Information security as a success factor: Why it pays off!

What does information security mean?

Information security refers to the entirety of technical and organizational measures that serve to protect information and data from loss, unauthorized access, manipulation or other compromises. The aim is to permanently guarantee the confidentiality, integrity and availability of information – also known as the “CIA triad” (Confidentiality, Integrity, Availability).

Unlike pure IT security, information security refers not only to digital systems, but to all forms of information, including printed documents, conversations, prototypes and organizational knowledge.

It is not just a technical issue, but also encompasses business, legal and organizational aspects. Especially in an environment of increasing digitalization, international business activities and stricter regulation, information security is a key competitive factor – and is also legally binding.

Why is information security essential?

Protection against economic damage

• Loss of sensitive customer data or intellectual property can lead to considerable reputational and financial damage.
• Data protection violations under Art. 32 GDPR can result in fines of up to €20 million or 4% of annual global turnover.

Ensuring business continuity

• Information security reduces downtimes, protects against business interruptions and increases reliability – e.g. through backups and emergency plans (business continuity management).

Legal conformity and contractual compliance

• Companies are legally obliged to implement suitable technical and organizational measures to protect personal data (see Art. 32 GDPR).
• Increased requirements apply to the processing of particularly sensitive data (e.g. health data, trade secrets).
• Proof of an appropriate level of information security is also increasingly becoming a prerequisite in contractual business relationships (e.g. with corporations, authorities or automotive OEMs).

Confidence building and market positioning

• Information security creates trust among customers, partners and investors – especially in data-driven business models.
• It is increasingly a component of ESG ratings and corporate compliance.

Advantages of a practiced information security policy

• Reduction of the liability risk
• Strengthening customer loyalty through trustworthy data processing
• Compliance with legal requirements (e.g. GDPR, TKG, BDSG, Supply Chain Duty of Care Act)
• Reputation protection in crisis situations
• Compliance with industry-specific standards (e.g. TISAX, ISO/IEC 27001, BAIT, VAIT)

How can information security be improved in the company?

Establishment of a safety culture

• Information security does not start with the firewall, but with the attitude of the employees.
• Training, guidelines, regular awareness campaigns and clear responsibilities are essential.

Development of a company-wide security strategy

• Definition of protection goals and risk analysis (e.g. through BSI basic protection, ISO 27001, VDA ISA)
• Establishment of an ISMS (information security management system)

Technical measures

• End-to-end encryption
• Access restrictions and rights concepts
• Two-factor authentication (2FA)
• Monitoring and intrusion detection systems (IDS)

Organizational measures

• Emergency and recovery plans (disaster recovery)
• Employee training (regular and mandatory)
• Audit-proof documentation of access rights, incidents and measures

Legal requirements: When is information security mandatory?

Information security is not only good practice, but also a legal requirement in many areas:

• Art. 32 GDPR requires the implementation of appropriate technical and organizational measures to protect personal data.
• The IT Security Act 2.0 (Germany) places special requirements on companies in the KRITIS sector.
• Companies with processing operations in third countries must also provide special guarantees (Art. 44 et seq. GDPR).
• Increased regulatory requirements apply in the financial sector, healthcare, transport and telecommunications (e.g. Section 8a BSIG, BAIT/VAIT, Section 75b SGB V).

TISAX: Industry standard for information security in the automotive industry

TISAX (Trusted Information Security Assessment Exchange) is a standard developed by the German automotive industry for the assessment and recognition of information security. It is based on the ISA catalog developed by the VDA, which is based on ISO/IEC 27001, among others.

TISAX is mandatory for all companies that work with sensitive information from automotive manufacturers (OEMs) – e.g. design data, production documents, personal data or prototype information.

Objectives of the TISAX certification:

• Standardization of security requirements within the supply chain
• Avoidance of multiple security checks by third parties
• Proof of safe processing for OEMs

Companies from outside the industry are also increasingly using TISAX or ISO standards to document their security architecture to business partners.

Conclusion: Information security is not an IT issue – it is corporate management

Today, information security is an integral part of governance, risk and compliance. It affects not only the IT department, but all processes, systems and people in the company. Its implementation is not only legally required, but also makes strategic sense – and is ultimately a prerequisite for long-term competitiveness and trustworthiness.

The requirements may seem complex – but they are feasible. It is crucial to act early, to involve competent support and to see information security not as a project, but as a permanent management system.

Note: I support companies in the implementation of information security concepts, including TISAX preparations, training concepts and legal support in accordance with the GDPR. Feel free to contact me if you need support – both legally and organizationally.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.