Why mid-market companies should now be thinking about cybersecurity:

  • Cybersecurity is a matter for all kinds of businesses, but especially for those in the mid-market. Data protection and the protection of critical infrastructure (KRITIS) are central topics for the future – including for mid-market companies.
  • IT and digitalisation are penetrating all areas of mid-market companies. This makes protecting data and systems one of management’s central responsibilities – including at mid-market organisations.
  • The Federal Office for Information Security (BSI) and the IT Security Acts (Umbrella Law and Version 2.0) provide the framework for successful and legally watertight cybersecurity.

 

Grant Thornton is an authorised partner (advanced persistent threat responder) of the Federal Office for Information Security (BSI) for cyber-attacks.

“We’ll help you protect your organisation and your organisation’s assets. When it comes to cybersecurity, our experienced teams can always help.”

Thomas Takkin, Partner at Grant Thornton Germany 

Image
steps with a real effect

Cybersecurity 2024

We are there to help with:

  • Implementing legal requirements
  • Analysing your existing IT infrastructure
  • Safeguarding the value of your organisation against digital attacks
  • Emergencies
  • Reanimation and continuous assistance with the learning process with respect to cybersecurity

We generate a current status analysis and deliver a risk assessment using the following tools:

  • Cybersecurity health check: standardised approach to evaluating security measures. This check is based on ISO/IEC standard 27001.
  • IT risk assessment: an IT security risk assessment in which we scrutinise your organisation’s assets, data and information systems, and analyse the potential effects that threats to your systems could have.
  • Basic legal assessment: an analysis of potential legal consequences and litigation risk to your organisation.

We’ll implement specific security measures as preventive protection for your organisation using the following methods:

  • Cyber-defence centre: we monitor your IT 24/7 as required!
    Penetration and vulnerability tests: We’ll test your cybersecurity resilience regularly and specifically.
  • Information security management systems/ISMS: we’ll define and carry out regular checks on your policies, procedures and responsibilities to safeguard information security within your organisation.
  • NIST cybersecurity framework 2.0: a comprehensive approach that results in improving risk management and increasing cybersecurity.
  • The Digital Operational Resilience Act (DORA): implementation of your organisation’s duties under DORA on the harmonisation of cybersecurity in the financial sector across Europe.

In the event of a cyber-attack, we’ll help you take the right steps without delay. In this way we safeguard your organisation’s assets, help you fulfil your reporting obligations and keep you continually able to operate with the following measures:

  • Cyber-incident response – with us, take all the right steps in the event of a cyber-attack!
  • Digital forensic investigations: we’ll help you to prove the theft of data that can be used in evidence.
  • E-discovery and managed document review: we’ll use electronic investigation methods for you as a basis for evidence that can be used in court
  • Consulting on data protection law

Avoid shutdowns and stoppages from a cyber-attack and evaluate them! We’ll help you to recover your systems as quickly as possible and work with you to constantly improve your systems.

  • Disaster recovery: analysis of the cyber-attack.
  • Crisis management: check of existing processes, and improvement as necessary.
  • IT expert opinions: As the basis for potential liability claims.
  • IT, IP and data protection consulting.

Almost 80% of all organisations have registered one or more cyber-attacks within the last twelve months.

Only 23% can attest to not having registered a cyber-attack on their IT within the past year. For 18%, an attack on their IT occurs at least once a month.

About one in four organisations do not analyse any data on cyber-attacks – an indication of a false sense of security. 
(Source: Grant Thornton study)

What is cybersecurity?

Cybersecurity comprises technologies, practices and measures that can protect an organisation’s IT. Information and data are the main capital of mid-market companies. So by using cybersecurity measures they are protecting their assets. These include traditional favourites like firewalls and anti-virus programs, but also regular training courses for staff on how to use IT and data. A clear contingency plan is also needed for emergencies. In the event of a cyber-attack, who should do what and when? Who is to be informed and how?

The Umbrella Law and the amendments in version 2.0 of the IT Security Act provide the guidelines and legal basis for cybersecurity. Critical infrastructures, abbreviated to KRITIS, are a particular focus here. Critical infrastructure is defined as infrastructure that is of critical importance to society. If these organisations fail, this will have an effect on public order, safety and security. Which sectors and organisations are on the KRITIS list depends on how critical they are to public life.

Contact us!

