Why prevention alone is no longer enough – and why manufacturers are being held more accountable
Cybercrime is increasingly evolving from an abstract IT risk into an everyday social problem. The latest Cybersecurity Monitor 2026 from the Federal Office for Information Security (BSI) shows just how deeply digital fraud and attack scenarios have now penetrated people’s daily lives: one in ten Germans has been a victim of cybercrime within the past year. Overall, more than one in four respondents stated that they had already been affected by digital crime at least once.
This is also changing the security policy perspective on cybercrime. Whilst cyber security was long regarded primarily as a specialist issue for businesses, public authorities or operators of critical infrastructure, current developments show that cyber attacks have long since been affecting broad sections of society – from online banking to digital shopping.
Cybercrime is becoming a mass phenomenon
The study’s authors recorded particularly frequent cases of fraud in online shopping. This is followed by unauthorised access to online accounts, online banking fraud and classic phishing attacks. What is striking here is not so much the technical sophistication of individual attacks as their enormous scale. Cybercrime is increasingly operating on an industrial scale today.
AI-powered scams, automated phishing campaigns and professionally organised extortion schemes significantly lower the barriers to entry for perpetrators. At the same time, the success rate of social engineering attacks is rising. Many attacks no longer target technical vulnerabilities primarily, but rather human behavioural patterns.
The consequences for those affected are often severe. In addition to financial losses, many victims report significant time expenditure, a loss of trust in digital services or psychological stress. It is precisely this loss of trust that is increasingly becoming an economic and social factor. After all, digital administrative services, banking platforms, e-commerce and cloud applications ultimately rely on users trusting digital processes.
A false sense of security remains a core problem
From the BSI’s perspective, the discrepancy between the actual threat landscape and subjective risk perception appears particularly problematic. Despite rising case numbers, a large proportion of the population still considers themselves to be at little or no risk. At the same time, comparatively few users keep themselves regularly informed about cybersecurity.
This pattern points to a structural problem with modern digitalisation: security mechanisms are often perceived as complicated, disruptive or technically overwhelming. Strong passwords, multi-factor authentication or regular security updates are still regarded by many users as an extra burden rather than a fundamental part of digital use.
From the BSI’s perspective, mere education is therefore no longer sufficient.
The authority is increasingly calling for manufacturers and providers of digital products to be held more accountable. Security features must be simpler, more understandable and enabled by default. Users should not be left to bear the brunt of digital security risks indefinitely.
Manufacturer responsibility is becoming a regulatory issue
This shifts the debate significantly towards “Security by Design” and “Security by Default”.
The idea behind this is that cybersecurity should not rely solely on active user behaviour, but should already be integrated into products, platforms and services.
This development aligns with regulatory trends within the European Union. With requirements such as the NIS2 Directive or the Cyber Resilience Act, pressure is mounting on manufacturers to close security gaps more quickly, provide update processes and make digital products more resilient.
In the consumer sector in particular, the opposite trend has often been evident so far: complex user interfaces, insecure default settings or a lack of transparency further increase the risk of successful attacks. At the same time, connected devices, cloud services and mobile applications are continuously expanding the digital attack surface.
The increasing professionalism of attackers is changing the landscape
At the same time, the attackers’ side is becoming increasingly professional. Ransomware groups, phishing networks and data-based extortion models now operate with a high degree of division of labour. Malware-as-a-Service, phishing kits or leaked login credentials can be traded almost on an industrial scale via criminal platforms.
This gives rise to professional attack infrastructures that enable even technically less-savvy perpetrators to carry out complex attacks. For consumers, this makes it increasingly difficult to detect fraudulent activities. AI-generated content, deceptively genuine login pages, synthetic voices or deepfake technologies further exacerbate this trend.
Cybersecurity is becoming a matter of societal resilience
The growing impact on the general public ultimately highlights that cybersecurity can no longer be viewed solely as a technical specialism. Digital security is increasingly becoming a matter of societal resilience.
It is not enough to rely solely on individual security behaviour. Rather, a multi-layered approach is required, comprising technical safeguards, minimum regulatory standards, ease of use and continuous awareness-raising.
The BSI is increasingly pursuing precisely this approach with greater vigour. In addition to prevention and education, the agency is calling for greater responsibility on the part of manufacturers and platform operators to make security measures more suitable for everyday use. For as long as secure digital use remains more complicated than insecure behaviour, many protective mechanisms will have only limited effectiveness in practice.
The current figures therefore do not merely indicate a rising threat level. They also mark a turning point in the cybersecurity debate: cybersecurity is increasingly becoming a fundamental infrastructural requirement of digital societies – comparable to road safety or consumer protection.
