Cybercrime has been one of the dominant topics in the media for years. As recently as May 2024, Federal Minister of the Interior Nancy Faeser, together with the BSI and BKA, presented the current "Federal Cybercrime Situation Report". In the report for 2023, they come to the joint conclusion that the threat of cybercrime is higher than ever before. Criminals are increasingly focusing on small and medium-sized companies for purely cost-benefit reasons: they can assume that these companies' IT defenses (also known as cyber resilience) are significantly weaker, i.e. they can reach their target much faster with much less effort. Technological progress also benefits them - advanced language models and artificial intelligence not only open up new possibilities for cyber attacks, but also optimize tried and tested attack methods: fraudulent emails (also known as phishing), for example, can hardly be recognized as such thanks to error-free formulations and ever-improving research options. A study by the industry association bitkom e.V. confirms that 62 percent of companies in Germany now feel threatened by cyber attacks.
However, the immense importance of IT security in companies is based on a variety of factors: In addition to protection against cybercrime, compliance with legal regulations, protection against data loss, avoiding economic damage, ensuring the continuity of business operations and maintaining trustworthiness and reputation all play a central role.
Various laws and regulations already require companies to take appropriate security precautions and define certain measures to be taken in the event of a security incident. These include, among others, the General Data Protection Regulation (GDPR), the NIS2 Directive and the Cyber Resilience Act, as well as various industry-specific regulations, violations of which can result in severe penalties. When it comes to data loss, cybercrime is just one of the possible causes. Force majeure events - such as power outages or natural disasters - as well as internal company threats, such as accidental data deletion by employees, must also be considered as causes of data loss and avoided by taking appropriate measures.
But what damage does a company actually face in the event of cyberattacks, data loss and the like? The economic damage caused by IT security incidents can threaten a company's very existence, as not only the direct costs of rectifying the incident, but also the costs of lost business and recovery have to be borne. In addition, the risk of customer churn due to cyber incidents that damage trust and reputation should not be underestimated. In the worst-case scenario, companies may be able to cope with the short-term financial damage, but will still have to cease business operations due to a drop in customer demand in the medium term.
IT security is therefore no longer a nice-to-have, but an absolute must-have. But what is the right way to tackle the major topic of IT security? First of all, the good news: every step, no matter how small, strengthens your company's defenses and thus increases its IT security. For a holistic IT security strategy, the topic can be reduced to three fields of action: Technology, Organization, People - TOM for short.
Actively improve the body's defenses
A secure IT infrastructure forms the basis for a company's IT security, as existing technical vulnerabilities and security gaps open the door to cyber criminals. Bringing people and technology into harmony - this is the task of organizational IT security, whose measures primarily include defining the IT security strategy and regulating processes through security-enhancing guidelines. Last but not least, people - according to an IBM study, a whopping 90 percent of all security incidents can be attributed to human error. Investing in training and raising staff awareness of IT security risks can therefore be considered one of the greatest levers for increasing IT security.
Detailed information on the topic and many practical tips for deriving individually suitable cyber resilience measures can be found in the whitepaper by the IT experts at axilaris GmbH, based in Chemnitz.