The 2025 IT security report from the Federal Office for Information Security (BSI) sends a stark signal: Germany’s cybersecurity situation remains tense. Despite operational successes such as dismantling the LockBit ransomware group, there is no reason for complacency. The BSI identifies ‘insufficiently protected attack surfaces’ as the main driver of ongoing risks.
Exploding vulnerabilities and escalating threats
The numbers are alarming: an average of 119 new vulnerabilities are discovered daily – a 24% increase. These range from classic software bugs and insecure design to IoT devices that are compromised straight out of the factory. Attackers use these weaknesses in exploitation attacks, which have risen by 38%, and increasingly combine ransomware with data leaks to extort record ransoms.
The BSI’s message is clear: backups are important, but they cannot prevent data leaks. Securing attack surfaces remains the decisive lever.
SMEs as ‘easy prey’
Small and medium-sized enterprises (SMEs) remain a primary target. Around 80% of ransomware attacks hit SMEs, even though 91% of them rate their IT security as good. In reality, they meet only 56% of the basic requirements of the CyberRiskCheck – a dangerous perception gap.
Alexander Ingelheim, CEO and co-founder of Proliance, warns: “Overestimating your security isn’t protection—it’s flying blind.” The upcoming NIS2 regulation will act as a much-needed guide, forcing SMEs to base risk management on real data.
The human factor as the Achilles heel
Users themselves are becoming a weak link. For the second consecutive year, awareness and use of essential measures such as two-factor authentication (2FA) and password managers are declining. The reason: these measures are perceived as too complicated. This growing ‘digital carelessness’ opens doors to attackers.
Alexander Koch, SVP Sales EMEA at Yubico, comments: “The gap between high phishing threats and user behavior is critical. The solution is technologies that are both secure and intuitive—like hardware-based passkeys.”
Experts call for proactive resilience
Industry voices emphasize that reactive approaches are no longer sufficient:
- Peter Machat (Armis) emphasises the growing complexity of networked IT, OT and IoT systems. For critical infrastructures, complete asset transparency and cyber exposure management are essential.
- Eric Litowsky (BlueVoyant) highlights that access brokers and compromised IoT devices allow attacks to begin even before they become visible on the company’s own network.
- Thomas Boele (Check Point) emphasises that cybersecurity is a continuous process that consistently integrates zero trust and the intrusion kill chain.
- Max Imbiel (Cloudflare) warns against the ‘new normal’: vulnerabilities are growing faster than teams can patch them, while risk awareness is declining.
- Robert Frank (DigiCert) warns that inadequate certificate and key management directly increases the attack surface. Automated trust infrastructures are the key here.
- Kristian von Mejer (Forescout) and Patrick Scholl (Infinigate) emphasise that IoT devices that are infected at the factory require proactive risk management and real-time transparency for every device.
- Lars Christiansen (JFrog) highlights the risks of compromised supply chains: AI and DevOps are shifting security responsibility directly to development.
- Jiannis Papadakis (Keyfactor) calls for quantum resilience through crypto agility.
- Michael Heuer (keepit) makes it clear that backups alone are no longer sufficient against ransomware and data leaks; companies must take responsibility for their cloud data.
- Matthias Canisius (mondoo) and Thomas Müller-Martin (Omada) call for prioritisation and automation in vulnerability management in order to effectively close the flood of security gaps.
- Frank Strecker (Skaylink) emphasises that managed cloud services have become the basic prerequisite for resilience.
- Sebastian Cler (SpaceNet) stresses that trust is based equally on people, processes and technology.
- Sergej Epp (Sysdig) and Zac Warren (Tanium) warn that many teams do not have the capacity for real-time cloud security, which means that security gaps often go unnoticed.
- Sebastian Lacour (Veeam) sees long-term solutions in data resilience maturity models and close cooperation between industry and authorities.
Conclusion: cybersecurity as a strategic success factor
The BSI 2025 report makes one thing clear: cybersecurity is not a state, but a dynamic process integrating technology, organization, and human behavior. Companies must know their attack surfaces, prioritize vulnerabilities, proactively secure IoT and OT networks, and protect the human factor with intuitive solutions. Those who act decisively today are shaping the digital future, rather than merely defending it.
The takeaway is unambiguous: resilience, transparency, and proactive cyber hygiene are Germany’s key success factors in 2025.