Lufthansa Industry Solutions
From the NIS2 obligation to IT resilience
Only one in two employees believe their own company is under threat from hacker attacks. A current white paper from Lufthansa Industry Solutions shows ways to achieve greater IT resilience - including AI.
Although the potential threat posed by cyberattacks is increasing, the risk is still underestimated. According to a survey conducted on behalf of Lufthansa Industry Solutions (LHIND), one in two employees in Germany believes that a cyberattack on their company is unlikely. At the same time, the more than 1,000 employees surveyed admitted that their own carelessness and lack of knowledge are the greatest weaknesses in the fight against cybercrime.
Against this backdrop, the latest LHIND white paper "Cyber security - from the NIS2 obligation to IT resilience" shows how companies can still manage to implement the NIS2 legislation, which comes into force later this year, in good time.
Christian Garske, Business Director IT Security & Privacy at Lufthansa Industry Solutions (LHIND), explains: "In the course of implementing NIS2, companies must put their systems and processes to the test. The goal is a robust IT architecture that ensures business operations and internal communication even in an emergency." In future, non-compliance with NIS2 could result in fines of up to 10 million euros or 2 percent of total global turnover. A special feature of the new directive is that managing directors or board members can now also be held personally liable for possible violations. Security expert Garske advises a combination of technical solutions and raising employee awareness: "Our survey of more than 1,000 employees reveals negligence in German companies and also shows that the actual threat situation is underestimated. Two thirds of those surveyed identified carelessness and ignorance as the greatest weakness in the company. Nevertheless, half of those surveyed consider a cyberattack on their own company to be unlikely."
However, neither employees nor management should be complacent. According to the latest figures from the industry association Bitkom, more than one in two companies in Germany were affected by digital sabotage in 2022. The total annual damage already amounts to more than 200 billion euros. According to LHIND consultant Garske, this situation is likely to worsen in the coming years.
EU urges SMEs to rethink and act with NIS2
"The original NIS Directive from 2016 was a milestone, but was aimed at large companies and operators of critical infrastructure. However, as cybercrime threatens the stability of the entire economic system, the EU has extended the regulation to more sectors and company sizes," says Christian Garske.
As part of NIS2, medium-sized companies with 50 or more employees must also take more effective measures against IT attacks this year. According to Garske, these include risk analyses, crisis management, data backup, access control concepts and employee training: "The responsibility for these measures can no longer be delegated to IT departments or service providers without restriction; the management must take action itself and perform its control tasks."
5 steps to cyber risk management
In their latest white paper "Cyber security - from the NIS2 obligation to IT resilience", the experts from LHIND explain which measures can be used to strengthen IT resilience and how AI influences security in the company. The document also contains a roadmap on how to achieve NIS2-compliant cyber risk management in 5 steps.













