D: IT security problems within German companies
Category: News
By: F. Fiesel - 2B Advice GmbH - the privacy benchmark
A recent study published [1] by the German Federal Statistical Office (Destatis) showed that in 2009, IT security problems arose in 11% of all companies with more than 10 employees.
Of particular interest is the fact that the employees themselves were responsible for the disclosure of sensitive data in 10% of the cases; only one in four companies offers its employees IT security training. Strict password regulations are, however, used in at least 45% of all companies.
This shows that the topic of IT security still hasn’t been properly acknowledged by all of those in charge. However, it is worth noting at this stage that the published figures do not even come close to representing the tip of the iceberg. In comparison to other crimes, the rate of Internet and computer crime continues to increase rapidly [2], so it can be assumed that (successful) attacks on company systems will cause even greater damage in future.
A glance at the log files of a firewall or web server confirms that, today, unsuccessful attacks occur constantly, with the result that the estimated number of unreported cases of successful attacks is probably even higher.
Destatis also states that 75% of all IT security incidents can be attributed to hardware and software problems, resulting in a loss or alteration of data, which may lead to legal problems (e.g., breach of retention periods). The technical-organizational measures stipulated in the Appendix to § 9 BDSG (Federal Data Protection Act) include, among other things, an "availability check", which also covers protective and back-up measures.
Of course, it is impossible to completely cover all relevant security aspects. Nevertheless, it is imperative that all employees receive regular training in IT security matters to ensure that security problems caused by the employees themselves are reduced to a minimum. Furthermore, it is important that IT security is not considered separately from legal requirements such as the BDSG, as this could have serious legal consequences.
