TÜV survey: majority of companies believe in their own IT security, BSI does not
How do managing directors, IT managers and other company representatives view the IT security situation? The results surprised more than just the head of the BSI
Dr. Michael Fübi, President of the TÜV Association, and Claudia Plattner, President of the BSI, present a new representative survey on cyber security in companies.
(Image: BSI)
The TÜV Association surveyed companies on their assessment of the IT security situation, and the companies drew an optimistic conclusion. At the presentation of the survey in Berlin, BSI President Claudia Plattner expressed clear doubts about this self-assessment and warned against carelessness.
According to a survey of over 500 German companies conducted by the TÜV Association, 15 percent of companies were affected last year by specific IT security incidents that required the intervention of incident response teams. At the same time, 91 percent of the companies stated that they were in a rather good or even good position in terms of cyber security.
The President of the German Federal Office for Information Security (BSI) views this result with some concern: "That's a bit of wishful thinking," warned Claudia Plattner, "we're not there!" The BSI's everyday experience regularly speaks a completely different language, Plattner said in assessing the survey results. Even the IT security "seahorse", Plattner's nickname for the BSI's cyber risk check, regularly reveals problems at companies. For operators of critical infrastructures, there is also regularly "clearly room for improvement", for example in information security and business continuity management (BCM), even if the BSI does see improvements here, according to the head of the office.
Only half are familiar with NIS2
TÜV Association President Michael Fübi and Claudia Plattner were also surprised by another result of the survey: just 50 percent of respondents claim to have even heard of the revised Network and Information Security Directive (NIS2). The directive establishes new security requirements for operators of critical infrastructures and is expected to affect almost 30,000 companies in Germany.
The German law implementing the EU's NIS2 directive is currently being redrafted. It is not only the EU that is applying pressure; the BSI President has also repeatedly called for progress to be made as quickly as possible. Plattner hopes that the extended liability of managing directors, which comes with NIS2 and lays down due diligence obligations for company directors, will raise awareness at the management level.
Cloud use brings new necessities
A third surprise from the survey: 79 percent of the responding companies believe that they store their company data only in the EU. However, it is almost impossible for companies to verify whether this is actually the case, for example with large cloud providers. According to TÜV Association President Michael Fübi, professional data management is the most important factor when using the cloud: highly confidential data must meet different requirements than less confidential data. So far, however, companies have lacked this risk awareness.
"Cloud computing is necessary nowadays, it is the industrialization of IT", Claudia Plattner explained. However, rules and technical possibilities must be observed. Because not "only national or European solutions will be available tomorrow", the BSI is also working with non-European hyperscalers. Whether security can be guaranteed is equally relevant for European or national providers: data, whether at rest or in transit, should always be effectively encrypted as a matter of principle, and "bring your own key" is generally advisable in all variants. To ensure availability, it makes sense to keep backups with other providers and to insist on portability to other providers for applications running in the cloud.
The results are based on a representative survey of 506 companies with 10 or more employees in Germany, conducted by the market research company Ipsos on behalf of the TÜV Association. Those responsible for IT security were surveyed, including senior cybersecurity experts, IT managers and members of management.
(vbr)