Costs & Benefits
IT Security - the journey is the reward
by Hannes Fuchs
IT security is not just a chore, but a real competitive advantage. Yet many still think of it only in terms of firewalls. But how can you check what is current and whether your own investments in IT security are appropriate?
IT security has been rising up the IT agenda for years because the targets are getting bigger and the attackers' tools and structures are becoming more and more professional. About 46 percent of German companies were exposed to a cyber attack in 2021, says a study by Forrester Research and Hiscox. The number of unreported cases, however, is likely to be much higher. According to the IT association BITKOM, the German economy suffered damages of around 203 billion euros in 2022 due to theft of IT equipment and data, espionage and sabotage.
The more IT expands into other areas of life and work, the more diverse the possibilities for an attack become. Whereas in the past data was taken via printers or floppy drives on site, today this is achieved via people, networks, smartphones, satellites, production facilities and gaps in applications. The list of well-known organisations that (have to) publicly admit to an intrusion into their systems grows longer every day. And respondents to our IT Agenda 2022 survey indicated that their security budgets are increasing by around 20 per cent per year on average.
Fortified walls are no longer a solution
Given the dynamics and scale of IT attacks, it is hardly surprising that the subject has become quite complex for most observers. In addition, the focus has shifted from blocking attacks to detecting them, responding adequately (incident management) and restoring the systems. The complexity is also reflected in the fact that many terms are now used synonymously, even though they are not actually congruent. Data protection and information security, for instance, are worlds apart, which is why we briefly explain the most important technical terms related to the protection of confidentiality, integrity and availability here.
Data protection refers to personal data: The aim is to protect the general personal rights of natural persons. Primarily, specifications and rules are used for this purpose.
Data security deals with the protection of all data of persons (e.g. marital status) and organisations (designs, plans, etc.). Technical measures are primarily used for this purpose.
IT security refers to the protection of information on IT systems, i.e. primarily networks, servers, storage and peripherals. The aim is to reduce risks from threats and vulnerabilities to an acceptable level with appropriate measures. Countermeasures include access controls, encryption and firewalls.
Product security defines and implements measures to protect digital or digitally enriched (end customer) products and services from attacks and errors.
Information security refers to the protection of information in both digital and analogue form. This can be a printout of a wage tax statement as well as an Excel file with the dimensions of a new car. Organisational measures and clear instructions ensure that unauthorised persons cannot access the information, but authorised persons can.
No IT security out of the box
Despite the relatively clear distinction in theory, there are always overlaps. And since there are no off-the-shelf technical protection mechanisms for the various security requirements, external security standards are used as a guideline. Legal requirements, standards or regulations for certain sectors are intended to ensure at least a uniform minimum level of protection. These include the standards of the ISO 27000 series or the directive on measures for a high common level of cyber security (NIS 2).
Is my IT security level appropriate?
However, the standardisation approach does not answer the question of whether an organisation's security level, and thus its investments, are fundamentally adequate. This applies, for example, to any gaps in the defences that may have been overlooked. After all, security is not set in stone, but is an evolutionary process. To determine the appropriate level, a consortium benchmark with similar peer companies, for example, provides further help.
If services in the area of IT security are purchased externally "as a service", these expenses can at least be evaluated in a data-based comparison with other IT organisations. Security sourcing is becoming increasingly important as IT organisations open up more and more - the cloud is just one example. Such market comparisons also make it possible to optimise an organisation's security in a targeted manner - from the efficiency of the measures to their effectiveness. Regardless of the initiative, however, the following always applies in IT security: the journey is the reward.
Cloud and security enthusiast Hannes Fuchs has been working as an IT management consultant for over 15 years. His main areas of expertise are IT benchmarking, IT service catalogues and data-driven analyses for optimising service portfolios and service delivery.