Opinion: German companies are not yet sufficiently afraid of cyberattacks

Many companies are worried about potential cyberattacks. But despite this, investment in IT security remains meager, says Tobias Glemser.


Ransomware gangs, CEO fraudsters and other cybercrime actors should no longer stand a chance. According to the Allianz insurance group's risk barometer, most German companies see cyber incidents as the biggest risk to their business. The World Economic Forum's Global Risks Report 2025 comes to a similar conclusion, with cyber espionage and cyber warfare still ranking fifth among the risks. And according to a survey by Statista and Bitkom, expenditure on IT security (software, hardware, consulting and testing) has even exceeded the ten billion euro threshold for the first time.

An opinion by Tobias Glemser

Tobias Glemser is a BSI-certified penetration tester and Managing Director of secuvera GmbH. He has been working in cyber security for over 20 years. He is privately involved with OWASP, among others.

According to another Statista survey in collaboration with Bitkom, the "damage caused by data theft, industrial espionage or sabotage" in German companies amounts to around 266 billion euros. Wait a minute. So the damage exceeds the investments by a good 26 times? Let's let this disparity sink in and go into more detail: What about the effectiveness of spending so little compared to the damage? If you spend so little, perhaps the effectiveness is simply very high.

Let's take a look at the measures, setting aside "virus protection" and "firewall" as a given standard. Strong passwords certainly don't seem to be standard. In collaboration with the University of Bonn, the cybersecurity start-up Identeco analyzed around 30 million sets of credentials published in 2024 and attributed them to DAX companies. First and second place went to variants of the company name and variants of "LinkedIn", respectively, and third place to "123456", followed by "password" and – listen and be amazed – "12345678".

It can be assumed that awareness training will be on the list of the most popular measures in many companies and also in public administration. If done correctly, awareness can help with risks that cannot be eliminated by technical means. In our company, for example, we repeatedly receive messages purporting to come from customers asking about outstanding invoices. Nice-looking domains such as "sap-finanzbuchhaltung.de" are used.

The idea behind this is that after receiving a genuine, outstanding invoice, the fraudsters send new invoices to the genuine customer in the familiar layout and indicate a changed IBAN. This is not a "cyberattack", but ultimately an attack on the payment process of companies. Improving the process, for example by always contacting the supplier/service provider again via a known email address/phone number when IBANs are changed and reconfirming the change, will help in the long term. However, raising awareness can probably also help here.

What about technical attacks? Unfortunately, there are no figures on this, only an inconclusive body of research. Dirk Häger, head of department at the BSI, has said at several events that in over 20 years there has been no evidence that awareness training reduces the likelihood of a successful cyberattack. He considers security awareness to be a waste of money in this respect. Now, by its very nature, it is difficult or impossible to find evidence of things that have not happened. But are we training people for things that we could prevent in a more sustainable way?

"Don't click on fraudulent attachments." I'm sure everyone who has attended even one training course has heard this. Cool demand. How are Lieschen Müller and Bernd Beispiel supposed to do that? If it were so easy to see that anyone could do it, then surely a program could too. But it can't. Unfortunately, people also have an error rate. So if a single wrong click by a single employee can lead to a catastrophe, the more than 260 billion will remain a sure thing for fraudsters.

For decision-makers, this often seems enough: we have basic measures in place and users are sensitized. The "human firewall". That's enough. And what happens if something goes wrong? Often enough, employees have to go on short-time working. This externalizes the costs – at least large blocks of costs – to society. This must stop. Those who cut the wrong corners and demonstrably fail should also be held accountable.


Long story short: companies are still spending too little money on cybersecurity, even though they see it as the biggest risk. And where they are already spending money, the question arises as to why one wrong click on an email is still enough and application allowlisting is not active. This is a finding in almost all the analyses we do of standard Office environments.

What helps? Well, cybersecurity is still optional for many organizations. This should improve in the future under NIS2 because it will then become mandatory. Unfortunately, German politicians have not managed to implement the regulation. There is currently no real rush for this topic in the consultancy market. So we will probably have to continue to live with this discrepancy for the time being and welcome every company that voluntarily engages with sustainable cybersecurity measures.

(axk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.