In times of increased digitization, companies have no choice but to optimize their own IT security measures. So what do they need to pay particular attention to this year? An interview with Matthias Nehls, managing partner and founder of the DGC, about the biggest security challenges companies will face in 2022 – and how to deal strategically with rising risks.
Matthias Nehls, in its latest report on IT security, the German Federal Office for Information Security (BSI) emphasized the seriousness of the situation for commercial enterprises, public authorities and other institutions, as well as private individuals. What is your forecast for 2022 – will the general security situation improve or will the trend described continue?
In view of the fact that the digitization and networking of people, machines and devices – also due to the pandemic and increased remote working – is progressing at a greatly accelerated rate, this development will definitely continue to come to a head. In particular, companies for which digitization was a foreign word before Corona have digitized analog processes on a large scale. To enable employees to access systems, applications and data remotely, security measures such as firewalls have been downgraded. This created countless new security gaps, many of which have not been closed to this day. In the private sector, too, the mass of networked devices that contain potential risks and can be misused for attacks is growing continuously. Cybercriminals are responding to this overall development with concentrated force.
In addition, it can be said that the hacker scene has so far operated according to a scatter principle, i.e., attacks take place across all industries. There is a real danger that criminal activities will be more strongly channeled in the future, which could lead to widespread failures in selected industries.
According to the Bitkom digital association, 20 percent of the IT budget should be spent on security. In reality, however, the picture is different. Why do so many companies still invest too little in cyber security?
The World Economic Forum has declared cyberattacks the second most common risk for companies this decade – many CEOs know this. Nevertheless, a large proportion of companies are still inadequately protected because IT security is difficult to grasp. Unlike finance or legal departments, for example, where a lot of data and facts are available, decision-making in IT is often emotional. The management’s question “Are we secure?” is hastily answered in the affirmative due to insufficient measured values. In addition, it is hardly possible to make internal comparisons of the security situation with regard to competitors. Decision-makers are therefore lulled into a false sense of security – why should they invest more than before if the company is supposedly protected? In order to be able to realistically assess one’s own risk situation, controlling is required, and this in turn is made possible by solutions and the expertise of specialized providers such as the DGC.
Those who optimize IT security are investing in the digital future of their company. This is illustrated by a recent Bitkom study, according to which nine out of ten companies were affected by theft, espionage and sabotage in 2020/2021. The amount of damage has risen to 223 billion euros and has more than doubled compared to 2018/2019. If affected companies had spent just a fraction of this money on security, many incidents could have been avoided.
Are there any industries that are particularly affected by the increasing threats from the web?
In general, all industries are affected by the worsening security situation. Decision-makers should bear in mind that not only office software is vulnerable, but also machinery in industrial companies, for example. Exponentially at risk are those industries that have slept through the digital transformation, such as government agencies. If security incidents occur here, important areas of social life are affected. This is illustrated by the recent attack on municipal IT structures in Schwerin and in the Ludwigslust-Parchim district: Malware caused servers to be encrypted, as a result of which a large proportion of citizen services were subject to restrictions.
The importance of industry-wide rethinking can also be illustrated by the media landscape: Large media companies initially focused on the editorial area when introducing and securing digital processes. Less thought was given to the fact that digital connections to print shops, archives and other players also need to be protected. A widespread wake-up call came in 2020 – after the systems of a well-known media group were encrypted nationwide. The cyber attack affected several central IT systems, and the blackmail group behind it demanded a ransom of 50 million euros.
Cyber security should become a top issue in boardrooms and comprehensive protection a necessary obligation. Because the fact is: If a company is not adequately protected, managers are liable with their private assets. Instead of paying extortion money, it is more effective for companies to provide preventive all-round protection for their IT infrastructures.
So what should companies be prepared for – what do the biggest cyber risks look like in 2022?
The trend toward ransomware, or encryption Trojans, will continue with great publicity. Cybercriminals quickly generate enormous sums through the use of the extortion software: Bitkom reports that related financial losses have increased by 358 percent since 2019. Meanwhile, there are even hacker groups that offer ransomware as a service. Cybercriminals are thus able to rent a complete infrastructure to send millions of emails with a Trojan attached. This perfidious business model involves the ransomware renters financially – it is imperative that IT security counteract this with tailored solutions.
In expert circles, the increasing number of ransomware attacks is nevertheless treated more as a fad.
Professional hackers pose a far greater risk because they act covertly and cause more extensive damage. In 2020, it took an average of 207 days for a data leak to be discovered. By then, hackers are engaging in large-scale data theft, creating two to three points of access to repeatedly penetrate the system and manipulate data. The consequences for affected companies are immense: In addition to selling millions of confidential data records, a professional hacker can manipulate financial flows, spy on trade secrets such as patents or research results, and operate on the stock markets on the basis of confidential board information.
What measures should companies take to meet the increasing demands on their own cyber security in 2022 and to manage the threat situation?
Every company should make IT security a management issue. Managing directors are encouraged to regularly exchange information with their own IT team and to involve external consultants, who are necessary for the targeted optimization of the security situation. In theory, large companies in particular are often already quite well equipped with firewalls and IT software – but there is a lack of human resources and “in-house understanding” to analyze displayed danger indicators.
For example, one of our new customers suffered a serious cyberattack in the past. Although the firewall had reported suspicious activity days earlier, no IT employee noticed the warning message. The attackers were able to search servers for data undisturbed, delete backups and ultimately paralyze the company in order to extort a ransom in the millions. Our security analysts, who provide comprehensive attack monitoring and mitigation at the Cyber Defense Operation Center (CDOC), would have reported this threat within minutes of the firewall message and the extortion would never have occurred.
This incident is not unique and shows that isolated individual solutions are hardly effective, but that 360-degree security should be strived for. Only in this way will companies be able to fully exploit the potential of new technologies and successfully shape their own digital transformation.
Last but not least, it is also important for data protection reasons to place cyber security at the top management level. In the event of a data breach, companies are required by law to report it within 72 hours. After the reporting deadline has passed, there is the threat of fines of up to 20 million euros or up to four percent of the total annual revenue generated worldwide in the previous fiscal year. These enormous risks can be minimized with a well thought-out security strategy.
Thank you very much for the pleasant interview.