Lax Cybersecurity Attitudes Persist Among German Businesses Amid Rising Threats, Warns Study by TÜV and BSI
Cyber security authorities TÜV and Federal Office issue alarm over potential unforeseen cyber risks - Cybersecurity authorities TÜV and Federal Office for IT Security issue alarm about neglected cyber dangers
German companies are displaying a concerning complacency when it comes to cybersecurity, according to a joint study by TÜV and the Federal Office for Information Security (BSI). The study points to an apparently increasing cyber threat landscape and a widespread misjudgment among businesses about their preparedness.
The study revealed that last year, 15 percent of companies experienced a cyberattack, marking a four-percent increase from the previous year. Phishing attacks were the most common. Alarmingly, despite the rising cyber threat tally, 91 percent of companies felt well-protected, assessed TÜV.
Interestingly, a majority of companies (56 percent) supported the idea of mandatory cybersecurity regulations. However, nearly half of the surveyed companies were unaware of the NIS2 directive, a law that EU foresees compulsory regulations for improved cybersecurity—a legislation yet to be implemented by the German government.
"The survey underscores the need for Germany to urgently address its cybersecurity challenges," said BSI President Claudia Plattner. Politically, there is a catch-up needed due to the delayed implementation of NIS2 directive in Germany, added Plattner, expressing concern that only half of the surveyed companies were aware of the law at all.
Critically, many companies' confidence in their cybersecurity measures might be unfounded, stemming from lack of awareness over evolving cyber risks, outdated defenses, and an underestimation of attackers' capabilities.
Several factors account for this overconfidence:
- Neglect of basic cybersecurity hygiene, such as neglecting system patches, access control, and employee training on phishing techniques.
- Cybersecurity misconstrued as merely an IT issue rather than a leadership concern, leading to insufficient prioritization of risk management and staff training.
- Smaller businesses (SMEs) with limited resources for cybersecurity investments, making them particularly vulnerable.
NIS2 directive, an EU law, aims to enhance cybersecurity across sectors by raising the security standards for important businesses, enforcing incident reporting, and mandating improved governance. In light of this, German companies face increased legal and regulatory pressure to improve their cybersecurity posture and reduce complacency towards cyber risks.
The NIS2 directive means stricter compliance requirements for enhancing cybersecurity measures, incident reporting, and governance. Meet the demands of NIS2 or face potential penalties and reputational damage, warns the directive.
The cybersecurity challenge gets more urgent amid the escalating cybercrime activity and ongoing law enforcement efforts, with cybercriminals increasingly targeting businesses with insufficient defenses.
The Commission could potentially be consulted on the NIS2 directive's implications for technology-based businesses, especially those related to the protection of workers from risks associated with radioactive substances, given the increasing attention on cybersecurity and the need for improved governance.
In the wake of the NIS2 directive, there is a growing need for German businesses to prioritize technology investments in cybersecurity, focusing on areas like system patches, access control, and employee training, to ensure compliance and mitigate risks amid the rapidly evolving cybersecurity landscape.
