Why mid-market companies should now be thinking about cybersecurity:

  • Cybersecurity is a matter for all kinds of businesses, but especially for those in the mid-market. Data protection and the protection of critical infrastructure (KRITIS) are central topics for the future – including for mid-market companies.
  • IT and digitalisation are penetrating all areas of mid-market companies. This makes protecting data and systems one of management’s central responsibilities – including at mid-market organisations.
  • The Federal Office for Information Security (BSI) and the IT Security Acts (Umbrella Law and Version 2.0) provide the framework for successful and legally watertight cybersecurity.


Grant Thornton is an authorised partner (advanced persistent threat responder) of the Federal Office for Information Security (BSI) for cyber-attacks.

“We’ll help you protect your organisation and your organisation’s assets. When it comes to cybersecurity, our experienced teams can always help.”

Dr Florian Scheriau, Partner and Head of Cybersecurity at Grant Thornton Germany


Cybersecurity 2024 – steps with a real effect

We are there to help with:

  • Implementing legal requirements
  • Analysing your existing IT infrastructure
  • Safeguarding the value of your organisation against digital attacks
  • Emergencies
  • Recovery, and continuous support in learning the lessons of an incident for your cybersecurity

Identification

We’ll generate a current status analysis and deliver a risk assessment using the following tools:

  • Cybersecurity health check: a standardised approach to assess security measures. This check is based on ISO/IEC standard 27001.
  • IT risk assessment: an IT security risk assessment in which we scrutinise your organisation’s assets, data and information systems, and analyse what potential effects threats to your systems could have.
  • Legal basic assessment: an analysis of potential legal consequences and risks of legal action to your organisation.

Prevention

We will implement specific security measures for you as preventive protection for your organisation with the following methods:

  • Managed security operations centre: we’ll monitor your IT 24/7 as required!
  • Penetration and vulnerability tests: we’ll test your cybersecurity resilience regularly and specifically.
  • Information security management systems/ISMS: we’ll define and carry out regular checks on your policies, procedures and responsibilities to safeguard the security of information within your organisation.
  • NIST cyber security framework 2.0: a comprehensive approach that results in improving risk management and increasing cyber security.
  • The Digital Operational Resilience Act (DORA): implementation of the duties of your organisation under DORA on the harmonisation of cybersecurity in the financial sector across Europe.

Response

In the event of a cyber-attack, we’ll help you take the right steps straight away. In this way we safeguard your organisation’s assets, help you fulfil your reporting obligations and keep you constantly in operation with the following measures:

  • Cyber-incident response: with us, take all the right steps in the event of a cyber-attack!
  • Digital forensic investigations: we’ll help you document the theft of data in a form that can be used as evidence.
  • E-discovery and managed document review: we’ll use electronic investigation methods for you as a basis for evidence that can be used in court.
  • Consulting on data protection law.

Recovery

Avoid the shutdowns and stoppages caused by a cyber-attack, and evaluate what happened! We’ll help you to recover your systems as quickly as possible and work with you to continuously improve them.

  • Disaster recovery: analysis of the cyber-attack.
  • Crisis management: check of existing processes and optimisation as necessary.
  • IT expert opinions: as the basis for potential liability claims.
  • IT, IP and data protection consulting.

Almost 80% of all organisations have registered one or more cyber-attacks within the last twelve months.

Only 23% can attest to not having registered a cyber-attack on their IT within the past year. For 18%, an attack on their IT occurs at least once a month.

About one in four organisations do not analyse any data on cyber-attacks – an indication of a false sense of security.
(Source: Grant Thornton study)

What is cybersecurity?

Cybersecurity comprises technologies, practices and measures that can protect an organisation’s IT. Information and data are the main capital of mid-market companies. So by using cybersecurity measures they are protecting their assets. These include traditional favourites like firewalls and anti-virus programs, but also regular training courses for staff on how to use IT and data. A clear contingency plan is also needed for emergencies. In the event of a cyber-attack, who should do what and when? Who is to be informed and how?

The Umbrella Law and the amendments in version 2.0 of the IT Security Act provide the guidelines and legal basis for cybersecurity. Critical infrastructures, abbreviated to KRITIS, are a particular focus here. Critical infrastructure is defined as infrastructure that is of critical importance to society. If these organisations fail, this will have an effect on public order, safety and security. Which sectors and organisations are on the KRITIS list depends on how critical they are to public life.

Contact us!

