Last year, the Lukas Hospital learned the importance of cyber security the hard way. When ransomware crippled several computers, management at the facility in Neuss, near Düsseldorf, took the precautionary step of shutting down the entire IT system and bringing out clipboards again. Other hospitals were also affected, and the incidents demonstrated that criminal hackers are expanding their range of targets beyond corporations.
A year later, however, this insight still has not been fully appreciated by managers around the country. Though increasingly threatened by cyber crime, the Mittelstand, made up of the small- and mid-sized companies that form the backbone of the German economy, is not spending more on IT security. That’s according to a survey of 400 private and 100 publicly traded companies by auditing and consulting firm PwC.
“There is a wide gap between the threat situation and companies’ assessments of their own security situations,” said Peter Bartels, a member of the management board at PwC and head of the firm’s family business and Mittelstand division. “At any rate, we are not seeing an IT security boost among Mittelstand companies.”
But given the massive push toward digitalization in the economy, larger investments are necessary, he added. The threat of cyber attacks is also a topic at the Munich Security Conference taking place this weekend.
In the PwC survey, two out of three companies stated that the threat had increased in the last 12 months, in terms of both quality and quantity. There were more cyber attacks, but there was also an increase in new threats, such as denial-of-service attacks on IT systems, as well as ransomware, software that blocks access to computers in a company and only allows access in exchange for a ransom. This conclusion coincides with the results of other contemporary studies. A 2016 situation report from the German Federal Office for Information Security (BSI), for example, warned against a “new quality of threat” as attackers become more professional.
But despite the growing threat, many Mittelstand companies have reduced their IT security budgets. Only 10 percent of the companies surveyed spent €100,000 ($107,000) or more on IT security, compared to 22 percent last year. The majority (58 percent) budget only €50,000 or less a year for information security. The one bright spot is that 51 percent of survey respondents now intend to increase their budget.
The scarce resources are also reflected in staffing. One in three Mittelstand companies have only one or two employees devoted to information security.
Larger companies are in significantly better shape. Along with the lack of security awareness, this is probably also attributable to a shortage of skilled personnel. According to a survey by IT industry association Bitkom, in the fall there were 51,000 open positions for IT experts, including many IT security jobs.
Companies themselves do not view the situation quite as dramatically. Of those that recognize the heightened threat, 37 percent rate their systems for detecting cyber attacks as no more than average, while 11 percent believe their systems are below average. Still, 71 percent of the private companies believe their IT is well protected or very well protected. PwC believes this is a miscalculation, saying that hackers and cyber criminals have already set their sights on Mittelstand companies. “The attackers stopped distinguishing between major corporations and the Mittelstand long ago,” said Derk Fischer, a cyber security expert at PwC.
The auditing firm sees IT security as a growth industry. Some 150 PwC employees work in the field in Germany and 3,000 do so worldwide. The company expects to triple its capacity in the coming years. Additional acquisitions to expand the business are possible, PwC Germany chief Norbert Winkeljohann recently told Handelsblatt. But the market is hotly contested, and other consulting firms, like Deloitte, Accenture, T-Systems and Capgemini, also offer IT security services.
Christof Kerkmann covers the IT industry for Handelsblatt and is based in Düsseldorf.