Ensuring cyber security in times of tight budgets

by Dr. Barbara Korte - Manager Cyber Security Sopra Steria Germany

With more than half (57%) of specialists and managers in the public sector reporting that their cyber security budgets are insufficient to fend off hacker attacks in the age of AI, Dr Barbara Korte, manager cyber security at Sopra Steria Germany, asks what decision-makers can do to improve their cyber security with existing resources.

The challenge of insufficient budgets was revealed in Sopra Steria’s recent study Cybersecurity in the Age of AI. Meanwhile, the BSI Situation Report 2024, published in the autumn, paints a clear picture of the cyber threat situation: DDoS attacks on public administration are increasing significantly, both in frequency and in quality. In addition, cloud infrastructures, especially public clouds, are increasingly becoming targets. And the more AI models are used, the greater the potential impact on information security, including the confidentiality and integrity of information.

In terms of the regulatory framework, the European NIS2 Directive was intended to provide legal and planning certainty. Instead, its delayed transposition into German law caused a great deal of confusion: draft after draft came up with different scopes of application, requirements, references to further regulations still to be issued, and estimates of the budgetary and compliance costs.

Unfortunately, cyber security costs money, and there is no silver bullet for sale. Given the budget situation, here are some modest starting points showing how the public sector can use what it already has to increase the efficiency of its own cyber security, at least slightly, without additional spending.

Everyone around the table 

Few will doubt that greater cooperation and exchange of information between administration, science, business and civil society is required. Nor that public administration as a whole becomes more secure when attack patterns are shared via the threat information portals of the federal and state governments and thus made available, free of charge, to all other potentially affected parties. Or that pooling Computer Emergency Response Teams (CERTs) is considerably more economical than maintaining the same resources in each individual authority.

However, the defining characteristic of Germany’s cyber security architecture is fragmentation. Cooperation is the way to increase efficiency while keeping the level of input the same. And that means sitting down at a table and evaluating which institutions would be best positioned, structurally and technically, to take on pooled tasks in this area in future. Associations such as Bitkom, the National Alliance for Cyber Security or the Quadriga of the National Cyber Security Pact are willing discussion partners. This preparatory work is also needed to lay the groundwork for the structural changes of the coming legislative period.

Use free educational offers 

According to the Sopra Steria study, decision-makers in public administrations identified a lack of expertise (65%) and a lack of awareness of the threats in the age of AI as two major obstacles to improved cyber security. 

This knowledge gap is a hard one to close. However, public administration in particular is in a favourable position in several respects thanks to the information and further training offered by the Federal Office for Information Security (BSI): the relevant standards for information security in administration (BSI Standards 200-1 to 200-4 of IT-Grundschutz) are available free of charge, including comprehensive implementation guidance, guidelines and templates that simplify the work. The BSI also provides the complete training material for IT-Grundschutz practitioners free of charge, in an easily digestible form, on its website.

After almost two decades of the federal implementation plan, a basic pool of information security personnel already exists in the authorities, and these people can receive cost-effective, high-quality further training through these offers. At the very least, once staff have taken advantage of them, organisational measures should be implementable without additional material resources, which in turn increases the preventive capacity of the organisation.

Addressing the human weak point 

When it comes to awareness, there are also budget-friendly measures that can be taken. Laziness in following password policies, naivety when making business or personal phone calls in public spaces, and leaving laptops unlocked all make things easier for attackers than they need to be. In 2024, the human factor still led the top six threat categories in the Cloud Security Study by technology group Thales: misconfigurations and human error caused 31% of data incidents. These results are in line with those of the Sopra Steria study, in which 43% of respondents named inappropriate employee reactions to attacks such as phishing as a top risk.

At the same time, a look at the measures organisations actually take reveals where the problem lies: only 48% offer regular cyber security training, and only 44% had guidelines for accessing the organisation's IT infrastructure from the home office.

The still largely unregulated use of AI in everyday work exacerbates the problem. 50% of respondents in our study stated that they use AI applications at least once a month in their day-to-day work. However, only 27% of employers have training or defined guidelines for this use. This opens the door to the AI-related risks the BSI has warned about. The pressure to act on awareness is therefore considerable.

Three cost-effective suggestions 

  1. Create basic awareness 
    In-house guidelines for the use of cloud services, mobile devices outside the office, or AI models can be formulated within a few working days by internal specialists on the basis of existing BSI advisory material.  
  2. Increase frequency
    Existing training material should be circulated more regularly, possibly combined with an obligation for staff to participate or to provide evidence of participation.  
  3. Encourage reflection 
    Everyone should regularly check whether they are actually applying the well-known, low-threshold security measures (changing passwords, using the VPN connection, fitting a privacy screen to the laptop). Authorities can support this with automated internal campaigns without having to invest heavily.

Do not view measures as interim solutions

None of the above measures alone will be enough to maximise cyber security in German authorities. But even the most expensive and best technical solution cannot achieve that on its own either. And even with well-filled state coffers, the federal, state and local authorities would still have to face up to the tasks mentioned. They are therefore not just stop-gap measures to get through 2025 in terms of cyber security. Rather, they are steps that the public sector has to take anyway, together with associations and business partners, and which, unlike other steps, it can actually take in the current budget situation.
