What is the state of IT security at companies in the DACH region

In October 2020, Proofpoint published the study "People-CentricCybersecurity" with the question: What is the security situation of companies in Germany, Austria and Switzerland?

Cyber attacks on employees in the form of business email compromise (also known as man-in-the-middle attacks), phishing campaigns, cloud account compromises and ransomware attacks are increasing rapidly. An increase in attacks was observed even after the first lockdown.

‍

The survey of CSOs/CISOs in the DACH region was conducted by the consulting firm techconsult in July and August 2020. A total of 202 companies with 250 or more employees from various industries were surveyed.

The study looks at four key areas:

Frequency of cyberattacks
Employee and organisational readiness
Challenges in implementing cyber strategies
The impact of the COVID-19 pandemic on cybersecurity

#1: Organisations in the rooftop space are exposed to a diverse threat landscape

The companies were asked whether a cyberattack had taken place in the last twelve months. 34% answered yes to this question. For 33%, there were even several attacks. This means that around 135 of the 202 companies surveyed were victims of a cyberattack.

Within 2 years, the frequency of insider threats has increased by 47%.

Max Mustermann

Link: Cost of Insider Threat Report 2020

The question about the type of attack reveals that the frequency of insider threats, at 25%, was still relatively lower than the other types surveyed. Impersonation attacks were more common at 26% and DDoS attacks at28%. The companies surveyed had to contend with ransomware (50%) and phishing attacks (60%) most frequently.

Source: Proofpoint study

In our blog article "Stop phishing", we give you valuable tips and advice on how to identify phishing emails.‍

#2: CSOs and CICOs in the DACH region are particularly concerned about the loss of sensitive information and disruption to operations due to cyberattacks

When asked how the cyberattack affected their own company, 42% of the companies surveyed cited the loss of sensitive information and 40% cited disruption to business operations. Brand and reputational damage is also a common impact at 33%. A financial loss and a loss of regular customers were each felt by 23% of companies. Only 16% reported a loss of turnover.

Source: Proofpoint study

#3 Organisations in the DACH region are aware of the threat - but face challenges to protect themselves

The following chart shows the extent to which the CSOs and CISOs surveyed agreed or disagreed with the three statements.

Source: Proofpoint Study

Only 24% of them consider themselves optimally prepared for a cyber attack. There is still a low level of uncertainty at 48% and 13% (strongly disagree + strongly disagree) do not feel prepared for a cyberattack at all.

The lack of concern at board level may be alarming: Only 26% of the companies surveyed are definitely concerned about cyber security at board level, while 41% are at least moving in the right direction. 13% - i.e. around 26 of the 202 companies surveyed - have not planned the topic at board level.

#4 Employees in the roof space must be better equipped to combat cyber attacks

It is still often the company's own employees who enable attackers to gain access to the system. To what extent do employees make companies vulnerable to cyber attacks? The CSOs and CISOs of the companies surveyed are of the opinion that

falling for phishing emails (70%),
clicking on malicious links (65%),
insecure passwords and changing them too infrequently (52%) and
careless handling of sensitive information (51%)

are among the most common mistakes. Respondents consider the targeted disclosure of data to be less likely (21%).

Source: Proofpoint Study

Despite the increase in targeted cyberattacks on company employees, 47% of CSOs and CISOs surveyed in the DACH region still do not believe that their companies are vulnerable to attacks through their employees. Furthermore, 77% stated that they train their employees in cyber security best practices no more than twice a year.

Fatal from our point of view. After all, hackers and types of attack are evolving just as quickly as digitalisation is advancing. Only through regular security awareness training, i.e. raising awareness of security-related topics, can employees do their part to prevent and avoid cyberattacks.

#5 The future of cyber risks in the DACH region is shifting

Source: Proofpoint Study

Over the next three years, 54% of CSOs and CISOs surveyed see insider threats (here: negligent and criminal combined) as the greatest cyber security threat in their industry. At 50%, the greatest risk lies primarily in phishing attacks.

Every fifth company considers malicious employee behaviour to be one of the most significant risks.

Max Mustermann

The analysis of responses to the question of how their cyber security budget will develop over the next two years suggests that many CSOs and CISOs are aware of the need to improve cyber defence. This is the only way to minimise the risk of falling victim to a cyberattack. 29% do not expect a change in budget, whereas 31% expect an increase of 1-10 per cent, 24% of 11-20 per cent and 8% of 21-50 per cent. Only 1% of respondents expect an increase of more than 100 per cent and 2% expect a decrease in the budget for cyber security.

However, it must be said here: Do not consider if, but when a cyberattack will take place.

Impact of the Covid-19 pandemic on remote working in companies

Since the pandemic and the increase in working from home, media reports of cyberattacks on employees via phishing emails have become more frequent. 34% of CSOs and CISOs stated that they have experienced an increase in targeted phishing attacks since remote workplaces were set up across the board.

A gratifying 62% have provided their employees with additional training on how to ensure cyber security while working from home. Nevertheless, the number of companies that have not taken any preventative measures in this direction is quite high at 17%.

43% of the companies surveyed believe that the transition to working from home has increased their vulnerability to cyber threats. This is probably also due to the unplanned and hasty changeover.

Conclusion

With or without the coronavirus pandemic, the issue of cyberattacks on employees is here to stay. Every "successful" attack confirms to hackers that the "human" target is easy to influence. This makes it all the more important to strengthen employees' security awareness and to optimise the handling of company devices, emails and internal data through regular training.Regularly, as attack patterns and paradigms will continue to evolve in any case and under any circumstances.

Don't fall into the trap of thinking that it will affect others and not your company. Any company, without exception, can fall victim to a cyberattack. Because "at least" data is processed everywhere. Sentences such as: "We don't have the resources for that at the moment" therefore lose their meaning. Your most important and best resource for preventing cyberattacks is sitting in front of the computer.

Invest in your employees' understanding of security and make them your best defence system. So decide now whether you will allow yourself to be hacked or take appropriate preventative measures in the form of security awareness training.

What is the state of IT security at companies in the DACH region?