A comment by Marc Schieder, CIO of DRACOON
Regensburg, 20 January 2020. At the beginning of the week, AGCS (Allianz Global Corporate & Specialty), a subsidiary of the insurance group Allianz, presented its new "Risk Barometer". Now in its ninth consecutive year, the report is based on a survey of more than 2,700 risk experts from over 100 countries on the most important threats facing companies. For the first time, the study ranks cyber incidents as the most important business risk for companies worldwide. Other leading threats are business interruption and "changes in legislation and regulation", with customs duties, sanctions, Brexit and growing protectionism cited as key concerns for businesses. Climate change appears in the global top ten for the first time, ranking seventh worldwide, and is among the three biggest business risks in Australia, Hong Kong and India, among other countries.
Cyber incidents are not only the most significant risk worldwide but also rank among the top three in Germany and numerous other countries. In some countries they occupy first place outright, for example in Belgium, France, India, South Africa, South Korea, Austria, Sweden, Switzerland, Spain, the UK and the USA. According to AGCS, the threat situation has worsened: data breaches are becoming more expensive, and the number of ransomware and spoofing incidents has also increased. In addition, companies must expect ever higher fines for violations of data protection laws such as the GDPR. The insurer cites a study by the Ponemon Institute according to which a serious data breach, one involving the loss of millions of data records, costs companies an average of 42 million dollars, an increase of 8 percent over the previous year.
The survey makes it clear that companies should make data protection and IT security their top priority. Today, no company can afford to ignore these risks or treat them "on the side". Instead, a security culture must be established within the company. This starts at the top, with the CEO and the supervisory board, and requires all employees in all departments to pull together. Training on the correct handling of sensitive data and on how to behave in the event of an incident is important, but it can only play a supporting role. To prevent serious data loss at the technical level, the company's technology must also be up to date, so a comprehensive modernisation of the IT infrastructure is definitely worthwhile. Notably, the "state of the art" is explicitly referenced in Article 25 of the GDPR (DSGVO), "Data protection by design and by default". In concrete terms, companies can replace file servers, USB sticks, VPN or FTP with modern file service solutions. Above all, when choosing applications, companies should make sure that data protection was taken into account during product development. One concrete example is encryption that is integrated so seamlessly that users no longer have to think about what to watch out for when saving or editing data. Likewise, the key needed to decrypt the files must always remain with the data owner, so that neither the service operator nor an attacker who compromises the service can read the stored data. Companies that continuously work on their internal security procedures and also place the highest technical demands on their IT security are well prepared for times of growing threats.