And yet companies can do a great deal to protect themselves. Senior executives still pay too little attention to IT security in their company, however. This is a mistake: if members of management are found to have breached their duty to ensure appropriate IT security, they are personally exposed to claims for damages brought by their own employer. What is more, personal recourse is increasingly being taken against directors when fines are imposed by the state data protection commissioners.

While cases like Sony Pictures receive widespread media coverage, the far greater risks lie within the company itself: inadequate authorization concepts, a lack of physical security measures or insufficient controls within the IT processes provide a wealth of opportunities for data theft.

The publication of the “Grundsätze zur ordnungsgemäßen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff” (GoBD – Principles for the Proper Keeping and Retention of Books, Records and Documents in Electronic Form and for Data Access) on November 14, 2014 has put further pressure on companies. For the first time, the GoBD explicitly addresses the internal control system, data security and procedural documentation. In cases of doubt, external tax auditors may reject the accounting and estimate the tax base.

What does this mean for you? Do not wait until disaster strikes; tackle IT security in your company proactively. Treat information security as an important part of your corporate strategy and give it the same priority. The upcoming annual financial statements may be the opportunity to take the first step, because when reviewing the IT system the financial statements auditor will examine the accounting-related internal control system (for example, the authorization concepts of the IT systems).

Five steps to greater IT security
- Analyze your current security standards as regards processes, systems, people and infrastructure and identify weaknesses.
- Develop a holistic security concept with an effective early warning system.
- Focus on reliable, forward-looking information and take anomalies seriously.
- Use the skills of an expert who has already successfully developed and implemented concepts in other companies.
- Ensure that your standards are complied with. When in doubt, sanction violations so as to underline the issue’s importance and priority.