Digital Trust Insights 2025 Study

Study overview

The priorities for risk mitigation have shifted compared to the previous year: Cyber risks now have the highest relevance at 56% (2024: 43%), closely followed by digital and technological risks (50%). In contrast, macroeconomic uncertainties were much less frequently cited as a risk management priority (-19% compared to the previous year). This shift reflects the increasing reliance on technology and the associated potential risks. At the same time, less focus on macroeconomic uncertainties indicates that companies are increasingly strategically adapting to such crises.

Cost driver: Data theft

The increasing relevance of cybersecurity is also related to its potentially high financial impact. 83% of respondents in Germany estimated the cost of a single incident of data theft or misuse (data breaches) in the last three years to be up to $9.9 million. Around 8% reported damages of between $10 and $20 million or even higher. Only 5% of the German companies surveyed were unaffected by data breaches in the last three years, in contrast to the overall global figure of 14%. 

AI increases attack surface 

Generative AI (GenAI) offers many new opportunities for companies but also brings certain cybersecurity risks. Cybercriminals can misuse the ability to create texts, images, and videos to conduct convincingly authentic phishing attacks, disinformation campaigns, and identity theft. Generative AI models themselves can also become targets of attacks, endangering the integrity and confidentiality of the generated data. Accordingly, 67% of the German respondents said that generative AI had increased the attack surface in the last 12 months. At the same time, many companies plan to use the technology to improve their cyber defences. Security professionals in Germany want to prioritise the use of GenAI for threat intelligence (17%), endpoint security (15%), and vulnerability management (14%).

Gaps in cyber resilience

In addition to the growing attack surface due to GenAI, German companies are particularly concerned about hack-and-leak attacks (16%), cloud-related threats (16%), and attacks on connected products (e.g., IoT and OT, 15%). The responses revealed that they are least prepared for ransomware attacks (15%) and third-party breaches (12%). Moreover, many respondents have only rudimentary or no cyber resilience measures implemented in key areas. For example, only 42% could identify their critical business processes across the entire organisation. Only 30% of German companies have fully completed the documentation of technological dependencies, with 63% lacking such documentation at least partially. Almost all companies worldwide have such gaps, which they need to close to strengthen their resilience against cyber-attacks in the long term.

Data protection and regulation drive investments in cybersecurity

The study results show that most companies are aware of their cybersecurity deficiencies and are accordingly increasing their budgets for this area: 72% of German companies plan to increase their funds in the coming year. As in the previous year, they are prioritising investments in data protection and data security as well as technology modernisation (including cyber infrastructure). Regulatory changes are also a driver for these investments. Almost all respondents have observed that legal regulations on cybersecurity have impacted their investments over the last 12 months – 89% of German organisations report a moderate, large, or even significant impact on the increase in cyber expenditure (globally: 83%).

Looking to the future, companies primarily aim for faster response times (14%), improved customer and employee experiences (12%), and greater confidence in their leadership's ability to handle cyber threats (11%). This is because less than half of the German respondents (44%) believe that their board’s cyber expertise is very effective. These numbers underscore the need to build trust by developing cyber expertise. However, this requires close collaboration between security and business leaders. The study shows that there are also deficiencies here: globally, for example, less than half (45%) of CISOs take an active leadership role to a high degree when it comes to providing technology and infrastructure – in Germany, even less frequently (35%). CEOs globally, on the other hand, are primarily involved in discussing key metrics at the board level and the implications of cyber and privacy issues on future business strategy.