An end to hostile takeovers
With the IT Security Act, the German government wants to make Germany a pioneer in digital personal security. To this end, IT processes of so-called critical infrastructures are to be monitored more closely. This affects more than 2,000 companies nationwide. If risks arise here, this can also endanger personal data. But which companies will be affected and what do they need to be prepared for?
Germany must protect itself better against criminal attacks from the web. This has been known since well before the repeated cyber attacks on the Bundestag network, but these incidents underline how urgent the matter is. According to a recent Bitkom study, digital attacks cost the economy around 51 billion euros a year. According to the report, automotive manufacturers, chemical industries and the financial sector are most frequently affected.
More trust in data security
The IT Security Act provides for better monitoring of companies with critical infrastructures. These are companies in the fields of finance, transport, health and IT. Personal data is to be better protected as a result and citizens' confidence in digitization strengthened. The latter is important, for example, to drive online commerce. Many Internet shoppers still take a critical view of providing personal data in the ordering process. In addition, the law transfers more rights to the Federal Office for Information Security (BSI) and the Federal Criminal Police Office (BKA). This is necessary to ensure uniform precautions. Many companies still believe their IT is up to future network attacks. According to Verizon's Data Breach Investigations Report, almost 70 percent of incidents take months to be detected.
In the future, affected areas will have to prove to both the BSI and the BKA that their IT meets the minimum requirements stipulated in the law. In principle, they should ensure that attacks of any kind are not possible. In most cases, however, the reality is different, because criminal hackers are also getting better and better. That's why the German government is demanding a minimum level of precautions from companies. Accordingly, those responsible should ask themselves: what happens in the event of a cyber attack, and what is at stake? Will only harmless systems be affected, or will operations be at a standstill for weeks? Depending on the situation, improvements must be planned and implemented now.
Rapid response to safety deficiencies
There is nothing in the law about the state of the art and the effort required for implementation. Companies must report to the BSI every two years on what measures have been taken and what deficiencies have been discovered. The BSI can demand that the deficiencies be remedied.
If a digital attack does occur, those responsible must report the incident to the BSI in writing as quickly as possible. This requires detailed records of the technology, the cause and the sequence of events. The BSI should be able to derive public warnings from this, for example about software errors. Reporting is anonymous, but anyone who fails to comply and possibly causes serious security leaks will face fines in the six-figure range.
What affected companies can do to improve their IT in accordance with the new security law is retrievable here.
Press release Interflex