The threat posed by cyber attacks has intensified for the German companies surveyed over the past twelve months; at the same time, however, a large proportion of them are not adequately prepared for such attacks.
This is suggested by an Imperva study based on a survey, conducted by the market research company YouGov, of employees with extensive or sole decision-making authority in IT.
Cyber attacks with massive business-damaging consequences
36 percent of the IT managers surveyed state that the number of cyber attacks on their company has increased slightly or even significantly in the last twelve months. Ransomware (20%) and DDoS attacks (18%) dominated. In a ransomware attack, hackers use malware to gain control of a computer and release the device only after a ransom has been paid. In a DDoS attack, hackers try to send so many requests to a system that it ultimately collapses. The consequences of these and other attacks were grave. Almost one in five IT managers surveyed reported that cyber attacks resulted in lost customers; 46 percent experienced a system failure. Other consequences mentioned were financial extortion (16%), lost sales (15%), damage to reputation (14%) and official sanctions (10%).
In addition, various categories of data were compromised or misused in the cyber attacks on the companies surveyed: employee data (20%) and customer data (17%) were the most frequently targeted for manipulation, followed by protected intellectual property and management information (both 16%) and budget and other financial planning documents (13%).
No transparency in the use of data – holistic security strategy required
The companies responded to the attacks with various measures: 50 percent of those surveyed stated that the cybersecurity strategy had been revised; 48 percent have increased their investment in cybersecurity tools and solutions. In addition, almost one in four companies has hired additional staff in the area of IT and cyber security. The need for strategic course correction and technical equipment is high; for example, according to the survey, fewer than one in two companies has an up-to-date crisis plan (44%). In addition, just under half of the companies surveyed use data discovery and classification tools (49%) or database activity monitoring tools (44%) that provide insight into how sensitive data is being used within the organization.
Beyond these findings, the study results also clearly show that the IT managers surveyed must look beyond their own operations when it comes to data management and use. Digital business models in particular, but also collaboration with suppliers, for example, increasingly require the sharing of data, which harbors further security risks. Only 23 percent of the companies surveyed currently have a complete and automated list of all third parties with whom they exchange internal data. 39% manually update such a list, and 16% say they don’t maintain any third-party lists at all. More than 30 percent have no systems and procedures, or no secure ones, that determine what data third parties can access.
“A large proportion of the companies surveyed are still not drawing sufficient conclusions from the current threat situation. And most companies are only now really starting to implement data-driven business models,” states Kai Zobel, Area Vice President EMEA Imperva. “To effectively protect data, companies need a new culture that thinks security and innovation together, as well as investments in processes, systems and people. Above all, however, they need a holistic security strategy that brings together metrics from all areas of the company on a central platform. This is the only way to effectively protect one’s own IT infrastructure – against attacks from outside and inside.”
Sticking point “security” in cloud models
In addition, many of the IT managers surveyed are conflicted about data security when it comes to introducing and using cloud models. 23 percent describe the introduction of the cloud as the greatest cybersecurity challenge in digital transformation projects from a data protection perspective. In addition, 29 percent of those surveyed are convinced that they have a better overview of their data on-premises than in the cloud (30%: about the same overview). And 31 percent of respondents believe their company’s data is less secure in the cloud than on-premises; only 18 percent see the data in the cloud as being in better hands.
Significant increase in cyber attacks forecast – focus on employees in prevention
For 2022, 47 percent of those surveyed expect a significant increase in cyber attacks: 31 percent assume an increase of up to 50 percent; another 16 percent expect even more attacks. Ransomware attacks are rated as the greatest threat (35%); DDoS attacks and insider threats are each named as the greatest risk by 13 percent of respondents.
Strategic measures, but above all current work models and the involvement of employees, play an important role in containing the threat situation. 50 percent of the companies surveyed plan to offer more training courses in the next twelve months to raise awareness of the topic of cyber security. A third of organizations surveyed (32%) want to review remote work policies and 18 percent want to review their bring-your-own-device (BYOD) policies. Updating the contingency plan in case of an attack is the second most common measure (37%).
About the study:
The online survey on which the study is based was conducted by YouGov Deutschland GmbH between December 10th and 20th, 2021. A total of 528 people with extensive or sole decision-making authority in the IT field who work in companies with at least ten employees were interviewed.