Security Gaps Threaten German Medium-Sized Enterprises Amid GDPR Compliance Failures

Most German medium-sized companies struggle with weak IT security and fail to fully comply with GDPR access rights, exposing critical vulnerabilities.

Key details

  • Over 80% of medium-sized enterprises in the DACH region have insufficient login security.
  • 66.7% of administrators possess excessive permissions, enabling internal network breaches.
  • 62.1% lack centralized logging or SIEM systems, delaying detection of cyberattacks.
  • 83.5% of GDPR data access requests remain unanswered or incomplete by companies.

A recent report by Trufflepig IT-Forensics reveals that over 80% of medium-sized enterprises in the DACH region face significant security vulnerabilities due to weak access controls and outdated IT structures. The study, which examined 273 penetration tests, shows that 81.8% of companies lack sufficient authentication security for sensitive systems, primarily relying on traditional passwords. Additionally, 66.7% of administrators have excessive permissions, facilitating lateral movement for attackers within networks. Alarmingly, 62.1% of these firms operate without centralized logging or SIEM systems, causing delayed attack detection.

Furthermore, 56.1% of companies maintain inadequate incident response plans that lack regular testing, and 47% fail to segment their networks properly, risking exposure of critical infrastructure. Christian Müller, CTO at Trufflepig, emphasizes that breaches typically stem from such structural weaknesses rather than advanced "zero-day" exploits.

Compounding these security challenges, a separate analysis by noyb highlights that 83.5% of GDPR data access requests remain unanswered or incomplete by companies, including major platforms like TikTok and Microsoft’s Xandr. While the EU Commission considers limiting access rights in the ongoing Digital Omnibus legislative process, critics argue this undermines transparency and data protection. Over 70% of data protection officers do not view such requests as burdensome, contradicting claims justifying proposed restrictions.

These findings underscore an urgent need for medium-sized German enterprises to strengthen both cybersecurity fundamentals and compliance with data protection regulations. Experts advocate for a proactive approach combining prevention, transparency, and active response readiness to combat escalating ransomware and espionage threats.

This article was translated and synthesized from German sources, providing English-speaking readers with local perspectives.

Source comparison

The key details of this story are consistent across the source articles
