Central strategies and concepts that focus on cyber security have not yet been fully developed in many companies. It is true that 78% of the companies surveyed in the “Cyber Security 2022” study by CIO, CSO and Computerwoche have an overall strategy for IT security. However, only 28% of them describe the strategy as comprehensive and detailed. The danger here is that if companies rely on existing concepts and strategies that are not complete, they may lull themselves into a false sense of security and underestimate the actual risk associated with a successful cyber attack.
Number of cyber incidents on the rise
The fact that cyber attacks have reached unprecedented levels is confirmed by a clear majority of companies. 77% say that the number of cyber incidents has increased in 2022 compared to the previous year. Companies are well aware of the growing threat posed by cyber attacks. At least, this is suggested by the fact that 65% have increased their security budget in the past year. For 21%, it has remained about the same, while 5% have reduced their spending on IT security. However, the question arises as to whether a higher budget for IT security automatically means better protection. This will only be the case if the right issues are addressed and previous weak points are eliminated.
Dangers from inside and outside
Companies continue to underestimate the potential threat posed by internal perpetrators. 56% of companies report that they have already experienced security incidents involving current or former employees. In most cases, employees do not act with malicious intent; rather, they unknowingly pass on business or access data to unauthorized persons. Firmly believing they are doing the right thing, they do not realize they have fallen for sophisticated social engineering methods.
Despite these experiences, only 18% of respondents consider internal threats to be the greatest challenge to IT security. Threats from outside the company, named by 40%, receive significantly more attention from IT security managers. With regard to internal security incidents, there is therefore a considerable discrepancy between the general perception of risk, the assessment of one’s own risk and the incidents that actually occur.
Need to catch up with Zero Trust
From an objective point of view, zero trust is a contemporary protection concept in times of hybrid work models with a mix of classic office work, home office and mobile working. In many companies, however, zero trust does not (yet) play a role. Corresponding concepts exist in less than half of the companies (46%). The proportion of companies for which the establishment or expansion of zero trust is one of the relevant IT security investments is less than 10%.
Cyber security as a permanent task
85% of companies consider themselves to be well prepared in terms of cyber security. Only 15% rate their expertise and resources as inadequate when it comes to independently identifying security incidents and initiating appropriate countermeasures. Whether handled in-house or with the help of an external partner, continuously investing time and resources in IT security will remain essential in the future to prevent damage to the company. Companies should constantly question their concepts and measures and put them to the test in order to ensure the highest possible level of cyber security.