The IT security situation in Germany remains tense - as shown by the 2024 situation report from the Federal Office for Information Security (BSI). Cyber criminals are acting increasingly professionally, critical vulnerabilities in IT systems are on the rise, and attacks such as DDoS attacks or ransomware extortion threaten companies, authorities and private individuals alike.
In this context, the introduction of appropriate technical and organisational measures (TOMs) in accordance with Art. 32 GDPR is becoming increasingly important. In addition to complying with data protection regulations, these measures also make a significant contribution to cyber security and help to effectively counter such threats.
Cybercrime as a growing threat to data protection and IT security
Cyber criminals are increasingly using sophisticated methods such as trading in stolen access data (access brokers) or targeted phishing attacks to gain access to company networks. At the same time, serious security vulnerabilities in firewalls, VPNs or operating systems keep coming to light, and attackers exploit them for targeted attacks.
The protection of important data in particular is at risk if companies and organisations do not have sufficient security measures in place. Art. 32 GDPR therefore requires data controllers to ensure ‘a level of security appropriate to the risk’ in order to prevent data loss, unauthorised access or manipulation.
How measures under Art. 32 GDPR can ward off cyberattacks
Measures that can be derived from Art. 32 GDPR are not only relevant for data protection, but also offer effective protection against cyberattacks, as the BSI situation report shows.
Encryption and pseudonymisation of personal data play a central role here, as they prevent stolen information from being directly exploitable. In addition, the introduction of multi-factor authentication (MFA) is an effective measure to make unauthorised access to accounts and systems considerably more difficult.
Another key element is patch and update management. Regular software updates close security gaps before they can be exploited by cyber criminals. This applies in particular to firewalls, VPN systems and operating systems, which are attacked particularly frequently according to the BSI report. At the same time, companies must ensure that their IT systems remain resilient even under stress. DDoS protection measures, such as the use of traffic filtering solutions and emergency plans, help to ensure the availability and resilience of the IT infrastructure - a requirement that arises directly from Art. 32 GDPR.
As ransomware attacks in particular have serious consequences for companies, a well thought-out backup and recovery strategy is essential. Regular, offline backups allow data to be restored quickly after an attack, minimising business interruptions.
In addition, clear access and authorisation concepts should be implemented to reduce the risk of attacks spreading uncontrollably within a network.
In addition to these technical measures, the human factor is decisive. Security awareness and regular employee training are key to preventing social engineering attacks such as phishing. Precisely because cyber criminals are increasingly relying on deceptively genuine fraudulent messages to obtain sensitive information, well-trained staff are an effective line of defence.
Conclusion: Data protection measures as part of the IT security strategy
The BSI Situation Report 2024 makes it clear that data protection and IT security cannot be considered separately. Measures in accordance with Art. 32 GDPR are essential to protect personal data, but they also make a significant contribution to warding off cyber threats as a whole.
Companies and public authorities that develop their technical and organisational protection measures accordingly not only protect the rights of data subjects, but also significantly reduce their own risk - both in terms of data breaches and operational failures due to cyberattacks.
The full status report can be viewed at the following link on the BSI website:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2024.pdf?__blob=publicationFile&v=3