Malware
Malware (malicious software) refers to programs that are introduced into IT systems without the user's knowledge or consent in order to steal, encrypt, or manipulate data, damage systems, or take remote control of them.
The umbrella term malware (short for malicious software) covers all programs designed to perform unwanted and harmful functions on an IT system. The main types include viruses and worms (self-propagating code), trojans (disguised as useful software), ransomware (encrypting data for extortion), spyware and keyloggers (covertly capturing information), adware, as well as rootkits and bots that persistently compromise a system and enlist it into botnets. Malware is typically delivered via phishing emails with infected attachments, manipulated websites (drive-by downloads), infected removable media, software vulnerabilities, or compromised supply chains.
Malware ranks among the most frequent and damaging threats in information security. Germany's Federal Office for Information Security (BSI) has for years named ransomware in particular as one of the greatest dangers to businesses, public authorities, and critical infrastructure. A successful infection can violate all three protection goals: confidentiality (data exfiltration), integrity (manipulated or encrypted data), and availability (operational outage). Beyond immediate financial losses, organisations face reputational damage, contractual penalties, and consequences under data protection and notification law, for example under Art. 33 GDPR or the NIS2 Directive.
Effective protection requires a multi-layered approach (defence in depth) rather than any single measure. Technical controls include up-to-date antivirus and endpoint detection and response solutions, rigorous patch and vulnerability management, network segmentation, email and web filtering, system hardening, and regular offline backups kept separate from the network as the last line of defence against ransomware. Organisational measures are equally important: security awareness training, the least-privilege principle, a documented incident response process, and regular emergency drills. BSI IT-Grundschutz and ISO/IEC 27001 provide the recognised framework for these controls.
Legal Basis
NIS2 Directive (EU) 2022/2555 and the German BSI Act (BSIG); ISO/IEC 27001 (Annex A, including protection against malware); BSI IT-Grundschutz (module OPS.1.1.4); Art. 32 and Art. 33 GDPR
Practical Example
One morning, a mid-sized mechanical engineering company receives reports that files on its file servers can no longer be opened; in their place sits a ransom note. Ransomware introduced through a phishing email has spread across the flat network and encrypted production systems. The information security officer activates the incident response plan: affected systems are isolated, the CSIRT is engaged, and the incident is assessed both as a reportable security incident under NIS2 and as a personal data breach under Art. 33 GDPR. Thanks to separately stored offline backups and a documented recovery procedure, operations can be restored without paying the ransom. In the follow-up, network segmentation, multi-factor authentication, and awareness training are strengthened and made mandatory.