In only a quarter of German companies does management take responsibility for IT security. This is especially the case in smaller companies. The larger the company, the less often the bosses feel responsible.
Whether small and medium-sized companies or corporations: In only 25 percent of German companies does the management take responsibility for IT security. This is proven by the representative study “Cybersecurity in Numbers” by G DATA CyberDefense AG, Statista and brand eins.
Cyber attacks on companies and institutions cause high costs and illustrate the importance of extensive IT security measures. With the NIS-2 directive coming into force in October 2024, the executive floor is no longer allowed to delegate IT security.
NIS-2 increases the pressure and makes management responsible
Should IT security be a top priority? Definitely! Due to the increasing digitalization of work and production processes in companies, cybersecurity is no longer a sideshow and should be a top priority for company management. Cyber attacks are very expensive and quickly become life-threatening. According to the representative study “Cybersecurity in Numbers” by G DATA CyberDefense, Statista and brand eins, management most often transfers responsibility for security precautions against cyberattacks to the IT department. In only a quarter of German companies, management sees the need to be responsible for implementing and maintaining protective measures themselves. With NIS-2 at the latest, the pressure on many board members will increase and they will be legally obliged to take the issue of IT security seriously. If they fail to comply, they may also be held personally liable.
“IT security is by law a top priority,” explains Tim Berghoff, Security Evangelist at G DATA CyberDefense. “The NIS 2 guideline also makes management directly responsible and no management or board can shift this responsibility. If those responsible do not take the implementation and monitoring of IT security measures seriously, they are personally liable and violations also result in high fines.”
Small business leaders are more likely to make IT security a priority
The exclusive survey also shows that the larger a company is, the less responsibility lies with top management. Only one in ten companies with 1,000 or more employees has management responsible for IT security. This is fatal with regard to NIS-2. And time is running out. What is surprising, however, is that in 40 percent of small companies with fewer than 50 employees, responsibility for IT security already lies with the management or board of directors. Nevertheless, there is also an acute need to catch up among small companies, because in three out of five small companies IT security is not yet a top priority. There is an urgent need to catch up on this because the boardroom plays a key role in establishing a security culture in the company.
Study "Cyber Security in Numbers"
“Cybersecurity in Numbers” is characterized by a high level of information density and particular methodological depth: Statista’s researchers and market researchers have brought together numbers, data and facts from more than 300 statistics into a unique complete work. More than 5,000 employees in Germany were surveyed as part of a representative online study on cybersecurity in professional and private contexts. The experts at Statista closely monitored the survey and, thanks to a sample size that is well above the industry standard, are able to present reliable and valid market research results in the “Cybersecurity in Numbers” issue.
What does the NIS 2 directive mean for companies?
With NIS-2 (“Network and Information Security” Directive), security standards will apply across the EU for many companies and organizations in 18 critical sectors from October 18, 2024. This is intended to ensure a higher and uniform level of IT security in the EU. Highly critical sectors such as energy and public administration are particularly affected, but also providers who produce, process and sell food, for example.
About G Data
With comprehensive cyber defense services, the inventor of antivirus enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: With over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a “no backdoor” guarantee with the “IT Security Made in Germany” seal of trust from TeleTrusT e.V. G DATA offers a portfolio ranging from antivirus and endpoint protection to penetration tests and incident response to forensic analyses, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.