Cyber attacks are a constant threat to companies, yet security measures are often seen as a mere formality. With an average delay of 150 days in security patches and millions of attacks every month, it is high time for a change.
Companies must keep up with the rapid development of modern attack techniques and also identify potentially new vulnerabilities.
The figure is alarming: 67 million cyber-attacks were recorded by Telekom on its honeypots within a single month. This number illustrates how acute the threat situation is. But that is not the only problem. On average, it takes 150 days for security patches to be applied in companies. For almost half a year, systems therefore remain exposed to attacks on vulnerabilities that are already publicly known and for which a fix already exists. It is time for German companies to address this issue more intensively. The way things are currently run, however, is not working.
Security as a formality—Why that doesn't work
Current analyses of software security are often neither systematic nor targeted enough. The digital transformation and the increasing use of technology in business processes call for holistic, meaningful digitization built on systems that companies and customers can genuinely trust. In practice, however, an unfavorable pattern repeats itself: software is examined for security issues, experts find vulnerabilities and write reports, and then usually nothing happens. The effort is high, the benefit low. Security tests are still treated as a formal necessity rather than as a practical tool. Critical questions in this context remain unanswered:
What are we even investigating and why?
What do we do with the results?
How do we manage to implement security checks continuously and with little effort?
Cybersecurity in companies: What do we need to test?
Companies are daily targets of cyber attacks. To counter these threats effectively, a systematic and targeted analysis of IT security is essential: it must cover not only the weaknesses that are already known but also the attack techniques that evolve alongside them. Typical findings include:
Outdated or unpatched systems
Weak access controls, such as poor passwords or lack of two-factor authentication (2FA)
Insecure configurations of systems and networks
Missing or incorrect data encryption
Vulnerabilities in web applications and lack of audits
Insufficient awareness of security issues and lack of employee training
Insecure network architecture, such as open Wi-Fi networks or privileged network segments without appropriate access protection
Inadequate processes for responding to an attack
Ideally, the process begins with a comprehensive inventory of the entire IT infrastructure and software environment. All relevant systems, networks, and applications are captured and analyzed. Subsequently, a detailed review of the security architecture follows, including access controls, encryption methods, network configurations, and other security-relevant parameters. The investigation should include both automated tools and manual examinations by experienced security experts to uncover complex or previously overlooked vulnerabilities. Throughout the process, clear documentation of results and effective communication with all stakeholders are crucial to enable a quick response to identified risks. But what happens afterwards?
Out of the drawer: How can companies properly use the results?
The report delivered after a security analysis already documents each finding with a risk rating and recommendations for remediation; producing it is the auditor's job. Getting it "out of the drawer" starts with actually understanding the identified vulnerabilities. Some attacks are technically complex enough that even experienced software developers need a moment to grasp the attack scenario and the corresponding countermeasures. Once that step is accomplished, a clear action plan should set out which vulnerabilities are addressed first and how this can be done most efficiently, weighing the severity of each finding against the exposure of the affected system and how long it has already been open.
In addition, communicating the results to all relevant stakeholders is crucial. This includes not only the IT security team, but also developers, management, and possibly external service providers or auditors. The results should be presented in an understandable format that clearly conveys the urgency of the measures and the required resources. Regular updates and feedback on the progress of implementation are also important to ensure that security issues are continuously and effectively addressed.
How can it be implemented with little effort?
To implement security checks continuously and with minimal effort, companies should focus on automation and integration. Whether they rely on specialized service providers or implement their own strategy depends entirely on their expertise and capacities. In any case, three key strategies should be at the center:
Automated security tools: These enable regular scans and tests that run continuously and can quickly identify potential vulnerabilities.
Date: 08.12.2025
DevSecOps approach: Integration of security checks into the development process from the beginning to address security aspects early on.
Management support: Provision of resources and training to ensure that security measures can be continuously improved and updated without disrupting ongoing business processes.
Bonus: Involve experts: Specialized service providers are generally a good idea here because they can combine the best practices of all client companies into a powerful security strategy. This saves trial-and-error scenarios and frees up capacities.
These measures help companies respond efficiently to security threats and protect their IT infrastructure in the long term. This is already well documented—for example, in Microsoft's Security Development Lifecycle (SDL). With a secure present, companies can then look to the future.
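Two of the points above, the action plan that decides what gets fixed first ("Out of the drawer") and the continuously running automated check (DevSecOps), can be combined in one small tool. The following Python script is an added example written for this page, not code from the article or its author. It reads scanner findings in an assumed JSON shape, ranks them by a simple risk score, measures how long each has been open against per-severity remediation deadlines, and returns a non-zero exit status when a deadline is blown, so that a CI job fails instead of a report landing in a drawer. The finding format, the deadlines, the scoring weights, the reference date and the sample findings are all assumptions constructed for the example.

```python
"""Added example for this page (not from the article or its author): a small
CI gate that turns scanner findings into a prioritised action plan and fails
the build on remediation-SLA breaches. Finding format, deadlines, weights and
sample data are assumptions constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
import json
import sys

# Assumed per-severity remediation deadlines in days (hypothetical policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed scoring weights: severity times exposure of the affected asset.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "internal": 1}

# Constructed scanner output in an assumed JSON shape; dates are ISO 8601.
SAMPLE_FINDINGS = """[
 {"asset": "shop-web", "title": "web server missing vendor patch",
  "severity": "high", "exposure": "internet", "found": "2024-09-01"},
 {"asset": "admin-portal", "title": "admin login without 2FA",
  "severity": "critical", "exposure": "internet", "found": "2025-01-28"},
 {"asset": "hr-db", "title": "database connections unencrypted",
  "severity": "medium", "exposure": "internal", "found": "2024-11-15"},
 {"asset": "wiki", "title": "error pages disclose stack traces",
  "severity": "low", "exposure": "internal", "found": "2024-05-01"}
]"""
# Fixed reference date (constructed) so the example is reproducible.
TODAY = date(2025, 1, 31)


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: str
    exposure: str
    found: date


def load_findings(raw: str) -> list[Finding]:
    """Parse scanner JSON; reject unknown severities or exposures rather than
    silently scoring them as zero (a mis-tagged finding would vanish)."""
    out = []
    for item in json.loads(raw):
        sev, exp = item["severity"].lower(), item["exposure"].lower()
        if sev not in SLA_DAYS or exp not in EXPOSURE_WEIGHT:
            raise ValueError(f"unknown severity/exposure for {item['asset']}")
        out.append(Finding(item["asset"], item["title"], sev, exp,
                           date.fromisoformat(item["found"])))
    return out


def days_open(f: Finding, today: date = TODAY) -> int:
    return (today - f.found).days


def days_overdue(f: Finding, today: date = TODAY) -> int:
    """Days beyond the deadline for this severity; 0 if still within SLA."""
    return max(0, days_open(f, today) - SLA_DAYS[f.severity])


def risk_score(f: Finding) -> int:
    return SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure]


def action_plan(findings: list[Finding], today: date = TODAY) -> list[dict]:
    """Ordered to-do list: highest risk first, older findings first on ties."""
    ranked = sorted(findings,
                    key=lambda f: (-risk_score(f), -days_open(f, today)))
    return [{"rank": i + 1, "asset": f.asset, "title": f.title,
             "score": risk_score(f), "days_open": days_open(f, today),
             "days_overdue": days_overdue(f, today)}
            for i, f in enumerate(ranked)]


def gate(findings: list[Finding], today: date = TODAY) -> int:
    """Exit status for CI: 1 if any finding has blown its deadline, else 0."""
    return 1 if any(days_overdue(f, today) for f in findings) else 0


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS)
    for row in action_plan(findings):
        flag = "OVERDUE" if row["days_overdue"] else "ok"
        print(f"{row['rank']}. [{flag}] {row['asset']}: {row['title']} "
              f"(score {row['score']}, open {row['days_open']} d)")
    sys.exit(gate(findings))
```

Run as a pipeline step after the scanner: the printed plan is the ordered to-do list, and the exit status is what the pipeline acts on. In the constructed data the unpatched web server has been open 152 days, roughly the 150-day average cited at the start of the article, and is exactly the kind of finding the gate is meant to surface long before it reaches half a year.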
Essentials for secure software
To prepare for future threats and challenges, companies should pursue several key strategies:
Regular risk assessments and the application of threat modeling help to identify potential risks early and address them appropriately.
At the same time, compliance with all relevant regulations and best practices is crucial. Here, contracts with customers and service providers, data protection regulations, and last but not least, the company's reputation play a role.
The use of modern technologies such as artificial intelligence and automation helps companies efficiently identify and close security gaps.
Continuous training of employees in the field of IT security promotes a strong security awareness and ensures that security practices are firmly anchored in the company.
An open approach to security issues and the disclosure of security incidents are important to learn from mistakes and continuously improve the security strategy.
Regular security audits enable a systematic review of security measures and identify vulnerabilities before they can be exploited.
The development and implementation of an emergency plan ensures that the company is prepared for potential security incidents and can respond quickly.
Own research and development activities in the field of security, as well as the study of current research results, help companies develop innovative solutions and introduce new security technologies early.
By proactively implementing these measures or having them implemented by service providers, companies can secure their IT infrastructure robustly against future threats and promote a strong security culture within the organization. This is crucial not only to protect their own data and systems but also to strengthen the trust of customers and business partners in the company's security standards.
*Ben Fuhrmannek is the managing director of Sektion Eins and an IT security consultant at Taktsoft.