eco Association: Prepare Employees Better for Cyber Attacks

  • One in four German companies (26 percent) had a serious security incident last year
  • 43 per cent of companies solved the problem internally; only 12 per cent turned to law enforcement agencies
  • Too few companies focus on employee sensitization and emergency planning

Last year, around every fourth German company (26 percent) was the victim of a cyber attack. This is shown by the current IT Security study undertaken by eco – Association of the Internet Industry. This means that the proportion of hacked companies has increased compared to the previous year: in 2018, only around 18 percent stated that their company had been subject to a successful attack by cyber criminals in the previous 12 months. Ransomware, DDoS attacks, and CEO Fraud lead the list of attacks, ahead of website hacking and data theft.

The handling of security problems has also changed: While in 2018, just under 25 percent said that they solved security problems internally with their own staff, by 2019 this figure had risen to 43 percent. There is still just a minority of companies (9 percent in 2018, 12 percent in 2019) who press criminal charges. For the first time, the payment of ransom (2 percent) was measurable in 2019. Companies want to protect themselves against attacks in particular by sensitizing employees, implementing the IT security legislation, and by mobile device management.

 Assessing security risks realistically

“Many small and medium-sized companies still underestimate the risk of being targeted by cyber criminals,” says Oliver Dehning, Leader of the Competence Group Security with eco – Association of the Internet Industry. Only 41 percent of the companies surveyed regularly train their employees, the study finds. However, 38 percent train employees irregularly, 7 percent are still just planning appropriate training, and 14 percent never engage in training or sensitization of their employees. “The figures are still too low in light of the growing number of threats,” says Dehning. Regular sensitization of employees should be a matter of course in every company.

Of essential importance for Dehning is a security emergency plan that defines processes in the event of a cyber crime incident. 57 percent of the companies already have such a plan in place. In another 27 percent of the companies, such an emergency plan for the future is being considered. 16 percent have not yet broached the topic. “Every company should consider early enough how it will react in the event of a serious security incident in order to minimize the damage if the worst comes to the worst,” says Dehning.

Emergency planning and employee sensitization are imperative

Despite increasing efforts to address these security issues, only a minority of respondents rated the security of their own company as very good (11 percent) or good (35 percent). A further 35 percent believe their security is merely sufficient, while 19 percent consider their security to be insufficient.


For the eco Survey IT Security 2019, the eco Association surveyed 242 IT security experts on their companies’ current security situation.

eco Association: Prepare Employees Better for Cyber Attacks