(summarized from "Der Personalrat" 06/2025)
Author: Ben Buelow, CTO and CISO, Bund-Verlag Frankfurt am Main
Cyberattacks on hospitals, authorities, and critical infrastructure repeatedly show how vulnerable public institutions are. The public sector in particular is a popular target for hackers. However, effective protective measures can be taken with simple means. Even if works councils do not bear IT responsibility themselves, they should be well-informed as the interface between management and staff.
The Threat Situation in the Public Sector
Cyberattacks can have serious consequences: from IT failures to the loss of sensitive data to reputational damage and loss of trust among employees and citizens. In addition to direct financial damage, intangible consequences must also be addressed.
Simple Means – Great Effect
No system is absolutely secure, as digital environments are constantly changing. Sophisticated concepts like "behavior-based threat detection" are important, but often it's the simple basics that provide the most effective leverage. Common mistakes like missing updates, inadequate backups, and weak passwords repeatedly lead to major damage.
10 Tips for Minimizing IT Security Risks
If the following basics are followed and awareness of dangers is sharpened through regular training and awareness programs, the probability of successful attacks can be massively reduced:
1. Install Updates Promptly
Many incidents could have been prevented by using already available updates. Outdated systems are a gateway for attackers.
2. Clear Password Policies & Multi-Factor Authentication
Strong and unique passwords are mandatory. IT should implement policies, promote password managers, and introduce multi-factor authentication.
3. Regular Training
74% of cyber attacks are due to the human factor. Security awareness programs are one of the most effective levers for raising awareness of security risks.
4. Be Prepared with an Emergency Plan
Every agency should maintain an emergency plan that documents all relevant information and is regularly tested.
5. React Quickly When Security Gaps Are Suspected
A clear process for reporting and handling security incidents helps minimize damage.
6. Establish Transparent Reporting and Communication Structure
Simple and transparent ways to report security incidents as well as an open error culture increase security.
7. The 3-2-1-1 Backup Strategy
At least three copies of data, on two different media types, one copy outside the facility, and one offline copy protect against data loss.
8. Clearly Regulate Access Rights
Strict access management according to the "need-to-know principle": Only authorized persons receive access to sensitive data.
9. Secure Mobile Devices and Home Offices
Mobile devices and home offices must also be encrypted and protected by secure network connections and firewalls.
10. Conduct Regular Audits and Consistently Implement Results
Regular vulnerability scans and penetration tests help find and fix weaknesses.
Conclusion
Lack of awareness of information security, structural inertia, and neglect of basic security practices lead to protective measures being too easily circumvented. IT security can only succeed if every single person understands the urgency and key points and makes their own contribution.
Author's Note:
"There is no glory in prevention" – As long as nothing serious happens, the role of IT security experts is often marginalized. But in an emergency, everyone is affected. Working together toward the same goal is crucial to strengthening security and minimizing risks.
Practical Tip:
Carefully check email attachments and links! All employees must be sensitized to the dangers of phishing and email-based attacks. Suspicious emails and attachments should be recognized, noted, and reported.
Sources: Bitkom Research, Statista 2025; Verizon Data Breach Investigations Report 2024; Full article in "Der Personalrat" 6/2025 – Published by Bund-Verlag GmbH