due to data protection violations (5.5 per cent) are also hardly seen as risks. In Switzerland, almost 22 per cent expect insolvency and 11.8 per cent expect fines as possible consequences of cyberattacks.
Chester Wisniewski:
Internationally (unfortunately) a similar picture
"The results in the DACH region are disappointing and are in line with what we are seeing in North America, ASEAN and other regions," says Chester Wisniewski, Principal Research Scientist at Sophos, commenting on the results of the study. "Unfortunately, when security is managed as a IT, security is typically relegated to the status of a task, rather than being a priority. The role of the security team is to identify risks and help the board to prioritise these risks, whereas the IT department is tasked with implementing the necessary changes, depending on how those risks are to be addressed."
In terms of the importance of IT security against the backdrop of the global political situation, there also seems to be unanimous serenity around the world. Wisniewski: "The war in Ukraine has not really changed attitudes, apart from the critical US infrastructures. The US CISA agency has stepped up its efforts to improve security awareness and, in some cases, the reporting requirements for critical infrastructure providers, but outside the US or in other private sector companies, there have been no major concerns or actions evident."
About the survey:
Ipsos, on behalf of Sophos, surveyed 201 C-level managers from the retail, services and manufacturing sectors in Germany and 50 each in Austria and Switzerland about IT security in their companies.