The 2025 IT security report from the Federal Office for Information Security (BSI) sends a stark signal: Germany’s cybersecurity situation remains tense. Despite operational successes such as dismantling the LockBit ransomware group, there is no reason for complacency. The BSI identifies ‘insufficiently protected attack surfaces’ as the main driver of ongoing risks.
Exploding vulnerabilities and escalating threats
The numbers are alarming: an average of 119 new vulnerabilities are discovered daily – a 24% increase. These range from classic software bugs and insecure design to IoT devices that are compromised straight out of the factory. Attackers exploit these weaknesses in exploitation-based attacks, which have risen by 38%, and increasingly combine ransomware with data leaks to extract record ransoms.
The BSI’s message is clear: backups are important, but they cannot prevent data leaks. Securing attack surfaces remains the decisive lever.
SMEs as ‘easy prey’
Small and medium-sized enterprises (SMEs) remain a primary target. Around 80% of ransomware attacks hit SMEs, even though 91% of them rate their IT security as good. In reality, they meet only 56% of the basic requirements of the CyberRiskCheck – a dangerous perception gap.
Alexander Ingelheim, CEO and co-founder of Proliance, warns: “Overestimating your security isn’t protection—it’s flying blind.” The upcoming NIS2 regulation will act as a much-needed guide, forcing SMEs to base risk management on real data.
The human factor as the Achilles heel
Users themselves are becoming a weak link. For the second consecutive year, awareness and use of essential measures such as two-factor authentication (2FA) and password managers are declining. The reason: these measures are perceived as too complicated. This growing ‘digital carelessness’ opens doors to attackers.
Alexander Koch, SVP Sales EMEA of Yubico, comments: “The gap between high phishing threats and user behavior is critical. The solution is technologies that are both secure and intuitive—like hardware-based passkeys.”
Experts call for proactive resilience
Industry voices emphasize that reactive approaches are no longer sufficient:
- Peter Machat (BlueVoyant) highlights the growing complexity of networked IT, OT, and IoT systems. Complete asset visibility and cyber exposure management are essential for critical infrastructures.
- Eric Litowsky (BlueVoyant) points out that access brokers and compromised IoT devices allow attacks to begin before they are even visible on internal networks.
- Thomas Boele (Check Point) stresses that cybersecurity is a continuous process, requiring consistent adoption of Zero Trust and the Intrusion Kill Chain.
- Max Imbiel (Cloudflare) warns that vulnerabilities grow faster than teams can patch them, while awareness declines.
- Robert Frank (DigiCert) calls for automated trust infrastructures to manage certificates and keys effectively, reducing attack surfaces.
- Kristian von Mejer & Patrick Scholl (Infinigate) emphasize the need for proactive risk management and real-time visibility for every IoT device.
- Lars Christiansen (JFrog) underlines risks in compromised supply chains, as AI and DevOps shift security responsibility to the development stage.
- Jiannis Papadakis (Keyfactor) calls for quantum resilience through crypto agility.
- Michael Heuer (Keyfactor) stresses that backups alone are insufficient against ransomware and data leaks; companies must take responsibility for cloud data.
- Matthias Canisius (Keyfactor) & Thomas Müller-Martin (Omada) highlight the need for prioritization and automation in vulnerability management.
- Frank Strecker (Skaylink) notes that managed cloud services have become foundational for resilience.
- Sebastian Cler (SpaceNet) points out that trust relies equally on people, processes, and technology.
- Sergej Epp & Zac Warren (Sysdig) warn that many teams cannot manage real-time cloud security, leaving gaps undetected.
- Sebastian Lacour (Sysdig) sees long-term solutions in data resilience maturity models and close collaboration between industry and authorities.
Conclusion: cybersecurity as a strategic success factor
The BSI 2025 report makes one thing clear: cybersecurity is not a state, but a dynamic process integrating technology, organization, and human behavior. Companies must know their attack surfaces, prioritize vulnerabilities, proactively secure IoT and OT networks, and protect the human factor with intuitive solutions. Those who act decisively today are shaping the digital future, rather than merely defending it.
The takeaway is unambiguous: resilience, transparency, and proactive cyber hygiene are Germany’s key success factors in 2025.