As helpful and efficient as digitized processes are, they make companies and organizations heavily dependent on their IT systems.
What began as supporting tools has moved to the centre of business activity and is now a core element of the value chain. This dependence naturally carries a high risk: once the IT is down, nothing can be produced, distributed, communicated or shipped, and time-critical supply chains are no longer served. Such an outage costs revenue, but in practice the threat of damage to a company's reputation is the greater risk.
If a company is successfully hacked, or if data is lost for other reasons, the downside of digitization, the "dark side of the force" so to speak, is quickly revealed. The quality and quantity of cyber-attacks regularly make even professional security teams sweat. IT teams with limited resources face well-organized attackers with mature tooling, or malicious insiders. Technical controls alone are therefore not enough; comprehensive organizational preparation for an emergency is also required. Management, as the body that bears ultimate responsibility, plays a key role here: on the one hand through the example it sets, and on the other hand with regard to liability once a breach is discovered.
A UK case shows how broadly liability is construed under the GDPR: the data protection authority, the Information Commissioner's Office (ICO), announced its intention to fine an international tourism company almost 100 million pounds because the company had not sufficiently examined the IT systems of a competitor it was acquiring. For lack of cyber due diligence, a compromise that had existed since 2014 and exposed the records of millions of customers went undetected. Even after the transaction had been completed, the vulnerability remained open. The breach was not discovered until 2018, two years after the takeover – far too late in the view of the authority.