Civey survey

Cyber security threats are on the rise. Almost half of German companies experienced a cyber attack in the last year, sustaining tremendous economic damage in the process. The Russian war of aggression against Ukraine has made companies more vulnerable to the dangers of hybrid warfare. Cyber security plays a strategic role in the resilience of organisations and should be a top priority for CEOs. As part of a Civey survey, we asked employees, managing directors and the self-employed three questions about the state of cyber security in their company. Does the necessary awareness of the topic exist? How is it applied in practice? Who is the main driver?

Awareness of cyber security

Cyber security calls for a comprehensive and common understanding of cyber threats and their consequences for the company. This is the only way to implement preventative measures with the necessary urgency and commitment.

Employees report a clear need for more to be done to establish the topic in corporate culture.

Only one in three employees considers awareness of cyber security to be firmly established in the company. A further 27% have seen some initial progress but believe that this is not enough to create a sustainable security culture. Almost one in five is unable to express an opinion on the topic.

Executives present an even clearer picture.

Over half say there is no awareness of cyber security in the company or have no opinion. On the other hand, only one in five executives confirms that the company has a sustainable security culture.

Cyber security in practice

A general understanding of cyber risks and security is one thing. Taking effective measures on a day-to-day basis in the company is something else altogether. We asked the following: Are cyber attacks simulated in the company? These simulations are the fire drill of the virtual age. They help to identify security gaps in processes and structures and to put cyber security into practice in the company.

The responses highlight inadequate practices in cyber security.

Only 15% of employees report that the company simulates cyber attacks in house. Almost half are unable to make a statement on this topic. One in five believes that the company will not simulate attacks in the future.

With executives and the self-employed an indifferent attitude emerges. They point to a failure to prioritise simulations.

Over 75% have no knowledge of the simulation of cyber attacks or find it irrelevant. Only 8% indicate that cyber attacks are simulated in house. A very small proportion, 4%, point to training being used as a substitute.

Main drivers of cyber-security

Cyber security plays a strategic role in the resilience of companies and is a topic that should be promoted by the company’s top management. This builds commitment to cultural change and brings about the swift implementation of measures in the company’s day-to-day operations.

The reality is quite different – as the results of our survey show.

Is management getting involved? Definitely not. Only around 15% of employees see management as the main driver of cyber security. Instead, almost half of them consider the topic to be the responsibility of the IT security officer in the specialist department. More than a third cannot name a main driver.

The responses of executives and the self-employed confirm this finding. What’s more, they show that cyber security has only been included in the management and communications agenda to a limited extent. Only one third see themselves as the main drivers of this topic. Yet what is most frightening is that almost 60% of them do not see anyone taking responsibility or are unable to name a main driver.

Establishing cyber security in corporate culture

Despite the topic of cyber security being on everyone’s lips, companies are inadequately protected against cyber risks. The results of our Civey survey reveal considerable gaps. Both managers and employees lack the necessary understanding of the topic.

To close these gaps, cyber security needs to become deeply ingrained in corporate culture – just as compliance was a few years ago. This calls for systematic communications and intensive discussion in the company. Cyber security is not a topic for nerds, rather it is a challenge that affects everyone in the company. Corporate management must be the main driver of the topic and play an active role. This is the only way to successfully change the attitude of companies.

Between 1 March 2023 and 14 March 2023, Civey carried out an online survey for H/Advisors Deekeling Arndt of 1,000 employees as well as 1,000 executives and self-employed persons from 18 years old upwards. Due to selection quotas and weighting the results are representative with a statistical error of 5.6 %. You can find more information about the method used here.