Managers beware: How you can immediately improve IT security in your company

IT security is the responsibility of the boss and not just the IT department

IT security must be a matter for the boss in times of digital transformation. It is not enough to invest in protective measures. Good IT security requires a cultural change. There is hardly any time for that. That’s why this article provides practical tips on how to improve IT security immediately.

The last line of defence must be in place – there is no way around it. Virus scanners, firewalls and regular updates are a must. But they are only the last line of defence. If your home is burgled, you would be very reluctant to rely solely on the police being called quickly enough to apprehend the thieves. The focus is on preventing the burglary before the culprits have set foot over the threshold, and the same applies to IT security.

If we digitise this burglary scenario in our minds, it becomes clear that here, too, precautions must be taken that can detect or ward off a potential burglary before it is attempted. By the way, this applies equally to small businesses, medium-sized businesses and large companies.

Why should I concern myself with this? Isn’t IT security a matter for the IT department?

NO! Digital transformation and the increasing networking of business processes place growing demands on IT security and therefore affect everyone in the company. Which process in your company can still manage 100% without IT and networking? Not only attacks from the outside, but especially attacks from the inside, whether carried out deliberately or through negligence, lead to high economic damage year after year – and that’s just the beginning. IBM estimates that around 60% of all attacks on IT systems originate within the company’s own infrastructure. Verizon even found that successful phishing attacks were the cause of around 90% of all security-related incidents.

Employees as the root of all evil?

“Employees are the greatest potential threat to IT security!”

This is often quoted as a blanket statement. We have all read this sentence or something similar, if not said it ourselves. That is not very helpful. If you change your perspective and see employees not as a danger but as the first line of defence, the call for better security training quickly becomes loud. This is justified, but not a panacea. The best training and the most sophisticated security concept are of no use if they are too complex and do not provide easy-to-implement, effective, easy-to-remember routines. This criticism starts with password guidelines. Upper and lower case, numbers, special characters and at least 8 characters – and the whole thing must be new every month, please, and under no circumstances may one of the last passwords be reused. Everyone is probably familiar with such or similar organisational instructions. It is exhausting, demotivating and leads to an inner attitude of rejection.

Make it practical and give tips instead of preaching what must and must not be! In the case of passwords, for example, think of a sentence and use the first letters as a password. Or use a combination of words chosen at random. This increases security exponentially with each added word and is both more secure and more memorable than passwords à la J9$rtzhd123. The latter probably only ensure that the good old piece of paper under the keyboard never disappears.

But let’s take another step back. When companies think of their employees as the first line of defence, they often forget something, or rather someone, crucial: the CEO and his management colleagues. Expensive training, education, security concepts. The well-meaning boss, who is often too busy to take part in the training himself, pats himself on the back and mentally ticks off the subject of IT security. Well? Caught yourself? That’s like the mother who preaches to her child to put on a bicycle helmet and then doesn’t put one on herself so as not to ruin her hairstyle. Upper management is a particularly popular target for attackers, as this is where the most valuable data can be stolen. Appropriate IT security means building an awareness culture in the company. And that can only be done by setting an example. Incidentally, this also includes admitting mistakes. If nobody dares to say that they clicked on a suspicious link, the potential for damage is all the greater.

But culture change takes time – how can I improve my IT security immediately?

Know your own infrastructure!

Knowing your own infrastructure allows you to choose which components and information are particularly worth protecting. This should be the main focus, instead of installing security mechanisms with a watering can.

Healthy mistrust!

Our mothers already taught us: never trust a stranger who approaches you. Social engineering and phishing require Mum’s raised index finger, version 4.0: people tend to trust others first. Call for blanket mistrust! This is the only way to prevent employees from unsuspectingly clicking on links in emails or giving away sensitive information on the phone simply because the person on the other end of the line was so trusting and friendly.

Trust the cloud!

Cloud storage can be a real alternative. Depending on the provider, the security standards are extremely high; so high that an individual company would have to dig very deep into its pockets to achieve anything similar. Added to this are availability, low maintenance and scalability.

Reduce the attack surface!

Analyse which IT infrastructure components have access to which systems, databases, networks, etc., and question every link! Necessary for the work or not? The IT department can only help to a limited extent – only the boss knows what is really necessary. Links that are not needed should be cut. Where there is no way, there is not enough will.

A matter for the boss!

IT security is a matter for the boss – not only when it comes to approving orders for firewalls, but especially when it comes to familiarising oneself with the latest attack methods. Awareness-raising does not stop with the employee; bosses are often more in the focus of criminals than clerks.

Prof. Dr. Ina Kayser has been responsible primarily for business informatics (Wirtschaftsinformatik) at IST-Hochschule since October 2016. Before that she worked successfully at, among others, the VDI and Deloitte. She is a certified project manager under PRINCE2 and holds certifications in the IT management standards ITIL and COBIT. During her doctorate she was employed as a research associate at the Universität Duisburg-Essen, where her research included acceptance decisions in e-government participation and the EU’s Digital Agenda. Prof. Dr. Kayser studied business informatics at the Universität Essen, specialising in business informatics for manufacturing companies, statistics and econometrics. She also completed a master’s degree in international business and politics at the University of Sydney in Australia.
