Over the last five years, this means an annual loss for the German economy of around 13 billion euros - as much as the German government plans to invest in the country's entire infrastructure in 2016. According to the study, companies are particularly concerned about web and cloud applications as a gateway.

For the study, which was conducted by the Center for Economics and Business Research (Cebr) on behalf of the application security specialist Veracode, decision-makers and managers from 205 large German companies (more than 1,000 employees) were surveyed in November 2015. The survey included the companies' experiences with the threat of cyber attacks and their effects, as well as general attitudes towards IT security. Based on this data, Cebr used its own research to estimate the damage to the German economy.

The most important findings of the study: on average, every company surveyed has been the victim of a cyber attack twice in the last five years. Companies in the construction industry were hit more often than average with 2.7 attacks and logistics companies with 2.5 attacks from the internet. The damage caused by these attacks in the last five years is distributed very differently across different sectors:

• The manufacturing industry has suffered the most damage with 27 billion euros in losses.

• The utilities, industrial and mining sector suffered losses of 9.2 billion euros.

• At 6.5 billion euros, the construction industry recorded the third-highest amount of damage.

The background to the high loss amounts in these sectors is the often strong networking of their businesses, for example through the advancement of Industry 4.0 technologies, as well as the valuable data that is collected here. In light of these enormous costs, nine out of ten (89%) of the companies surveyed intend to increase their IT security expenditure. For companies in the manufacturing industry alone, Cebr forecasts an annual increase of 578,000 euros over the next five years.

"We see that IT security has to change fundamentally," comments Julian Totzek-Hallhuber, Solution Architect at Veracode, on the study results and adds: "Companies today use a variety of applications for different business areas. However, these self-developed or purchased applications repeatedly have security vulnerabilities that enable cyber criminals to attack and cause major damage." Exploits, i.e. the exploitation of vulnerabilities, in cloud and web applications (66%) and mobile apps and company insiders (65% each) are of particular concern to the companies surveyed when it comes to attack opportunities for cyber criminals. In the event of a cyber security incident, just under half of the companies surveyed fear the direct costs of countermeasures, possible fines or legal disputes and loss of revenue (46%). However, the fear of long-term damage to the company's reputation is even greater (59%).

In addition to the direct and indirect damage caused by cyber attacks, the study also examines the attitude of decision-makers in large German companies towards internal company responsibility in the event of successful cyber attacks and towards IT security in general. The most important results in this regard:

• 90% of all IT security officers (CISO) think that current IT security policies are damaging their company's innovative strength. At CEO level, the figure is just over 60%.

• However, decision-makers are also prepared to take responsibility: 80% of CISOs would consider themselves responsible in the event of a successful cyber attack, compared to 44% of CEOs.

• In general, the study found that the IT decision-makers surveyed have a strong emotional attachment to their respective companies. Around 37% would therefore also see a cyber attack as a personal attack.