Deep Dive #6: Digital Security in Berlin
Digital security is becoming increasingly important in view of digitisation. Authorities, administrations, companies and citizens all agree on this. In Berlin, the state government, municipal administrations, IT companies and associations have been involved in the ICT cluster since 2002 in order to jointly counter the risks in cyberspace. Digital security has been identified as one of the cross-cutting issues across the future industries of the capital region and has therefore been included in the innovation strategy of Berlin and Brandenburg, which was revised in 2019.
The German federal authorities and Facebook have recently been affected just as much as the RWE Group - in times of Big Data, AI and Industry 4.0, cyberspace threats spare no one. In the past two years, around two thirds of all domestic companies have been successfully attacked by cyber criminals, according to the IDC study "IT-Security in Deutschland 2018". The representative "Deloitte Cyber Security Report 2018", for which the "Institut für Demoskopie Allensbach" surveyed 528 decision-makers from business and politics, paints a similar picture. Half of all German companies surveyed said they were under attack weekly or even daily. The trend is rising.
Economic damage: at least € 50 billion
Computer viruses, malware, data fraud and fake news are the strongest threats cited by business leaders and politicians in the Deloitte study. The estimates are backed up by figures: according to the "BSI", the number of malware programs increased by 30 per cent from 2017 to 2018. But "malware, phishing and social engineering or DoS attacks" are, according to the IDC study, only some of the risk factors from cyberspace, at 31 per cent. The greatest danger, however, lies within companies themselves: whether it is the lack of security awareness or know-how among employees (37 per cent), "unsecured or poorly secured endpoints" (34 per cent), intentional misconduct or data misuse (28 per cent) or careless networking of devices with applications (23 per cent) - the effects are enormous. The security consequences are often followed by a loss of revenue and image. According to estimates by the Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution), the annual losses for German companies amount to at least € 50 billion.
In view of these consequences, digital security, which is the umbrella term for IT information security issues, should not be underestimated. Companies have recognized the seriousness of the situation: according to "Statista", sales of hardware, software and services for IT security rose in Germany last year by nine per cent to € 4.1 billion. Growth is expected to continue in 2019. Basic IT security solutions have established themselves nationwide in companies, as confirmed by the IDC study of 230 organizations with more than 20 employees. The use of endpoint security software for anti-virus and threat prevention or encryption is therefore a matter of course (88 and 70 per cent respectively); firewall appliances, network, web or messaging security software are standard for more than half of them. 22 per cent rely on security analytics technologies to detect and defend against threats in advance. In addition, more than 20 per cent use security services such as firewalls, IDS and IPS from the cloud. This is followed by email protection, web filtering, client management, data backup and disaster recovery. The majority of respondents rely on automation processes to relieve IT staff and speed up security processes. Only 21 per cent have automated less than a quarter of their processes, and only five per cent have no automated processes.
Security as a management task
However, companies cannot sit back and relax. On the contrary: according to IDC, real protection requires a uniform management system for information security, together with supplementary security concepts, that centrally consolidates and controls IT security solutions, technologies and services. So far, only 58 per cent of the participants have introduced such a system. In view of the rapid technological developments in which new dangers emerge every minute, security solutions must also be constantly adapted. Innovative approaches such as automation, analytics or flexible and modular usage models are also necessary. The IDC experts also recommend that companies concentrate on strategic IT security solutions in the long term. The Deloitte Cyber Security Report 2018 comes to a similar conclusion: "IT security is no longer a secondary issue, but a central management task", and advises a concept of resilience in addition to clear responsibilities, because the idea of being able to completely protect oneself against every type of cyber threat is unrealistic. This is not only down to the companies themselves. It is said that the state must create framework conditions and intervene to help in the event of a crisis. 56 per cent of the business leaders surveyed rate the effectiveness of such support in the event of cyber attacks as high. At the same time, 85 per cent are of the opinion that the state could set even more standards here - also in its own interest.
As dangerous as terrorism and organised crime
Data and identity theft, espionage and cyber warfare not only threaten the economy; they are also among the most serious national risks along with terrorism and organized crime. This was the conclusion of the "Deloitte European Cyber Defense Report 2018", which for the first time provided an overview of national strategies, actors and initiatives to counter cyber threats. In particular, the security of critical infrastructures, the creation of robust information systems and secure data transfer are anchored in the national security guidelines of all 29 European states surveyed and the cyber superpowers USA, China and Russia. However, the report points to shortcomings, mostly in the lack of proactive measures to protect against attacks. In addition, more than one-third of the guidelines are four years or older - and thus anything but up to date. Here, too, the industry is sceptical as to whether the state is armed against cyber threats. According to the Deloitte Cyber Security Report 2018, only ten per cent of business leaders believe that Germany is "as well prepared as possible" for attacks on critical infrastructures. Among politicians, the figure is not much higher at 14 per cent.
