- One in three companies has no password policy
- 37.0 percent do not regularly train their employees on topics such as spam or phishing
Companies in Germany lack basic cybersecurity measures, this is one of the key messages of the current Kaspersky study “Incident Response for Prevention – Why Companies in Germany are Poorly Prepared for Cyber Attacks and How to Become More Cyber Resilient Thanks to Incident Response Methods” [1]. This is because although even simple steps can increase security levels, only 64.5 percent implement password policies, 58.0 percent create backups and 54.0 percent use multi-factor authentication.
According to the TÜV Association, decision-makers in one in nine financial organizations suffered a security incident last year [2]; furthermore, according to Bitkom, cyberattacks on German companies caused total damage of around 203 billion euros [3]. Decision-makers should therefore be aware that a preventive and sustainable cybersecurity strategy is a “must” for sustainable cyber protection. However, the status quo of security measures at some companies in Germany is sobering, as the recent Kaspersky study “Incident Response for Prevention” shows.
Password policies, backups, employee training? Not necessary
As the Kaspersky survey finds, many companies lack basic security measures: Password policies (64.5 percent), backup creation (58.0 percent) or multi-factor authentication (54.0 percent) are used by too few companies to date. These are fundamental measures that, together with a dedicated cybersecurity solution, provide basic protection against attacks.
Furthermore, 37.0 percent of companies in Germany do not regularly train their employees on topics such as spam or phishing – the classic gateways for cybercriminals to obtain access data. The crux of the matter is that the days of poorly written spam and phishing emails full of spelling errors are long gone. Today, they can hardly be distinguished from real messages. However, only slightly more than half (54.5 percent) of companies use anti-phishing software to protect themselves against this. In addition, only one in three companies (35.5 percent) currently has a patch management policy in place. Yet security vulnerabilities in applications and operating systems are among the most common attack vectors in enterprises.
“Patching is always a challenge. On the one hand, it’s relatively easy to plug security holes, but on the other hand, the process is usually a bit more complicated than you think,” says Kai Schuricht, Lead Incident Response Specialist at Kaspersky, about the lack of patch management in companies. “If companies decide to update their systems, this takes some time. This is because they first have to be tested, released and then distributed. This takes time and, of course, increases the window of opportunity for systems to be vulnerable. The time window for successful attacks is also extended. Appropriately thought-out and thus efficient patch management can provide support here and take into account the different requirements of, for example, IT security and production at the same time.”
The full Kaspersky study “Incident Response for Prevention – Why Companies in Germany are Poorly Prepared for Cyber Attacks and How They Can Become More Cyber Resilient Thanks to Incident Response Methods” is available at https://kas.pr/ir-report_de
[1] https://kas.pr/ir-report_de / The survey was conducted by Arlington Research on behalf of Kaspersky in June 2023. A total of 200 IT decision-makers in Germany, 50 in Austria and 50 in Switzerland were surveyed on the subject of incident response and cyber security.
[2] https://www.tuev-verband.de/pressemitteilungen/gut-jedes-zehnte-unternehmen-erfolgreich-gehackt
[3] https://www.bitkom.org/Presse/Presseinformation/Wirtschaftsschutz-2022
Useful links:
Kaspersky study “Incident Response for Prevention – Why companies in Germany are ill-prepared for cyber attacks and how they can become more cyber-resilient thanks to incident response methods”: https://kas.pr/ir-report_de
Kaspersky Incident Response: https://www.kaspersky.de/enterprise-security/incident-response