References

Cybersecurity for hospitals

THE CLIENT:
The client was a regional hospital with special requirements regarding data protection and cybersecurity.
THE TASK:
Set up and implement an information security management system (ISMS) according to the industry-specific security standard (B3S) for hospitals.
THE APPROACH:
Step-by-step project management consisting of:
  • defining all tasks on the basis of an information network for the critical services
  • analysis of the demands and risks
  • conducting a cyber-health check
  • a detailed assessment of existing information security and IT infrastructure measures.
THE RESULT:
Improved security and integrity of the sensitive data at the hospital as well as increased confidence on the part of patients in the hospital’s security practices. A maximum level of awareness by staff and setting up a plan to address risks/contingency plan.

Development of existing cybersecurity based on BSI IT baseline protection

THE CLIENT:
The client was a public university in North Rhine-Westphalia.
THE TASK:
Support with basis and standard security according to the BSI IT baseline protection methodology.
THE APPROACH:
The university’s IT infrastructure was complex and well-developed. It was divided into the IT of the central university administration and the university-wide IT systems for academic use. We carried out project management and the following steps:
  • conducting an IT baseline protection check to identify outstanding points and measures
  • a maturity analysis according to the CMMI model to establish the current status
  • defining all the measures needed to reach the target condition.
The processes were also classified according to the BSI IT baseline protection taxonomy, followed by establishing the protection needs of the objects identified.
THE RESULT:
With these measures Grant Thornton significantly contributed to putting the university on its way towards ISO 27001 certification on the basis of BSI IT baseline protection.

Conducting internal ISO 27001 cybersecurity audits

THE CLIENT:
The client was a leading European coordination centre for electricity transmission system operators.
THE TASK:
Adapting cybersecurity to match the specifications of the European umbrella organisation.
THE APPROACH:
  • conducting audit preparation workshops and determining the measures to be taken
  • coordinating the measures to be taken with all the service providers involved
  • planning and performing an internal ISMS audit (ISO 27001)
  • checking and assessing documentation made available by service providers
  • conducting service provider audits at the operator of critical infrastructures in the energy sector.
THE RESULT:
Compiling audit reports that subsequently served as the primary evidence for compliance with the umbrella organisation’s specifications. On the basis of the comprehensive measures taken, the technical and organisational aspects of security of the critical infrastructure were inspected, assessed and continually improved.

Why is cybersecurity a matter for management?

Attacks on the IT systems of organisations can be a threat to their existence. Safeguarding against cyber-attacks is therefore part of the responsibility of management. But the experience, know-how and IT expertise for this are often lacking, and this leads to wrong decisions. Directors may then face accusations of having breached their duties of care, which may involve the risk of personal liability.

Six steps to mastering the demands of cybersecurity with Grant Thornton

Together we’ll find out how well cybersecurity is set up at your organisation and what still needs to be done.

Is your organisation a provider of critical infrastructure? Do you have a duty to report or be certified?

We’ll develop a cyber-strategy together on what needs to be added to set you up for the future, taking KRITIS status into account.

Cybersecurity can only succeed if staff are aware of the risks. That’s why it’s vital to train them regularly and comprehensively.

Draw up the contingency plan, define contact persons and, where needed, hold exercises that simulate an emergency.

In an attack, we’ll take care of averting the acute risks and recovering cybersecurity.

IT security and cybersecurity – effectively dealing with cyber-risks at mid-market companies

Cybersecurity is becoming ever more important. Experts today are no longer asking if companies are going to be the victims of an attack – the only question is when. This needs to be prevented and the necessary measures taken. The Federal Office for Information Security (BSI) has marked out the conditions with the IT Security Act. But even in the event of an attack, it’s not too late. The Grant Thornton experts are at your side at all times – both for prevention and in an emergency.

Your contact with us

FAQ cybersecurity

Why do companies need cybersecurity?

Cybersecurity is vital to safeguard company information from unauthorised access by third parties. Personal and business data are valuable. Cybersecurity measures ensure that valuable data are not lost or stolen through cyber-attacks. Cybersecurity pays off in the following aspects of company security:

  • Identity protection
  • Protection against financial losses
  • Protection from reputational damage
  • Preservation of privacy – both of the clients and staff of your organisation
  • Safeguarding of critical information
  • Compliance with legal provisions, and last but not least
  • Protection from cyber-attacks.

Companies today are under massive pressure regarding cybersecurity, and the size of the organisation is playing less and less of a role – it can affect anyone. Data and the organisation’s reputation are valuable. Making sure these are safe is a job for management with high priority.

