TÜV Association: 82 percent of German companies that have experienced an IT security incident in the past 12 months have kept it secret.
Only 15 percent of companies informed the public about the incident, 4 percent of them because they are legally obliged to do so. This is the case, for example, when personal data is leaked. Almost three quarters of the companies surveyed stated that they avoid making a cyber security incident public because they fear reputational damage. This is despite the fact that 83 percent believe that more companies should make cyber security incidents public in order to raise risk awareness. These are the results of the representative Ipsos study commissioned by the TÜV Association, for which around 500 companies in Germany were surveyed.
Transparency raises awareness of cyber attack
Most companies lack transparency when they fall victim to a cyber attack. Transparency can actually contribute to cyber security. Making such attacks public shows other victims that cyberattacks are a widespread phenomenon. “Perpetrators and victims are often confused,” says Marc Fliehe, Head of Digitalization and Education at the TÜV Association. “Even if a company takes a high level of security precautions, it can still fall victim to a cyber attack.” Here, transparency could lead to a change in thinking. “Companies should pursue an active information policy and not become a pawn of hackers,” says Fliehe. “We need a culture in which dealing with cyber security incidents publicly is a matter of course.”
Education helps to prevent hackers
Cyber security is not just an issue for a company’s IT department, but should also be a priority for management. Companies should invest in modern hardware and software and seek advice from external experts if necessary. Practical tests are also becoming increasingly important in order to uncover vulnerabilities and rehearse emergencies in emergency drills.
In addition to preventing cyber attacks, it is important to recognize attacks, react as quickly as possible and restore IT systems after a security incident. In order to fend off an attack as quickly as possible, it must be clear in advance which measures need to be taken and in what order. “Hackers also like to attack on public holidays,” says Fliehe, “which is why response times, availability and communication processes must be defined in advance.” In order to be able to act routinely, companies should have rehearsed the emergency beforehand.