More digitization means more cybercrime. Logically, more cyber attacks on companies are reported every year – especially since the central expert office for this crime. And the Internet knows no national borders, so the attacks come from everywhere. There is a tendency to ignore warnings that are repeated often. In this case, however, that would be a serious mistake: if you do not build your own IT security, nobody else will do it for you.
Theft of digital identity – both a criminal offense in itself and the starting point for a large number of further illegal activities (keyword: phishing)
According to the federal management report, DDoS attacks (the deliberate overloading and paralyzing of servers or networks) have increased significantly in quality and quantity.
“Cybercrime-as-a-Service” is spreading as a criminal business model and now enables a broad user base without in-depth IT knowledge to commit cybercrimes (keyword: Darknet)
In particular, small and medium-sized companies often fall victim to ransomware: these programs use encryption Trojans (i.e., viruses) to paralyze the company’s IT and create the basis for blackmail.
Malware enables tailor-made attacks on specific computer systems; once it has penetrated a system, it can also download additional malware.
Therefore, anyone who runs a company in one of these areas has a special duty to report cyber attacks on the company (or the suspicion that one has occurred) to the Federal Ministry for Security and IT (BSI). In addition, companies that meet specific criteria must comply with exceptional security standards.
Warning: Just because you do not fall into one of these industries does not mean you are less at risk – only that paralyzing your business does not directly affect the general good of society. You can use the same resources to increase your IT security. The BSI assists with introducing the BSI security standard and the so-called IT baseline protection. The security guideline VdS 10000 is especially suitable for smaller companies (fewer than ten employees), and it is presented in our information security guidelines for small and medium-sized companies.
Absolute Minimum Protection
As an absolute minimum, you should meet the security standard of your industry so that you do not stand out from the crowd as a desirable target. However, this only helps against targeted attacks on specific companies. The vast majority of attacks, e.g., through ransomware or phishing, are untargeted – they reach millions of companies simultaneously, and with high probability yours is among them. This is made worse by the fact that companies often do not even notice successful cyber attacks.
In an interview with us, a cyber security expert recommended that entrepreneurs take the first step of getting an overview of the threat situation. Understand where and how your company uses IT and where it depends on IT to continue functioning. In this way, you can also find out which systems should have an exceptionally high priority when introducing protective measures and which can be postponed. In the next step, you work out what kind of attacks could occur at each respective vulnerability and how you want to react in an emergency. You have to instill these rules of conduct in your employees, because many measures fail when employees do not know that they have to report anomalies, or do not dare to act because of an unhealthy corporate culture. The security guidelines mentioned above help with this process as well.