begins and ends with company management. Managing directors and board members decide on resources and processes, and at the same time they play a key role in shaping the company's internal rules and the way security is perceived.
Management that motivates its employees, encourages further training and is prepared to commit the necessary resources can decisively raise the level of security in the company.
Dimensions of security
The basis for the security of modern companies is the implementation of the protection goals of confidentiality, availability and integrity. This is what makes it possible to work economically at all, and to do so securely in the long term. Deficiencies in the implementation of these security goals often lead to violations of legal requirements in the areas of data protection and data security. It is not uncommon for company management to be held liable for serious breaches of security principles, if necessary even with their private assets.
Violations of legal bases can be costly
Companies that violate the legal principles of data security and data protection usually suffer a wide range of damage. In addition to the direct material effects, including high fines and claims for damages, indirect effects are possible that may be even more serious than the original, direct material damage. Loss of confidence among customers, suppliers or partners may weigh much more heavily in the long term and become visible in the balance sheet only with some delay.
Awareness in the company
Employees matter. Social engineering has become a preferred method of operation for cyber criminals in recent years. The "human factor" in the company essentially determines the security level of the organization.
Investing in the education and training of employees on security issues pays off. The training and continuing education of personnel that the GDPR already legally requires should always include at least some security-related content. Special awareness seminars for employees supplement the mandatory GDPR training courses.
Management and design
Company management is always responsible. The implementation of technical and organizational data protection and data security measures is a question of systematic operational organization. Medium-sized companies should also consider introducing information security and data protection management systems (ISMS + DSMS) if they do not already have them. Security is not witchcraft, but a question of organization.