Adventurous ostrich policy

21% of SMEs without a review of their IT cyber security

Over two thirds of companies in the DACH region neglect to assess their operational cyber risks, even though this is required by the upcoming legal regulations. This is according to the latest Cyber Security Report DACH 2024, which is based on a sample of 300 companies in Germany, Austria and Switzerland. According to the report, only 30% of the companies surveyed regularly carry out a risk assessment of their IT infrastructures to find out how vulnerable they are to hacker attacks.

Serious cyber problems

The ongoing assessment of operational cybersecurity is an integral part of the upcoming legal requirements for IT security, from the Cyber Resilience Act (CRA) to the new edition of the ordinance on network and information security (NIS2). Neglecting to check the company’s cyber resilience can lead to serious compliance problems, with a corresponding legal risk for those responsible, from IT managers to management and board members.

Dangerous neglect of cyber security

Just under a quarter of companies are apparently aware of their own cyber weaknesses, as the survey revealed. Although 23% of the companies surveyed do not currently carry out a cyber risk assessment, they do plan to address this issue in the future. 15% of the companies are satisfied with an annual risk analysis.

In view of the fact that an average of 70 vulnerabilities* are discovered every day in common software programs, it seems downright adventurous to check your own computer network once a year for exploitable vulnerabilities and other security gaps. It’s like having a car inspected every hundred years.

Negligent handling of cyber risks

According to the study, 21% of companies do not review their protection against cyber attacks at all, and 13% do not intend to change this in the future. Just under a tenth (8%) see no need to do so. Just under another tenth (9%) make it particularly easy for themselves and answer in the survey: “We have no cyber risk that we know of.”

In large parts of the economy, an ostrich policy is the order of the day when it comes to cybersecurity. Companies install common defense software such as firewalls and the like and simply rely on these to keep attacks of all kinds away from the IT network. Penetration tests to check the effectiveness of these measures are rarely carried out.

This probably explains why 28% of the companies contacted by Horizon3.ai did not even know whether they had fallen victim to a hacker attack in the last two years. And this despite the fact that, according to the study, 60% of the companies were affected.

Grossly negligent

Where companies carry out annual or more frequent risk assessments, 42% do so internally and 34% commission external service providers with the review. Penetration tests (pentests) are used in 40% of all cases. In a pentest, a general attack is carried out on the company’s entire IT infrastructure in order to test cyber resilience in practice. While this procedure has been a mandatory exercise in the financial sector for years under the name “stress test” by the European Central Bank (ECB), only 40% of companies across all sectors carry out pentests according to the survey.

According to Horizon3.ai, the economy in Germany, Austria and Switzerland relies far too heavily on the assumption that the defense systems “will work” if the worst comes to the worst, without systematically checking this for themselves. From October 17, this will be the case for around 30,000 companies, mainly SMEs, which will then be subject to the NIS2 Implementation and Cybersecurity Strengthening Act. Horizon3.ai refers to estimates that around 40% of all companies with 50 or more employees are subject to the NIS2 regulations.

Stay one step ahead of cyber threats with the DEFENDERBOX: strengthen your company’s resistance to hacker attacks.
