Three questions for... TÜV SÜD
"SMEs have valuable expertise"
When developing a security concept, several building blocks need to be taken into consideration and combined to suit the requirements and existing structures in the company. Moritz Wappner addresses three key points for evaluation.
Assuming that their own company data is of no interest to hackers, companies often underestimate the danger of a cyber attack. The result is lax security measures, which can have far-reaching consequences. Moritz Wappner, Team Lead Cyber Security Advisory Services at TÜV SÜD Sec-IT, knows that a quick and qualified response after an attack is essential to minimize damage.
Are German companies adequately prepared for potential cyber attacks and are their protective measures sufficient?
Wappner: Unfortunately, the reactive attitude of many companies is still a general problem. SMEs in particular often say "it won't happen to us" or "we're far too small and uninteresting for cyber attacks". But this is a misconception: German SMEs in particular have valuable expertise and should therefore not be too easy a target. Small and medium-sized companies usually do not have the extensive and effective IT security infrastructure of many large corporations. However, the question today is no longer whether you will be the target of a cyberattack, but how quickly and effectively you can react in an emergency. Economic damage and loss of trust on the customer side can quickly threaten a company's existence.
Regardless of the budget, which three security measures should companies implement to protect themselves from cyber attacks?
Wappner: Every company is structured differently and therefore has different security requirements. In general, however, it is safe to say that effective cybersecurity should always consider the triad of people, technologies and processes of an organization.
In concrete terms, this means that the "human firewall" must function well, as 90 percent of all successful cyber attacks are due to human error. Employees should therefore be continuously trained and sensitized.
On the technical side, vulnerabilities should be identified as early as possible, assessed and patched accordingly. Pentests and vulnerability scans for technical systems should therefore be carried out at regular intervals.
Finally, guidelines and policies on information security for the organization and its partners form the binding framework for the processes. Of course, these should not just be on paper, but should be put into practice.
Keyword "security as a service": Should the manufacturing and process industry consider managed security services?
Wappner: If a company does not have sufficient in-house resources and expertise, it generally makes sense to outsource certain topics to external service providers, for example when it comes to risk assessments or employee training. At the same time, however, certain structures must be established within the company so that the knowledge that is brought in from outside is also put into practice or implemented accordingly. Security is characterized by the fact that threat scenarios and potential threats are constantly changing and evolving. A service provider who is primarily concerned with this and always keeps their knowledge up to date is therefore an advantage.