References

Cybersecurity for hospitals

Cybersecurity for hospitals

THE CLIENT:
The client was a regional hospital with special requirements regarding data protection and cybersecurity.
THE TASK:
Set up and implement an information security management system (ISMS) according to the industry-specific security standard (B3S) for hospitals.
THE APPROACH:
Step-by-step project management consisting of: - defining all tasks on the basis of an information network for the critical services - analysis of the demands and risks - conducting a cyber-health check - a detailed assessment of existing information security and IT infrastructure measures.
THE RESULT:
Improved security and integrity of the sensitive data at the hospital as well as increased confidence on the part of patients in the hospital’s security practices. A maximum level of awareness by staff and setting up a plan to address risks/contingency plan.

Development of existing cybersecurity based on BSI IT baseline protection

Development of existing cybersecurity based on BSI IT baseline protection

THE CLIENT:
The client was a public university in North Rhineland-Westphalia
THE TASK:
Support with basis and standard security according to the BSI IT baseline protection methodology.
THE APPROACH:
The university’s IT infrastructure was complex and well-developed. It was divided into the IT of the central university administration and the university-wide IT systems for academic use. We carried out project management and the following steps: - conducting an IT baseline protection check to identify outstanding points and measures - maturity analyse according to the CMMI model to establish current status - defining all the measures needed to reach the target condition. The processes were also classified according to the BSI IT baseline protection taxonomy, followed by establishing the need to protect the objects identified.
THE RESULT:
With these measures Grant Thornton significantly contributed to putting the university on its way towards ISO 27001 certification on the basis of BSI IT baseline protection.

Conducting internal ISO 27001 cybersecurity audits

Conducting internal ISO 27001 cybersecurity audits

THE CLIENT:
The client was a leading European coordination centre for electricity transmission system operators.
THE TASK:
Adapting cybersecurity to match the specifications of the European umbrella organisation.
THE APPROACH:
- conducting audit preparation workshops and determining the measures to be taken - coordinating the measures to be taken with all the service providers involved - planning and performing an internal ISMS audit (ISO 27001) - checking and assessing documentation made available by service providers - conducting service provider audits at the operator of critical infrastructures in the energy sector.
THE RESULT:
Compiling audit reports that subsequently served as the primary evidence for compliance with the umbrella organisation’s specifications. On the basis of the comprehensive measures taken, the technical and organisational aspects of security of the critical infrastructure were inspected, assessed and continually improved.

Six steps how you can master the demands of cybersecurity with Grant Thornton

1. Carry out status analysis

Together we’ll find out how well cybersecurity is set up at your organisation and what still needs to be done.

3. Implement measures

We’ll develop a cyber-strategy together on what needs to be added to set you up for the future, taking KRITIS status into account.

5. Prepare for emergencies

Draw up the contingency plan, define contact persons and hold trainings to simulate an emergency as need be.

2. Comply with KRITIS guidelines

Is your organisation a provider of critical infrastructure? Do you have a duty to report or be certified?

4. Carry out training

Cybersecurity can only succeed if staff are aware of the risks. That’s why it’s vital to train them regularly and comprehensively.

6. Avert damage

In an attack, we’ll take care of averting the acute risks and recovering cybersecurity.

1. Carry out status analysis

Together we’ll find out how well cybersecurity is set up at your organisation and what still needs to be done.

2. Comply with KRITIS guidelines

Is your organisation a provider of critical infrastructure? Do you have a duty to report or be certified?

3. Implement measures

We’ll develop a cyber-strategy together on what needs to be added to set you up for the future, taking KRITIS status into account.

4. Carry out training

Cybersecurity can only succeed if staff are aware of the risks. That’s why it’s vital to train them regularly and comprehensively.

5. Prepare for emergencies

Draw up the contingency plan, define contact persons and hold trainings to simulate an emergency as need be.

6. Avert damage

In an attack, we’ll take care of averting the acute risks and recovering cybersecurity.

IT security and cybersecurity – effectively dealing with cyber-risks at mid-market companies

Cybersecurity is becoming ever more important. Experts today are no longer asking if companies are going to be the victims of an attack – the only question is when. This needs to be prevented and the necessary measures taken. The Federal Office for Information Security (BSI) has marked out the conditions with the IT Security Act. But even in the event of an attack, it’s not too late. The Grant Thornton experts are at your side at all times – both for prevention and in an emergency.

