IT security is a top priority


A Guide for Board Members and CEOs

Foreword: Why IT Security Has Become a Management Responsibility

Imagine receiving a call at 6 a.m. on Monday morning: Your entire IT infrastructure has been encrypted. Customer data is no longer accessible. Operations have come to a standstill. Extortionists are demanding a ransom. Your employees are left helpless, staring at black screens.

This scenario is not dystopian fiction—it is a harsh reality for hundreds of German companies every year. And the question that prosecutors, insurers, and regulatory authorities then ask is not: “Did your IT department have the right tools?” It is: “Did you, as management, fulfill your duty of care?”

IT security has evolved from a technical niche issue into a core governance responsibility. Today, cyberattacks pose the greatest threat to business continuity, reputation, and management liability. Yet many board members still treat the issue as a technical detail that “IT will take care of.”

This booklet is designed to help you understand IT security for what it really is: a strategic management responsibility that directly impacts your business success, your legal standing, and your customers’ trust.

Chapter 1: A False Sense of Security

The most dangerous sentence in the executive office

“Nothing has happened here in 20 years. Why should we invest now?”

This statement is based on a fundamental fallacy: yesterday’s security situation bears no resemblance to today’s.

The reality in numbers:

  • 86% of German companies have been the target of cyberattacks in the past two years (Bitkom 2023)
  • The average loss for small and medium-sized enterprises is 1.3 million euros
  • For 60% of affected SMEs, a serious cyberattack leads to bankruptcy within six months

The invisible is often overlooked

Cybercriminals remain undetected in networks for an average of 287 days. A medium-sized automotive supplier lost access to 15 years’ worth of design data in a single night—resulting in a direct loss of 8 million euros, a production shutdown lasting over three weeks, and the loss of two major customers.

The questions leaders need to ask

  • What data is essential to our business model?
  • How long can we go without IT?
  • Who is liable if sensitive customer data is leaked?
  • Are our backup systems really secure?

Chapter 2: Liability, Reputation, and Economic Consequences

Personal Liability: The Board in the Crosshairs

Legal Basis:

  • Section 93 of the German Stock Corporation Act (AktG) / Section 43 of the German Limited Liability Companies Act (GmbHG): Members of the executive board and managing directors are personally liable to the company for breaches of their duty of care
  • GDPR: Fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher
  • NIS 2 Directive (EU transposition deadline October 2024): Management bodies must approve and oversee the cyber risk management measures and can be held personally liable if they fail to do so

The burden of proof is on you. “I didn’t know about that” is not an excuse.

Economic Consequences: The True Costs

  • Production downtime: Every hour of downtime costs revenue and customer loyalty
  • Emergency IT Services: Six-figure sums for forensic analysis and data recovery
  • Legal disputes, insurance premiums, damage to reputation

Average total cost: 4 to 7 times the amount of direct damage.

Chapter 3: Facts and Myths

Myth 1: “We’re too small to be targeted by hackers”

Wrong. Modern attacks are automated. 80% of successful ransomware attacks target companies with fewer than 1,000 employees.

Myth 2: “A firewall and antivirus software are enough”

Modern attacks use social engineering, zero-day exploits, and encrypted channels. Perimeter tools such as a firewall and signature-based antivirus are necessary but not sufficient on their own; they have to be complemented by multi-factor authentication, systematic patching, network segmentation, tested backups and continuous monitoring.

Myth 3: “That’s what our IT department is for”

IT security is a distinct field that requires specialized knowledge and 24/7 monitoring.

Myth 4: “The cloud solves the problem”

Cloud providers secure the infrastructure they operate, not your data. Under the shared responsibility model, the configuration of the services, identities and access rights, encryption keys, backups and the data itself remain your responsibility, and so does the liability.

Myth 5: “IT security is too expensive”

A professional security architecture costs 3–8% of the IT budget. A ransomware attack costs 20–50 times that amount.

The 3 biggest entry points:

  • Human error (82% of incidents)
  • Unpatched systems (67%)
  • Lack of network segmentation (54%)

Chapter 4: The 7 Responsibilities of Management

1. Conduct a risk analysis – Commission a systematic assessment of critical assets.

2. Define a security strategy – Have the strategy approved by the board of directors, not by the IT department.

3. Allocate resources – Dedicated security budget: 3–8% of the IT budget as a guideline.

4. Clarify responsibilities – Appoint a CISO or engage external expertise.

5. Establish a reporting system – Require quarterly security reports to be presented at board meetings.

6. Raise employee awareness – Regular security training for everyone, including management.

7. Develop and test an emergency plan – Conduct emergency drills at least once a year with management participation.

Business Case: Sample Calculation

  • Annual investment in security: 150,000 euros
  • Risk of a serious attack without protective measures: 15% per year
  • Average loss: 1.8 million euros → Expected value: 270,000 euros/year

The expected annual loss without protection (270,000 euros) exceeds the annual investment (150,000 euros) by 120,000 euros, before reputational damage and personal liability are even counted. Note that this is an upper bound on the benefit: no security programme removes the risk entirely, so the honest comparison is between the expected loss before and after the investment.
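The calculation above is the single case of a general method, the annualized loss expectancy (ALE = single loss expectancy × annual rate of occurrence) and the return on security investment (ROSI) derived from it. The following Python script is an added worked example, not part of the Axsos booklet: it reproduces the booklet's figures for the unprotected case and then carries the calculation through with a residual risk, which the booklet omits. The 70% reduction in likelihood attributed to the security programme is an assumed planning parameter, not a figure from the page.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI).

Added worked example. The unprotected-case figures (1.8 million euros per
incident, 15% per year, 150,000 euros investment) are the booklet's sample
calculation; the 70% likelihood reduction is an assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    single_loss_expectancy: float      # average loss of one serious incident, in euros
    annual_rate_of_occurrence: float   # expected number of such incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def residual_scenario(baseline: RiskScenario,
                      likelihood_reduction: float,
                      impact_reduction: float = 0.0) -> RiskScenario:
    """Scenario after controls are in place.

    Controls can lower the chance of an incident (MFA, patching, segmentation)
    and/or its impact (tested backups shorten the outage). Both reductions are
    fractions between 0 (no effect) and 1 (risk eliminated).
    """
    for r in (likelihood_reduction, impact_reduction):
        if not 0.0 <= r <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    return RiskScenario(
        single_loss_expectancy=baseline.single_loss_expectancy * (1 - impact_reduction),
        annual_rate_of_occurrence=baseline.annual_rate_of_occurrence * (1 - likelihood_reduction),
    )


def rosi(baseline: RiskScenario, residual: RiskScenario, annual_cost: float) -> dict:
    """ROSI = (avoided annual loss - annual cost of controls) / annual cost."""
    avoided = baseline.ale - residual.ale
    net_benefit = avoided - annual_cost
    return {
        "ale_before": baseline.ale,
        "ale_after": residual.ale,
        "avoided_loss": avoided,
        "net_benefit": net_benefit,
        "rosi": net_benefit / annual_cost if annual_cost else float("inf"),
    }


def booklet_example() -> dict:
    """The booklet's numbers, extended with an assumed residual risk."""
    baseline = RiskScenario(single_loss_expectancy=1_800_000,
                            annual_rate_of_occurrence=0.15)
    # Assumption (not from the booklet): the programme cuts the likelihood of a
    # serious incident by 70% and leaves the loss per incident unchanged.
    residual = residual_scenario(baseline, likelihood_reduction=0.70)
    return rosi(baseline, residual, annual_cost=150_000)


if __name__ == "__main__":
    for key, value in booklet_example().items():
        print(f"{key:>13}: {value:,.2f}")
```

With these assumptions the expected loss falls from 270,000 to 81,000 euros per year; the investment avoids 189,000 euros of expected loss and still nets 39,000 euros (a ROSI of 0.26). The point for the board is that the naive comparison of 270,000 against 150,000 overstates the benefit, and that the residual risk after investment, not just the risk before it, belongs in the business case.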

Chapter 5: Axsos as a Strategic Partner

Axsos sees itself as a strategic partner for medium-sized and large companies that want to implement IT security in a professional and business-oriented manner.

The Axsos Security Concept: 4 Pillars

Pillar 1: Analysis & Strategy – A thorough assessment of the current situation and a customized security strategy, presented in a clear and understandable way for management.

Pillar 2: Technical Security Measures – Defense in Depth, Network Segmentation, Identity and Access Management, Encryption, Secure Backup Strategies.

Pillar 3: Monitoring & Incident Response – SOC with 24/7 monitoring, automated threat detection, and penetration testing.

Pillar 4: Compliance & Training – GDPR compliance check, NIS 2 readiness, security awareness training, management workshops.

Flexible entry-level models

  • Quick Security Check (1–2 weeks): A quick assessment
  • Security Roadmap (4–6 weeks): Multi-year security strategy
  • Managed Security Services: Axsos as an Extended Security Team
  • CISO as a Service: Experienced CISO on a part-time basis

Chapter 6: Take Action Now

Free Security Quick Check

In a 90-minute workshop, Axsos analyzes the key risk areas of your business—with no obligation and no fine print.

Schedule an appointment now: security@axsos.de | www.axsos.de

Checklist: Is Your Business Secure?

Strategy & Organization:

  • A documented IT security strategy is in place
  • IT security on the agenda at regular board meetings
  • CISO or Security Officer Appointed
  • Dedicated security budget established

Technical measures:

  • Firewalls in place at the perimeter and between network segments
  • Backups are created daily, at least one copy is kept where an attacker on the network cannot alter or delete it (offline or immutable), and restores are tested regularly
  • Systematic Patch Management
  • Multi-factor authentication as the default

Monitoring & Compliance:

  • 24/7 network monitoring enabled
  • Incident Response Plan Tested
  • GDPR requirements met
  • Employees receive regular training

Results (one point per item ticked, 12 possible): 12 points: Good foundation | 8–11: Action needed | Below 8: Critical gaps – take immediate action
