Cybercrime offences in Germany still at a record high – "The path to basic protection"

published on 25 August 2023 | reading time approx. 3 minutes

On 16 August 2023, the Federal Criminal Police Office presented the "Bundeslagebild Cybercrime 2022" together with the digital association Bitkom. According to the report, Cybercrime offences in Germany are still at a record high. Specifically, the authorities registered 136,865 cases of cybercrime last year. Based on the damage caused by cybercrime, which was estimated at 203 billion euros in the Economic Protection Report 2022, the phenomenon continues to rank in the top ranks in terms of its damage potential. With the project "Way to basic protection", the Federal Office for Information Security (BSI) is now helping municipalities to get started with IT protection. The following section looks at the extent to which Small and Mid-sized Enterprises (SMEs) can also take advantage of this approach as a low-threshold introduction.

Measures

This makes it all the more advisable for companies to take measures against cybercrime. Small and medium-sized enterprises in particular are often still very poorly positioned in this area and regularly face major challenges in the area of IT and information security. They often lack the financial, human or time resources to secure their systems against cyber attacks and to have appropriate emergency measures in place in the event of an attack. Comprehensive and cost-intensive certifications (e.g. ISO 27001) are therefore often not considered for the time being. However, experience from consulting practice shows that even a low-threshold security concept can be suitable for minimising risks and limiting damage in the event of an emergency. This applies to financial losses resulting directly from a cyber attack as well as to all indirect damages such as GDPR fines or claims for damages.

The cybercrime threat situation has also been painfully apparent to German municipalities in the recent past. The BSI has apparently taken the successful and sometimes serious attacks on municipal IT infrastructure as an opportunity to launch a project to support municipalities in establishing basic IT protection. The "Path to Basic Protection" is intended to make it easier for municipalities to get started with basic protection, which is still often perceived as a hurdle, and to provide assistance with the conception and practical set-up. The starting point of the project are 18 checklists published in August, initially as a so-called community draft. The drafts can still be commented on until 15 September; the publication of a final version is planned for October 2023.

Checklists

The lists are intended to enable municipalities to record their current status quo and identify any measures that need to be implemented. The topics of the checklists range from mobile working, backup, authorisation concepts and preparation for security incidents and thus cover all areas relevant to IT security.

Although the BSI project initially focuses explicitly on municipalities, the checklists are also suitable for SMEs for the most part (KRITIS operators are explicitly excluded). Admittedly, some aspects may be adapted to the specific circumstances and requirements of municipalities. In all other respects, however, the checklists cover essential aspects of general IT baseline security that are equally relevant for municipalities as well as private-sector companies.

The core of the checklists is formed by comprehensive test questions that depict the essential requirements for basic IT protection. These are substantiated and explained by processing instructions that provide clues as to how the requirement of the respective question can be implemented. In addition to guidance on how to carry out an IT security assessment based on the questions, the checklists also contain practical advice and refer to implementation aids and further external documents. Finally, a rough effort estimate is forecast for each audit question based on four different effort categories.

If the checklists are used in conjunction with the notes field, they can also serve as an initial rudimentary documentation tool for keeping track of checks that have already been carried out and measures that have been implemented. Once the inventory has been carried out, companies can then define and prioritise measures for safeguarding on the basis of the "open flanks" identified with the help of the checklists. Furthermore, the checklists are also suitable for the ongoing auditing of implemented measures.

Of course, the published checklists do not replace recognised certification standards for information security such as ISO 27001 or BSI "IT-Grundschutz". However, especially for small companies, they offer a low-threshold, practice-oriented and, last but not least, free introduction to the establishment of IT protection that takes into account and minimises at least basic security risks.

Establishing fundamental IT security measures based on the checklists can often have a positive side effect: In view of the ongoing threat situation, more and more companies are considering taking out cyber risk insurance, which is becoming increasingly popular. The regularly very cost-intensive policies can partly be reduced within the scope of a risk assessment often carried out beforehand on the part of the insurer by providing evidence of documented IT security measures. Depending on the insurer and the company, measures for basic protection can already be taken into account to reduce costs.

The "path to basic protection" and comparable approaches (e.g. IT security consulting for small and micro-enterprises in accordance with DIN SPEC 27076) are thus likely to be suitable, when viewed as a whole, to raise the general level of protection even for small enterprises in Germany. On the one hand, this protects the companies themselves that are specifically affected by cybercrime, but it may also be able to make a significant contribution to increasing the competitiveness of Germany as a location for innovation.

Below you will find the download link to the checklists as well as further information: