G DATA study shows: As hierarchical levels decrease, the sense of responsibility declines significantly
NIS-2 is effective and firmly establishes cybersecurity as a management task in German companies. 77 percent of management teams in Germany feel personally very responsible for their company's IT security. This is a key finding of the latest study, “Cybersicherheit in Zahlen”, conducted by G DATA CyberDefense, Statista and brand eins. However, the survey also shows that the majority of employees do not know to what extent they are personally responsible for IT security in their company.
While the second EU Directive on Network and Information Security (NIS-2) clearly places strategic responsibility at the management level, there is a significant gap within companies. Personal responsibility for IT security is closely linked to hierarchy. According to the study “Cybersicherheit in Zahlen” by G DATA, Statista, and brand eins, 77 percent of senior management feel strongly responsible, followed by three out of five division managers, just under half of department managers, and 41 percent of team leaders. This makes it clear that the intensity of the sense of responsibility follows the respective leadership role. Against the backdrop of regulatory developments such as the NIS 2 Directive or the Cyber Resilience Act (CRA), a heightened sense of responsibility can be seen, particularly at the strategic level.
“The NIS 2 Directive is having an impact: cybersecurity has now clearly become a management task in the boardroom”, says Andreas Lüning, co-founder and CEO of G DATA CyberDefense AG.
“Now we need to consistently carry this sense of responsibility throughout the entire company – because true cyber resilience only comes about when each and every individual understands IT security as part of their own job.”
Security culture in companies has room for improvement
Basically, there is an awareness of the importance of IT security. The picture is threefold: one-third of employees say they feel only partially responsible. Thirty-four percent of those surveyed feel strongly to very strongly responsible for IT security. Another third feel only slightly responsible or not responsible at all. While managers clearly define their role, the picture is more nuanced among employees without management positions: almost a quarter feel very responsible, but 43 percent feel not responsible at all.
This presents a clear opportunity for companies: to leverage the already strong sense of responsibility among management to establish IT security even more consistently as part of the corporate culture. Cyber resilience does not arise solely from technical measures or guidelines. It develops when employees recognize their own effectiveness, for example, in dealing with phishing emails, using secure passwords, or reporting suspicious incidents.
“Cybersicherheit in Zahlen” available for download
“Cybersicherheit in Zahlen” has been published for the fifth time and is characterized by a high density of information and particular methodological depth: more than 5,000 employees in Germany were surveyed as part of a representative online study on cybersecurity in a professional and private context. The experts at Statista closely monitored the survey and, thanks to a sample size that far exceeds the industry standard, are able to present reliable and valid market research results in the magazine “Cybersicherheit in Zahlen”. In addition, the market researchers have compiled figures, data, and facts from more than 300 statistics into a comprehensive reference work on IT security.
Here you can download “Cybersicherheit in Zahlen”.