Contact us now

What does cybersecurity cost?

The cost of cybersecurity cannot be estimated as an overall figure. It depends on the size of the organisation and the number of staff. The business model, sector and current digital status also play a role.
The cost is affected by the scope of the security measures to be taken, internal and external personnel expenses, technology costs for software and hardware solutions, legal compliance requirements on the industry (see also KRITIS requirements), the organisation’s risk management system, the training and awareness of staff, and the steps necessary to identify incidents.
Experience shows, however, that the costs for prevention and setting up cybersecurity are always smaller than the costs that result from an attack.

Contact us now

Where should I start with cybersecurity and what do companies have to look out for?

We recommend starting with a comprehensive survey and a risk assessment of your current status. This will allow you to identify vulnerabilities in your digital infrastructure. Focus on your most critical assets and data and implement clear security guidelines. Train your staff regularly. A disaster recovery plan should also be prioritised in order to be able to deal with a cyber-attack quickly. Cybersecurity insurance can also offer additional protection. We will be glad to assess the conditions and effectiveness of this kind of insurance for your organisation.

Contact us now

What specific steps can provide protection from cyber-attacks?

To be able to give an accurate recommendation, we first have to establish which systems are in use. This requires undertaking a comprehensive survey of the IT infrastructure, followed by a risk assessment and action. KRITIS guidelines also need to be complied with and questions answered, such as: is your organisation a provider of critical infrastructure? Do you have a duty to report or be certified? We recommend drafting a contingency plan that defines contact persons and includes simulated emergency training (penetration tests, vulnerability scans).

Contact us now

Are there any regulatory requirements on the cybersecurity of my organisation?

Legislation such as the General Data Protection Regulation (GDPR) as well as the liability of directors are relevant to companies and management. Standards and sector-specific regulatory requirements such as ISO/IEC 27001, KRITIS, MaRisk, VAG, TISAX, and the BSI Act also have to be complied with.

Contact us now

What is a cybersecurity consultant?

A cybersecurity consultant is an expert in the development, implementation and maintenance of effective cybersecurity measures at an organisation. His or her job is to protect information systems, networks and data from threats in the virtual realm.

In selecting cybersecurity consultants, you should make sure that they are up-to-date with the latest technical developments. The internet changes fast and hackers across the globe are creative – and so cybersecurity experts have to be, too, in order to work effectively.

Contact us now

Is cybersecurity the same as IT security?

The terms cybersecurity and IT security are often used interchangeably. But there are minor differences between the two. IT security includes physical measures that prevent the loss of data. It also involves access controls and security guidelines – online and offline. Cybersecurity primarily concerns itself with attacks from outside by hackers or malware.

Both IT security and cybersecurity need to have their place and must be kept up-to-date.

Contact us now

Why do companies work so much on their cybersecurity?

Today, cybersecurity is a crucial part of business security measures. It is as much a part of everyday business as the alarm system that guards the company premises, and is a consequence of increasing digitalisation. It serves to:

  • Protect from financial losses
  • Safeguard critical information (including intellectual property)
  • Preserve the company’s reputation
  • Comply with legal provisions
  • Prevent interruptions to operations
  • Protect against data and identity theft, and
  • Prevent breaches of data protection.

Digital networking makes it necessary for organisations to also protect and secure themselves in the virtual realm. Cyber-attacks are a part of everyday life today and now not only affect large multinationals, but organisations of every size. Customer data, intellectual property, and not least the organisation’s reputation are at risk.

Contact us now

Why is cybersecurity important?

Cybersecurity today is part of every organisation’s basic security measures. It provides protection from cyber-attacks, financial and data loss, ensures the continuity of business and the security of personal data. It preserves the organisation’s reputation and compliance with legal provisions. Cybersecurity is particularly crucial for organisations included under critical infrastructure (KRITIS). With these, there is a public interest in cybersecurity and the requirements on them are particularly strict.

Contact us now

Get in touch, without any commitment.

If you have any questions, need advice or have been affected by an attack, contact us. Our experts are ready for you right away with all the competence you need.

Emergency number for cyber-attacks

We provide assistance 24 hours a day in the event of cyber-attacks. You can reach us at:

0800 1701000

Just the mail your business needs.

Take advantage of tailor-made updates with our free newsletters and webinars. Move your business forward for the long term.

Our awards

We’re proud of the awards we’ve won. And we’re just as happy that our clients give us top ratings! We’re working hard to keep it that way. And that’s a promise!