The fact that legal and regulatory frameworks are in demand in view of the growing threats is something that is recognised at all levels. The Network and Information Security (NIS) Directive of 2016, for example, created measures to ensure a high common level of security for network and information systems in the European Union. The EU Cybersecurity Act requires, among other things, manufacturer declarations from companies, and the EU General Data Protection Regulation (EU-GDPR) is intended to secure the processing of private information by companies. But it is not only at the European level that regulations for the digital space have recently been implemented or are in the planning stage. The German IT Security Act 2.0, which is currently being coordinated by government departments, calls for an extension of the powers of the BSI, a tightening of cyber criminal law and an intensification of consumer protection, including IT security labelling. The latter makes a further challenge of digital security clear: as necessary as compliance guidelines are, not least as evidence for the protection of critical infrastructures (Kritis), their specifications make the already comprehensive IT processes even more complex.
Berlin model: cooperation between administration and industry
Whether public administration, manufacturers, providers or users - no group can master this increasing complexity alone. This is the conclusion reached by all the studies, and they recommend an intensified dialogue among the groups. While the "National Cyber Security Pact" was recently launched in order to integrate this networking for digital security throughout Germany and thus implement a requirement of the coalition agreement, Germany's IT capital Berlin recognized the potential of joint responsibility for digital security years ago. Since 2002, administrative and economic promotion agencies have been highlighting the topic "security with IT" as one of the focal points of work in the ICT cluster. In 2011, digital security was then firmly anchored as a cross-cutting issue for various industries in the joint innovation strategy of the states of Berlin and Brandenburg (innoBB) and updated in 2019 as innoBB 2025. In addition, there is probably no other German city with as many specialist committees with IT and cyber security focal points as Berlin. Trade events and congresses such as the "Potsdam Conference for National Cyber Security" (HPI), the "Public IT Security PITS" (Behördenspiegel) and the "Annual Cybersecurity Conference" (Handelsblatt) ensure a lively debate on the topic in the capital region.
"it’s.BB": IT security concerns us all
According to the latest study by the Senate Department for Economics, Energy and Public Enterprises from 2016, the digital security industry comprises around 3,000 people employed in more than 100 companies. In addition, a growing number of joint initiatives and cooperations such as the "Bundesverband IT-Sicherheit e.V. (TeleTrusT)" (Federal Association for IT Security), the "Digital Security Netzwerk Berlin e.V. (DSNB)" or the association "Sichere Identität Berlin-Brandenburg e.V." (Secure Identity Berlin-Brandenburg) are advancing the topic of digital security through joint projects and information and networking activities. At the end of 2018, the IT security network Berlin-Brandenburg "it’s.BB" was added as the latest initiative, in which ten well-known companies from the cyber security sector joined forces to strengthen and network the sector and make the capital region even more attractive as an IT security location.
The network, whose members include "becon", "iABG", "HiSolutions AG", "Nexenio" and "iSQI GmbH", sees itself as a coordinator and link in projects and cooperations. Above all, exchange with universities is high on the agenda of it’s.BB. There is a lot of potential for optimisation here: according to the latest "Fachkräftemonitor" of the Chamber of Industry and Commerce, there will be a shortage of around 4,500 skilled employees in the ICT professions in Berlin in 2019. Broken down to the specialist area of IT security, the estimates come to around 350-400 experts. Eliminating the shortage of skilled employees is not the only goal of it’s.BB. In addition, the network wishes to promote the visibility of the IT security community in the capital region and thus further increase Berlin's attractiveness as a working location for skilled workers in this area. Another particular concern is to establish itself as the central specialist contact point for administration, politics and business for questions relating to digital security. In particular, small and medium-sized enterprises (SMEs), which according to a Bitkom study from 2018 are particularly affected by these threats, should have an immediate contact point for damage minimisation in the event of a cyber threat. After all, digital security does not only affect federal authorities, Facebook or the RWE Group - it affects us all.
With the "Deep Dive" series, Projekt Zukunft regularly gives an insight into current technologies in the digital, media and creative industries and provides information about actors, trends and applications from Berlin.