In September 2018, Sopra Steria Consulting and the F.A.Z.-Institut conducted an online survey of 308 specialists and decision-makers from various industries. The survey focused on experiences, measures and challenges relating to IT strategies and cyber attacks within the respondents' own companies. The results show that there is still too much carelessness in dealing with cyber security. Conversely, companies with a high level of security awareness suffer from a shortage of skilled personnel in their search for suitable specialists. An increase in security budgets is on the agenda for most companies.
Half of all companies suffered financial losses due to the high threat situation and the trend towards blackmail.
For the newly published "Potential Analysis Protecting Companies, Minimizing Risks", decision-makers from the water and energy supply, insurance, banking and financial services, public administration, media and telecommunications, automotive and manufacturing sectors were interviewed. According to the survey, every third company has been the victim of a cyber attack in the past twelve months. The highest threat was malware (82%), followed by e-mail spam (68%), data leaks (67%) and IT system failure (64%). It is worrying that 44% of all companies were confronted with criminal blackmail. As a result, 52% of the companies and authorities surveyed suffered financial losses. In addition to image losses (13%), there were also losses in service quality or damage to products (17%).
Technology available – there is a need to catch up on security strategies
IT security does not fail due to a technical malfunction. There is a lot of catching up to do, especially in the implementation of strategic security measures.
The survey showed that 59% of all authorities and companies already have an IT security strategy in place. This means that in 41% of all cases a corresponding package of measures is still missing. 19% of companies and authorities want to end this situation in the medium term and are therefore working on an IT security strategy. In 10% of cases such a strategy is planned, and 4% see no need at all. Even though 76% of all bosses are now aware of the issue of cyber security, digital carelessness remains a problem. After all, 36% of the management see only a low risk of becoming a victim of cyber attacks.
For many decision-makers, the new EU GDPR was the first occasion for security retrofitting. In this context, 72% have invested in protective measures against data loss. A look at the internal measures taken by companies in the last three years reveals a striking trend: only 26% have introduced a prevention system and 32% have implemented case management for security incidents. The most common measure introduced was authorization management (57%).
Too tight a budget, neglect of employee training and lack of skilled workers are the main problems.
According to the potential analysis, only 47% of all employees are sensitized to the problem of cyber security. Nevertheless, in the past three years only 36% of all surveyed authorities and companies offered an internal security awareness campaign for their employees. The most important reason: one in four companies has to make do with a budget for IT security that is too tight. Investments in employee training often fall by the wayside. Budget problems, however, have another consequence. The CISOs in 67% of all authorities and companies can hardly cope with the security challenges without external help. The cause: IT infrastructures are constantly growing in complexity. IT security specialists are urgently needed. But this is where the shortage of specialists has a double effect. On the one hand, IT experts need to be found. On the other hand, security budgets lack the necessary volume to finance skilled workers.
Higher budgets for IT security are indispensable
To meet the challenges, higher security budgets are essential. Accordingly, more than half of the decision-makers surveyed (56%) assume that the investment volume for IT security will increase by 2021. One in four managers expects continued spending on protecting corporate data and fighting cyber attacks. Above all, employee awareness and the recruitment of required IT security specialists are high on the agenda, because the human factor is currently the biggest problem in overcoming security gaps.