Your contact with us

FAQ cyber security

Cybersecurity is vital to safeguard company information from unauthorised access by third parties. Personal and business data are valuable. Cybersecurity measures ensure that valuable data are not lost or stolen through cyber-attacks. Cybersecurity pays off in the following aspects of company security:

  • Identity protection,
  • Protection from financial loss
  • Protection from reputational damage
  • Preservation of privacy – both of the clients and staff of your organisation
  • Safeguarding of information that is critical to business
  • Compliance with legal provisions and, last but not least
  • Protection from cyber-attacks

Companies today are under massive pressure regarding cybersecurity, and the size of the organisation is playing less and less of a role – it can affect anyone. Data and the organisation’s reputation are valuable. Making sure this is safe is a job for management which has a high priority.

Contact us now

The overall cost of cybersecurity cannot be estimated. It depends on the size of the organisation and the number of staff. The business model, sector and current digital status also play a role.

The costs are affected by the scope of the security measures to be taken, internal and external personnel expenses, technology costs for software and hardware solution, legally prescribed compliance requirements on the industry (also see KRITIS requirements), the organisation’s risk management system, training and awareness of staff and steps necessary to identify incidents.

Experience shows, however, that the costs for prevention and setting up cybersecurity are always smaller than the costs that an attack can create.

We recommend undertaking to record the current status by means of a comprehensive survey and a risk assessment. This will allow you to identify vulnerabilities in your digital infrastructure. Focus on your most critical assets and data and implement clear security guidelines. Train your staff regularly. A disaster recovery plan should also be prioritised in order to be able to deal with a cyber-attack quickly. Cybersecurity insurance can also offer additional protection. We will be glad to assess the conditions and effectiveness of this kind of insurance for your organisation.

To be able to give an accurate recommendation, we first have to establish which systems are in use. This requires undertaking a comprehensive survey of the IT infrastructure, followed by a risk assessment and action. KRITIS guidelines also need to be complied with and questions answered, such as: is your organisation a provider of critical infrastructure? Do you have a duty to report or be certified? We recommend drafting a contingency plan that defines contact persons and includes simulated emergency training (penetration tests, vulnerability scans).

Legislation like the General Data Protection Regulation (GDPR) and the liability of directors are relevant to companies and management. Sector-specific regulatory requirements such as ISO/IEC 27001, KRITIS, MaRisk, VAG, TISAX, the BSI Act also have to be complied with.

A cybersecurity consultant is an expert in the development, implementation and maintenance of effective cybersecurity measures at an organisation. His or her job is to protect information systems, networks and data from threats in the virtual realm.

In selecting cybersecurity consultants, you should make sure that they are up-to-date with the latest technical developments. The internet changes fast and hackers across the globe are creative – and so cybersecurity experts have to be too in order to work effectively.

The phrases cybersecurity and IT security are often used interchangeably. But there small differences between the two terms. IT security includes physical measures that prevent the loss of data. This also involves access controls and security guidelines – online and offline. Cybersecurity primarily concerns itself with attacks from outside by hackers or malware.

Both IT security and cybersecurity need to have their place and have to be kept up-to-date.

Today, cybersecurity is a crucial part of business security. It is a part of things today just as much the alarm system on the company premises and is the result of increasing digitalisation. It serves to:

  • Protect from financial loss
  • Safeguard information that is critical to business (including intellectual property)
  • Preserve the company’s reputation
  • Comply with legal provisions
  • Prevent interruptions to operations
  • Protect against data and identity theft, and
  • Prevent breaches of data protection.

Digital networking makes it necessary for organisations to also protect and secure themselves in the virtual realm. Cyber-attacks are a part of everyday life today and no longer only affect large multinationals, but organisations of every size. Customer data, intellectual property, and even the organisation’s reputation are at risk.

Cybersecurity today is part of every organisation’s basic security measures. It provides protection from cyber-attacks, financial and data loss, ensures the continuity of business and the security of personal data. It preserves the organisation’s reputation and compliance with legal provisions. Cybersecurity is particularly crucial for organisations included under critical infrastructure (KRITIS). With these, there is a public interest in cybersecurity and the requirements on them are particularly strict.

Get in touch, without any commitment.

If you have any questions, need advice or have been affected by an attack, contact us. Our experts are ready for you right away with all the competence you need.

Your advisory team for all technical, business and legal questions.

Thomas Takkin
Thomas Takkin
Partner
Munich
View full profile

    Emergency number for cyber-attacks

    We provide assistance 24 hours a day in the event of cyber-attacks. You can reach us at:

    0800 1701000

    Our awards

    We’re proud of the awards we’ve won. And we’re just as happy that our clients give us top ratings! We’re working hard to keep it that way. And that’s a promise!