Information security

Finding security vulnerabilities: Five tips for companies

20th January 2017

Information security is the number one priority for companies in the age of Industry 4.0. After all, in these times of phishing e-mails, hacked accounts and data theft, all it takes to cause considerable damage is one click on a malicious e-mail attachment or link. If customer, vendor or product databases are attacked, the damage can quickly run into the millions. To protect themselves from data crime, companies are increasingly relying on information security management systems (ISMS). Tatjana Brozat, auditor for information security and lecturer at the TÜV NORD Akademie, explains the five most important success factors.

In the age of digitisation, not only is the exchange of data growing rapidly, but cyber-crime is also increasing exponentially. The Federal Criminal Police Office (BKA) estimates, on the basis of a study carried out by the German Institute for Economic Research, that there were 15 million cases of computer and Internet crime in 2015. But only a fraction of these cases are ever reported and thereby registered in the statistics. For this period, the BKA recorded a total of nearly 45,800 cases of cyber-crime and combined damage of more than € 40.5 million - and the number is growing.

Companies in particular are increasingly falling victim to attacks on their sensitive product or customer data. Major companies, but also small and medium-sized enterprises, must learn in future to protect their own company data more effectively and engage more intensively with the important issue of information security. “Clients are increasingly demanding that their suppliers offer the same data security standards as they do themselves. Anyone who has nothing to show in this regard will quickly lose major customers,” says Tatjana Brozat. To ensure data protection in the long term, it is therefore essential to introduce a comprehensive ISMS: “Purely technical protection by new servers or firewall systems has long been an inadequate solution. The benefits of organisational measures which provide additional protection are unfortunately often underestimated. And it is here that you often find vulnerabilities that are mercilessly exploited by criminals.” According to Tatjana Brozat, companies that want to professionally protect their sensitive data and successfully integrate an ISMS must pay attention to the following five crucial factors:

Success factor number one: Information security is a matter for the top management

“Support from the management tier comes first,” says Brozat. The management must be involved in the implementation of an ISMS and set guidelines for information security that, among other things, define the information to be protected.

Success factor number two: Resources for information security

Without sufficient financial and personnel resources, the measure will not succeed, says Tatjana Brozat with conviction. “The important thing,” explains the expert “is that, depending on the size of the company, an employee is assigned to complete the appropriate training and, as Chief Information Security Officer, or CISO in brief, to take on responsibility for data security management”. At larger companies, this individual can be supported by Information Security Officers (ISO). This kind of training is offered, for instance, by the TÜV NORD Akademie.

Success factor number three: Cross-departmental understanding

Information security has an impact on all of a company's core business processes. This is why it is important for internal communications to make all employees aware of its relevance and of the possible consequences of security breaches. The success of an ISMS depends to a significant extent on compliance with the requirements and their acceptance within the company.

Success factor number four: Selection of appropriate measures

Tatjana Brozat recommends that the measures introduced by the ISMS be appropriate for the size of the company and economically viable. For this reason, organisational measures should be defined right from the start - for example, a role and authorisation concept that states which roles may access which information and in what way. Only then can the technical implementation follow, such as the introduction of multi-factor authentication using smart cards in combination with passwords.
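To make the "organisational first, technical second" ordering concrete, the following is an added example (not from the article or from TÜV NORD) of how a role and authorisation concept can be written down as data and then enforced in code. The roles, resources, users and the rule that writes and administrative actions require a second factor are all hypothetical assumptions chosen for illustration; the point is that the authorisation check is deny-by-default and the multi-factor requirement is expressed as part of the concept rather than bolted on afterwards.

```python
"""Added example: a role and authorisation concept enforced deny-by-default.

Everything here (roles, resources, actions, users) is hypothetical sample
data constructed for the example; it is not taken from the article.
"""
from dataclasses import dataclass

# Organisational artefact: role -> set of (resource, action) permissions.
# Hypothetical roles for a customer database; anything not listed is denied.
ROLE_PERMISSIONS = {
    "sales": {("customer_db", "read")},
    "sales_lead": {("customer_db", "read"), ("customer_db", "write")},
    "dba": {("customer_db", "read"), ("customer_db", "write"), ("customer_db", "admin")},
}

# Part of the same concept: actions that may only be performed in a session
# established with a second factor (e.g. smart card plus password).
MFA_REQUIRED_ACTIONS = {"write", "admin"}


@dataclass(frozen=True)
class Session:
    """An authenticated session: who, which roles, and how strongly authenticated."""
    user: str
    roles: frozenset
    mfa_verified: bool


def is_authorised(session: Session, resource: str, action: str) -> bool:
    """Return True only if a role of the session grants (resource, action)
    and, for MFA-protected actions, the session carries a second factor.
    Unknown roles, resources and actions fall through to a denial."""
    if action in MFA_REQUIRED_ACTIONS and not session.mfa_verified:
        return False
    for role in session.roles:
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def unprotected_privileged_roles(role_permissions=ROLE_PERMISSIONS,
                                 mfa_actions=MFA_REQUIRED_ACTIONS) -> set:
    """Review helper: roles holding at least one privileged action.
    Useful when auditing the concept, since every such role's users must
    actually be issued a second factor for the concept to be enforceable."""
    return {
        role for role, perms in role_permissions.items()
        if any(action in mfa_actions for _, action in perms)
    }


if __name__ == "__main__":
    # Hypothetical users; a sales lead who logged in with password only
    # is refused write access even though the role would allow it.
    anna = Session("anna", frozenset({"sales"}), mfa_verified=False)
    ben_pw = Session("ben", frozenset({"sales_lead"}), mfa_verified=False)
    ben_mfa = Session("ben", frozenset({"sales_lead"}), mfa_verified=True)
    for s, action in [(anna, "read"), (anna, "write"),
                      (ben_pw, "write"), (ben_mfa, "write"), (ben_mfa, "admin")]:
        print(s.user, action, "mfa" if s.mfa_verified else "pw-only",
              "ALLOW" if is_authorised(s, "customer_db", action) else "DENY")
    print("roles that need a second factor:", sorted(unprotected_privileged_roles()))
```

The order matters: the permission table and the list of MFA-protected actions are the organisational decisions; the function merely enforces them, and a smart-card rollout can then be sized from the roles the review helper returns.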

Success factor number five: Define the measurement methods

To verify the success of an ISMS, it is important to define measurable key performance indicators. They can be used to review information security in the company on an annual basis and determine whether or not it has improved. One possible indicator is the number of information security incidents, whose rise or fall is recorded in an annual management report.

About Tatjana Brozat

Tatjana Brozat is an auditor for information security and a lecturer at the TÜV NORD Akademie.


IT security, data protection, data security and information security - some of the many similar-sounding terms in the age of Industry 4.0 which can’t always be clearly separated from one another.

And yet, exactly what “information security” means is set out in the international standard ISO/IEC 27001. The term principally refers to the protection of information - both digital and analogue. The standard defines three basic protection objectives:

  • Confidentiality,
  • Availability and
  • Integrity.

Companies looking to provide professional security for their company data and information systems can have their information security management system certified on the basis of the international standard.