Overview of the study
The result is clear: companies worldwide want to invest more in their cyber security in the future. In Germany, it is primarily geopolitical risks that are driving change in the field of cyber security. The war in Ukraine, growing dependence on China, the fragility of global supply chains – all of these developments are influencing German companies’ sense of security. 84% of them want to make more funds available for strengthening cyber security in the coming year. Only 4% want to reduce their spending in this area – 20 percentage points less than last year.
In addition to the geopolitical situation, the dynamic regulatory environment is also a strong driver for investment. This is because directives such as NIS-2, the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA) are making managers increasingly responsible. For example, the NIS-2 directive stipulates that managers can now be held personally liable for the effective supervision of cyber security risks. 37% of companies worldwide (Germany: 40%) expect significantly higher compliance costs in connection with this issue.
Top 3 investments: Cloud, application and OT security
More than half of German companies (52%) see the greatest risk of cyber incidents in their cloud infrastructures. One of the possible main causes: the increased pace of adaptation in recent years. German companies have long lagged behind pioneers such as the USA and the UK when it comes to switching to cloud computing due to data protection and security concerns. However, circumstances have increasingly forced them into corresponding infrastructures. But the reservations remain. Accordingly, strengthening cloud security is one of the most common investments at 33%, alongside funds for application security (41%) and OT security (36%).
It is striking that German companies invest significantly more in modernising their technologies and infrastructures, with a budget share of 62% (global: 49%) – a clear indication of the switch from legacy to state-of-the-art solutions. In contrast, there is significantly less investment in ongoing security training in Germany: Only 29% of respondents from Germany intend to provide funds for this – 11% less than the global average.
Financial losses increase
The damage that companies have suffered in recent years shows that the increasing transformation of security functions is not only driven by geopolitics and regulation. Cyber incidents have cost 70% of German companies between 100,000 and 20 million US dollars. Losses of between USD 100,000 and USD 1 million have risen by 15 percentage points compared to the previous year. Only 8% of the companies surveyed have not been affected by data loss in the last three years (globally: 15%).
Integrated cyber technology platforms and AI on the rise
To minimise risks and limit financial losses, more and more companies are turning to integrated cyber technology platforms. 49% of German companies are already using such technologies (44% globally), with a further 43% (39% globally) planning to switch over in the next two years. The advantages are obvious: integrated cyber technology platforms allow companies to manage their security solutions centrally and therefore enforce policies more holistically and scale measures more quickly. They simplify software management, increase transparency and reduce complexity.
Generative artificial intelligence is also playing an increasingly important role in the technological arms race with potential threat actors. In Germany, 75% of respondents plan to use GenAI tools for cyber defence in the next twelve months (globally: 69%). At the same time, only half of managers expect the technology to lead to catastrophic cyberattacks and 27% (globally: 42%) have not integrated the risks from GenAI into their risk management.
At the same time, 35% of respondents in Germany clearly agreed with the statement that they want to use GenAI in an ethical and responsible manner. Responsible AI is therefore expected to become increasingly important, particularly in connection with the EU AI Act.