Digitisation in a secure, efficient and legally compliant manner
Two thirds of companies have admitted to be overwhelmed by statutory rules and regulations for IT security and data protection. Read about these rules and regulations as well as other findings from Bundesdruckerei's study.
IT Security Act, the EU General Data Protection Regulation, eIDAS, Safe Harbour Pact, the EU-US Privacy Shield, etc. Two out of three companies in Germany feel out of their depth when it comes to IT security and data protection regulations. This was found in a recent representative survey by Bundesdruckerei among CIOs of German companies with a workforce of more than 20. Smaller firms, in particular, could benefit from advice provided by external experts, says Anja Pötzsch from Bundesdruckerei GmbH.
Two thirds of companies have admitted to being overwhelmed by statutory rules and regulations for IT security and data protection. Were you surprised by this finding?
No, nor by the high number of companies. Many statutory regulations on IT, in general, and on IT security and data protection, in particular, have changed dramatically in recent months, at times without any prior notice, such as the Safe Harbour Pact that was invalidated by the European Court of Justice. Many companies now face uncertainty, especially since the wording of some regulations is quite vague. According to the survey, decision-makers at utility companies and in the ICT sectors feel particularly under pressure. As suppliers and users of IT solutions, it is software and service companies who are affected twice as often by these regulations.
How then should companies, especially those in the IT user sectors, generally respond to the many new legal requirements?
As is so often the case, the solution lies somewhere in the middle. In other words, these companies should neither assume a passive stance, i.e. bury their heads in the sand and hope that the storm will pass, nor should they suddenly take action, i.e. stop or postpone digitisation projects.
External experts can help these companies to keep a cool head. They do this by analysing the current situation and comparing the statutory target situation with the as-is situation. Then they get together with the company to find out how the two can be brought together.
Adapting to the new statutory regulations on IT security is probably unlikely to make business processes leaner...
Our practical experience has shown us that new statutory rules can be a good opportunity to achieve a better structure, improved transparency and greater efficiency for IT processes that have been running for many years. Greater security does not automatically mean more work and less convenience. Moreover, companies that also have their IT infrastructures accredited beyond the scope of statutory regulations often receive better risk ratings, and this can cut the costs of insurance and bank loans.
How can companies find the right consultant for IT security?
We asked IT security officers what they looked for in suppliers of IT solutions. Top of the list were "convincing endorsements" and "advice and ideas exchanged between equals".
What is meant by endorsements is clear. But what does "advice and ideas exchanged between equals" mean?
In today's digital transformation, entire industries now have to quickly adapt to new conditions. Bundesdruckerei has demonstrated how this can be done, transforming itself in recent years to become an IT security supplier. The company had to and still has to meet with the highest security requirements. From our own experience, we are familiar with the enormous challenges that companies have to master during digitisation, and today, we are living proof of the motto for our consultancy philosophy, i.e. 'Go digital – Stay secure'. In other words, we provide advice from practical experience for practical application, which also means involving our internal experts in our consultancy services.
What other features do you consider to be special in Bundesdruckerei's approach to security?
What's important both for us and for customers is an integrated, comprehensive approach to security and we offer technical, organisational and personnel measures from a single source. Moreover, all of our concepts and solutions are tailored to our customers: We sometimes find that staff training is all that is needed, while, at other times, a comprehensive IT security strategy will have to be drawn up and implemented and sometimes, we will recommend specific hardware components. By the way, according to the survey, every sixth company admitted to not having any IT security strategy at all. These companies should make a move soon.
Where is the real problem when it comes to IT security at companies?
In our survey, the specific IT security measures were roughly divided into three categories: technical measures, such as firewalls and encryption, personnel measures, such as training, as well as organisational/process-related measures, such as defining access rights, governance and contingency plans. According to our survey, the state of the art is already quite good, at least when it comes to baseline measures. That being said, only a minority of companies used more advanced technical measures, such as cryptographic solutions based on certificates. Companies consider organisation to be an area with the greatest room for improvement, with every second company stating that they had considerable need for improvement here.
More information related to the study can be found in our free publication entitled 'IT-Sicherheit und Digitalisierung' (available in German only).