IT security

Cybersecurity starts well before the first warning sounds

Cyber threats never take a break. At the Börsen-Zeitung Retail Banking Day, BDO and ByteLaw explained that true IT security relies not just on technology, but also on strategy, culture, and clear accountability.

At the Retail Banking Day hosted by Börsen-Zeitung, Tobias Kasch and Dirk Koch joined a panel discussion to explore new approaches to managing cyber risks. Their key takeaway: IT security isn’t about individual tools – it’s an ongoing strategic responsibility.

“We’re seeing a false sense of security in many companies”, said Tobias Kasch from auditing firm BDO, quickly setting the tone for the discussion. Although many banks and businesses have established comprehensive compliance frameworks, real IT security often remains an illusion.

Together with Dirk Koch, partner at the specialist law firm ByteLaw, Kasch explained why technology alone is not enough, how human error is systematically underestimated, and how law and technology must interact meaningfully.

Security doesn’t start with tech

Kasch emphasised that BDO’s work goes beyond technical consulting. It supports banks in embedding security strategies holistically. It’s not about ticking boxes, he said, but about developing a security culture where every employee plays a role. “Security is not an IT issue – it starts with each individual’s awareness”, noted Kasch. Particularly in banks, where risk management is traditionally strong, the final step – consistent implementation in everyday operations – is often lacking.

Compliance is no substitute for effectiveness

“Compliance is important, but it’s not an end in itself”, stressed legal expert Koch. Many organisations rely on well-crafted policy documents while overlooking the reality of human error. According to Koch, around 15% of employees regularly fail to comply – a risk that can only be mitigated with effective technical controls.

Systems like Endpoint Detection & Response (EDR) or behaviour-based anomaly detection are essential. But even the best systems are useless if alerts are missed or ignored – especially outside regular business hours.

Both experts addressed the promise of AI-based security systems like KANI (Artificial Anomaly Detection). Kasch praised their ability to detect unusual behaviour, such as unexpected use of scripting languages. However, he cautioned against overreliance: “AI is a tool, not a solution.” Without integration into processes and human oversight, the benefits remain limited. Koch added that clear legal frameworks for AI use are still lacking in many companies – causing considerable uncertainty.

Transparency is key to protection

A core issue: Many banks don’t have a clear overview of where their sensitive data is stored or which systems are most critical. This lack of visibility hampers targeted protection and leads to inefficient use of resources. Additionally, organisations often invest in technical solutions without establishing response protocols – especially for incidents occurring over the weekend. Kasch and Koch advocated for realistic planning, continuous review, and the use of external service providers when necessary.

The panel’s consensus was clear: Anyone treating IT security as a one-off project is bound to fail. “It’s not about individual tools, but a strategic interplay of technology, organisation, and law”, concluded Koch. “Security means knowing what needs protection – and being able to respond to threats even on a Sunday”, added Kasch. For banks, that means moving away from reactive approaches and toward integrated, proactive security strategies. Only then can digital risks be managed sustainably.