IT security: a matter for the boss or a security department?


Sophos surveyed company managements in the DACH region (Germany, Austria, Switzerland) in the retail, service and manufacturing sectors about the importance of IT security. One finding concerns company size: the larger the company, the further the topic is removed from the CEO.

There are numerous good reasons for strategically declaring the security of data in companies and organizations a top priority: the increasing complexity of corporate IT, data protection regulations, working from home, mobile working and the integration of IoT (Internet of Things); prominent cyber attacks on large companies and the influence of hacker groups on political developments; and targeted cyber attacks on critical infrastructures or vulnerable sectors such as healthcare. These are just a few examples; the list is long. Increasingly, therefore, specialist circles are calling for the protection of corporate IT to be made a management issue.

Importance of IT security for the CEO

But how important is the topic of IT security at the top of the executive floors of German, Austrian and Swiss companies? How high do company managements rate the risk of cybercriminal attacks, and which consequences of hacker attacks for operational business do they consider most likely? Does the current global political situation have an impact on perception and decisions regarding IT security?

The IT security company Sophos set out to answer these and a number of other questions in a broad-based study. In the early summer of this year, the opinion research institute Ipsos surveyed senior and top executives (C-level) in the three countries. IT staff were expressly excluded.

Key findings from the study

  • IT security is not a top priority in Germany. The IT departments are responsible. A third of the companies rely on external IT services.
  • The global political situation and war have little impact on managers' security awareness. Only a third see the current geopolitical situation as sharpening their focus on IT security.
  • The executive floors feel safe when it comes to IT security. The majority state that they have been well prepared for a long time.
  • C-level managers expect cyber attacks to have economic consequences in particular. The focus is on restoration costs or disruptions to commercial processes. Very few expect the loss of customers and employees or possible failures in the supply chain.
  • Companies in Germany, Austria and Switzerland show very similar results.

IT security is not a matter for the boss - IT is a duty

🔎 Survey: Is IT security a matter for the boss? (Image: Sophos).

The vast majority of managers surveyed (around 81 percent) state that they have a high to very high awareness of IT security. According to the information provided by all those surveyed, in the majority of companies (over 60 percent) IT security has been placed at a higher or the highest hierarchical level within the past three years.

An interesting contradiction is revealed here, because when it comes to the question of actual responsibility for IT security, a different picture emerges, and it is the expected one: the larger the company, the less responsibility the management level holds. This applies above all to companies with more than 200 employees, where only 1.9 percent of those surveyed stated that IT security is located at management or board level. This value is significantly higher in smaller companies with up to 199 employees and in retail, where the boss is still personally involved at around 22 percent.

In 49.1 percent of larger companies, the main responsibility for cyber security lies with their own IT department; 36.5 percent of smaller companies likewise assign it to their own IT teams. With 35.8 percent of the larger and 33.1 percent of the smaller companies, a good third of all companies transfer responsibility for their IT security to external service providers.

Little Ukraine effect – you think you are safe

Of course, Sophos was also keen to find out whether and to what extent the perception and importance of IT security had changed over the past two years in view of the global political situation and the current war in Europe, which was being waged at the cyber level years before the actual military conflict. 23 percent of those surveyed from companies with more than 200 employees and almost 36 percent from smaller companies confirmed that cyber security had become even more important.

  • However, the majority of people seem to feel very safe anyway: 53 percent of the smaller and even almost 70 percent of the larger companies state that nothing has changed in terms of awareness of the topic of cyber security in the last two years and that they were already well positioned.
  • There is also satisfaction with regard to the existing IT security structures in the company: 62.2 percent state that their company is well to very well protected against cyber attacks; for decision-makers under 45 years of age this value is even 2.5 percentage points higher.
  • A good 58 percent consider a cybercriminal attack on their company to be likely to very likely, while almost 39 percent consider this case rather unlikely.

Cyber attack consequences: additional costs

With regard to the consequences of a cyber attack, the most frequently mentioned concern in German executive floors is the resulting costs, for example due to the necessary restoration of business operations. Possible interruptions to commercial processes are the second most common focus.

An interesting aspect here: Overall, even fewer respondents (23 percent) suspect problems in the context of the supply chain than a possible loss of image (28 percent). In the manufacturing industry alone, and this is not a big surprise, almost 37 percent of those surveyed assume that the supply chains could possibly be affected.

The leaders, on the other hand, attach little or no importance to the loss of customers or employees as a result of cyber attacks: 19.4 percent expect to lose customers and even fewer (1.5 percent) fear losing employees.

Insolvency (9.5 percent) and fines due to data protection violations (5.5 percent) are also hardly seen as risks; only in Switzerland is there a little more concern here: almost 22 percent expect insolvency and 11.8 percent expect fines as possible consequences of cyber attacks.

Conclusion: internationally (unfortunately) a similar picture

"The results in the DACH region, while disappointing, are consistent with what we are seeing in North America, ASEAN and other regions," said Chester Wisniewski, Principal Research Scientist at Sophos, commenting on the study's results. "Unfortunately, when security is managed as part of IT, it is usually relegated to the status of a task rather than a priority. The security team's role is to identify risks and help the board prioritize those risks, while the IT department's role is to implement the necessary changes based on how those risks are to be addressed."

With regard to the importance of IT security against the background of the global political situation, there seems to be unanimous composure worldwide. Wisniewski: "The war in Ukraine hasn't really changed attitudes, apart from critical US infrastructure. The U.S. CISA agency has increased efforts to improve security awareness and, in some cases, reporting requirements for critical infrastructure vendors, but no major concerns or actions are seen outside of the U.S. or within other private sector organizations."

About the poll

On behalf of Sophos, Ipsos surveyed 201 C-level managers from trade, services and manufacturing in Germany and 50 each in Austria and Switzerland on the subject of IT security in their companies.

More at Sophos.com
