“The Failures in IT Security Are Massive”

Many SMEs put their own cybersecurity at risk with their lack of knowledge, which leads to more successful ransomware attacks. Unfortunately, IT security will probably have to be reinforced in the future by companies, says Gökhan Kurtbay in an interview with eco.

How well do companies in Germany protect themselves against cyber attacks?

The reputation of German SMEs in terms of cybersecurity is poor, and rightly so. Responsible parties are being dangerously ignorant. According to surveys, many of those responsible rarely take action even if sensitive company data, construction plans, personal information of customers or other valuable information is stolen or if their own IT systems are encrypted by cyber criminals. The damage caused by extortion software at German companies is correspondingly high and is increasing, as a recent report by the German business publication Wirtschaftswoche shows.

How can companies be encouraged to adopt a higher level of protection?

The only option I see at the moment is compulsion. Especially when you see how TISAX (Trusted Information Security Assessment Exchange) is being pushed by the German automotive industry. As a supplier for the German OEMs, you either have a functioning ISMS (Information Security Management System), which you have to have checked regularly, or you simply don’t get any more orders. And all of a sudden, it becomes feasible and is sorted.

What obligations do you think companies will face?

The EU is currently preparing a bill to make the managing directors of companies directly responsible for any cyber incidents, particularly if no measures have been taken in advance, similar to the GDPR. The topic of information security will become an integral part of the corporate structure, similar to the former ISO 9001. It is indeed to be expected that there will be legal requirements for the very reasons described in the aforesaid Wirtschaftswoche article. There will be uproar, of course, but eventually, corporate leaders’ massive failures in IT security leave them with no other choice.

Gökhan Kurtbay is the Head of Information Security Consulting at CNXConsulting Partners GmbH. As part of ISD 2022, he will speak on “Information Security in Industry – The Next Must-Have?” (a German-language event) on 29 September at 12:30 pm.

