Transformation Quarterly 01_2023

by Volker Heck

Cyber attacks have been on the rise worldwide for 20 years now. Last year alone, ransomware attacks increased by 13 percent. All sectors – business, public services, society – are affected. Nevertheless, a recent representative survey conducted by Civey on behalf of DAA shows that far from enough is being done, especially in businesses, to prevent potential damage.

Cyber attacks have become an integral part of our new era and also part of increasing hybrid warfare. In 2022, cyber attacks on public institutions, airports and companies in Germany increased massively on the same day the German government decided to supply heavy battle tanks to Ukraine. According to the FAZ newspaper, the State of North Rhine-Westphalia’s Interior Minister Herbert Reul sees a clear link here to Russian intelligence.

The rising number of people working from home also makes companies massively more vulnerable. Cyber security is therefore a topic that concerns not just IT specialists but all areas of companies. Effective cyber protection must be an integral part of a company’s DNA and thus it also needs to be part of in-company digital transformation processes.

So much for the theory. In practice the exact opposite is evident, as was observed in a representative Civey survey conducted in March 2023 on behalf of DAA among 1,000 managing directors and 1,000 employees. 46.4% of employee respondents see the IT security officers as responsible for cyber security, while 29% of management see themselves as responsible. Overall, however, 37.4% of the employees surveyed and as many as 58.3% of management also say that the issue of cyber security is not being driven forward by anyone in their company, or at least they are not aware of that being the case. These figures are particularly worrying at management level.

Given that, in recent surveys by trade associations, 79% of board members say that the issue of cyber risk has become massively more important at executive level in recent years, these results are very surprising, to say the least. The results of the Civey survey also clearly suggest that senior management and employees are not pulling in the same direction on the important issue of cyber security.

So what needs to be done? First, companies need to invest much more in prevention than they have in the past. 80% of this work can be done up front. “If you fail to plan, you are planning to fail” – true to Benjamin Franklin’s principle, companies must prepare sufficiently and in good time for possible cybercrime events and their impact. This includes setting up clear responsibilities and procedures for everyone in the company.

The second part has a lot to do with corporate culture. The Civey results show a frightening lack of knowledge about who in a company feels responsible for the important topic of cyber security or who actually has this responsibility. However, this is not a niche topic that an IT manager is responsible for. It is an intrinsic part of the core business. It is based on a shared understanding of security, which must be built from the bottom up and also lived by top management. Companies must promote a security culture and involve their employees in this process. This includes training, regular dialogue and joint analysis of weaknesses.