Together Against Cyber Insecurity
Das Wichtigste in Kürze
- The ISG reporting obligation affects operators of critical infrastructures and their suppliers too. Without proof of cybersecurity, companies risk losing contracts
- Burgwinkel’s five-step recommendation: clarify whether you are affected, run a GAP analysis, implement measures, provide evidence, review regularly
Companies should not take the obligation to report cyberattacks lightly. At the Baggenstos Breakfast on 1 July, Dr. Daniel Burgwinkel from the consulting firm KRM spoke on this topic and made his position clear: “Proactively engaging with the new Information Security Act (ISG) and its European counterpart NIS2 is not a tiresome obligation, but a strategic necessity. It not only protects your company from attacks and fines, but also secures your place in tomorrow’s supply chain.”
Which companies are affected by the new Information Security Act (ISG)? In just under eight minutes, Daniel Burgwinkel sums up the current situation – for everyone who couldn’t attend the Baggenstos Breakfast.
The trade magazine Inside IT asked the Federal Office for Cybersecurity (BACS). The reporting obligation is working: according to the BACS, reports mainly concerned DoS/DDoS attacks. Often a single report lists several attacks at once. Particularly in focus: public administration and the financial sector.
A resilient economy
To protect critical infrastructures and make digital Switzerland more resilient, the federal government is tightening the reins and, from autumn onward, will also impose fines if a company fails to comply with its reporting obligation.
But who is affected? Obviously the operators of critical infrastructures. The relevant industries are listed in the ISG. Anyone not listed there should not breathe a sigh of relief: companies in the supply chain are also subject to the obligation – they are indirectly affected.
Loss of contracts looms
Companies in the energy, healthcare or financial sectors, for example, are legally obliged to ensure the cybersecurity of their entire supply chain and to require evidence from suppliers. Those who cannot provide it lose the contract.
Voluntary reporting is therefore reserved for only a smaller share of companies. But they would do well to report attacks too. In doing so, they also help strengthen resilience, by enabling the BACS specialists to identify trends early and nip attacks in the bud through awareness-raising.
Daniel Burgwinkel recommends the following measures:
- 🔍 Clarify whether you are affected (directly or indirectly through the ISG, NIS2 or the supply chain act)
- 📊 Carry out a GAP analysis (take stock of existing security measures)
- 🛠️ Implement measures (information and security management system, employee training)
- 📋 Provide evidence (documentation, where applicable certification under ISO 27001 or an industry-specific assessment)
- 🔄 Regularly review effectiveness and adapt to new threats
At Baggenstos we support companies of all sizes, as a Microsoft partner, in building and documenting the necessary cybersecurity. Our team of experts helps them secure their place in the supply chain and become resilient against cyber threats.
