The topic of information security is not new. The dangers threatening the extensive information landscape in organizations have long been known. According to the April 2019 BSI "Cyber Security Survey," 43% of large companies reported being affected by cyber security incidents in 2018.
For small and medium-sized enterprises, the figure was 26%. And according to the "Situation Report on IT Security in Germany 2021" from the German Federal Office for Information Security (BSI), cases of cybercrime have once again increased significantly. In the reporting period from June 1, 2020, to May 31, 2021, not only was there an increase of a good 22 percent in new malware variants (around 144 million), but the quality of the attacks also continued to rise considerably. In the process, many perpetrators exploited the Corona distress of many companies and people.
However, the security of confidential company information is still neglected. There is often a lack of caution and forethought when processing and storing information. Awareness of the consequences of data theft and its like is also far from sufficiently developed everywhere. In some places, companies are also reluctant to invest the time and effort required to effectively protect their sensitive information.
Step by step to more information security
But the effort required for data security doesn't have to be that great. The good news is that many companies do not have to implement a comprehensive information security management system in one fell swoop. For critical infrastructures (CRITIS), on the other hand, this is required by the German IT Security Act.
A step-by-step approach is also conceivable. This means that the first step, at least in companies that have a quality management (QM) system in accordance with ISO 9001, can be an update of the required risk-based approach - but already with a view to the corresponding requirements of the important information security standard ISO 27001.