The digital transformation is proving to be an opportunity for companies to position themselves for the future – but it also means that IT security requirements are increasing, and many companies still have some catching up to do. Compared with the financial impact of a cyber attack, the measures of a smart IT security concept cost far less, as Dino Huber, CEO Germany at DGC, points out in an interview:
IT security concept: How likely is it for companies to fall victim to a cyber attack?
Former FBI Director Robert Mueller summed up the likelihood a decade ago: “There are two types of companies – those that have already been hacked and those that will be.” His words are still relevant today. Cybercrime continues to rise in the wake of increasing digital connectivity and remote work. In the process, hackers are becoming more professional and quickly adapting their attack tactics to technological innovations. In this respect, companies of all sizes and across all industries are affected by this very high and real risk. Dangers lurk everywhere in the digital world and should urge decision-makers to take action.
We are repeatedly asked by our customers when they will be attacked. It’s hard to predict the exact moment. But companies can reduce their own attack surface from the outset and close existing vulnerabilities to minimize the potential for danger. The best way to do this is by implementing an IT risk management system that identifies and assesses risks and implements targeted countermeasures.
Which IT risk scenarios should companies be prepared for?
As an IT security provider, we observe three main scenarios in practice that pose the greatest risk potential. First, there are the companies that have already been infiltrated, i.e., are unwitting victims and know nothing about it. Professional hackers exploit this situation to spy on large amounts of data and trade secrets and turn them into money.
Then there are companies that are blackmailed during a phishing attack and are expected to pay cybercriminals large ransom sums to release their frozen data and systems.
The third scenario, arguably the worst for companies, results from arbitrary action. Here, cybercriminals hit their target – such as an organization with inadequately protected IT infrastructure – more by accident as part of a broad-based cyberattack. These companies are hit particularly hard because they usually have not yet developed a contingency plan for the rapid recovery of their business operations.
What costs and consequences must companies be prepared for in the event of a cyber attack?
In the event of a successful cyber attack, companies must be prepared for extensive economic damage. It is common for extortion sums to be in the hundreds of millions of US dollars. If confidential data is stolen, there is also the threat of lost sales and claims for damages from customers, suppliers and business partners. In addition, the damage to a company’s reputation and image can be considerable, often lasting for years and having an extremely damaging effect on business.
An attack is particularly critical if there is no proven emergency plan. This plan specifies who is to carry out which measures to restore operations and in what order. If such a plan is missing, a service provider should be called in as fast as possible to specify a standardized procedure and avoid errors when repairing the damage. There is a considerable risk of aggravating the damage by acting on one’s own authority. For example, backups must not be imported too early, because companies then run the risk that this data will also be frozen by the hackers.
In the event of blackmail, companies need experts who can quickly and comprehensively assess the risk situation, negotiate with the attackers and ensure, for example, that the ransom sum – which is often demanded in cryptocurrency – does not increase further.
Experience and knowledge are essential for the right damage-containment response to such an attack scenario. IT experts call this incident response and disaster recovery. In the event of an emergency, it is also important to proceed in a planned manner regarding any cyber insurance that may have been taken out, so that any damage incurred is covered in the end.
Are IT security measures generally less expensive than the costs incurred by cyber attacks?
Yes, they are – definitely. However, since the amount of damage in the event of a cyber attack always depends on the type of attack as well as the company affected, the best way to calculate the costs is to use a case study:
Consider a company that has become the victim of a ransomware attack and is expected to pay the extortionists around $4 million to regain access to frozen data and systems. If this company had opted in advance for a continuous vulnerability service of 20,000 to 30,000 euros per year and proactively closed existing vulnerabilities, it is very likely that the attack would not have occurred. Here, the return on investment (ROI) is clear: The $4 million ransom is offset by IT security costs in the low five-figure range.
This is certainly an extreme scenario – but one that has already occurred in our day-to-day business. That’s why we recommend that our customers proactively close existing security gaps. Vulnerabilities in systems are the number one gateway for cybercriminals. This is closely followed by the second vector of entry, social engineering – i.e., errors that can be traced back to untrained employees, for example when they pass on confidential data in the course of phishing e-mails. Companies should make targeted investments in both areas.
How should companies proceed to strengthen their IT security and act economically at the same time?
If you want to invest strategically in your company’s cybersecurity, you first need an overview of the existing IT landscape. Even in large companies, it happens that large, expensive products and consulting services are purchased without having identified business-critical areas. IT managers should free themselves from the idea of wanting to protect everything. To identify core systems and processes, assess dangers and propose targeted measures to minimize risks, we at DGC always start our cooperation with new customers with an assessment including risk analyses. After that, suitable measures can be taken.
In addition to the IT analysis, it is important to establish an IT security organization. This should include not only managers and the IT team, but the entire workforce. IT security is not only about data and processes: It will only be effective if all employees are educated about current risks and empowered to defend against them. Continuous security awareness training is therefore the key.
There are many other aspects to consider when creating an IT security concept. These include recovery plans, such as renting external emergency rooms in which core teams can continue to work if necessary, and creating core IT landscapes at a third-party provider that can be booted up after an incident.
For operational implementation, it is worth considering critically who can be responsible for which tasks. Working with external experts is often more cost-effective than covering all the steps internally. IT security is particularly successful when you cooperate with specialized partners to bundle knowledge and innovations.
How much budget should managers have for IT security solutions?
In general, it is advisable to allocate around 20 percent of the overall IT budget to IT security. This is also confirmed by the German Federal Office for Information Security (BSI).
Take the example of an international corporation with 80,000 to 90,000 employees and 70 locations worldwide that allocates a central IT budget of 900 million euros per year: that would mean 180 million euros for IT security. This figure may seem high to some decision-makers, but it is a realistic value given the number of employees and locations. Finally, given the dynamic threat situation, cyber security should be seen as an important investment in the future of one’s own company.
With which solutions does DGC support companies to advance their IT security in a cost-optimized way?
We offer our customers smart solutions for optimizing existing IT security measures and assist them in defending themselves against cyber attacks. Our products and services range from vulnerability analysis and penetration tests to security awareness training and incident response in our Cyber Defense Operation Center (CDOC). We also provide advice and support in the development of emergency concepts.
Many of our customers enter into a cyber security partnership with us. In this way, depending on the initial situation and requirements, they receive a flexible cyber security package – and thus precisely the products and services they need for ongoing IT monitoring. This approach has proven successful because risks and costs are always weighed up on an individual basis, especially since there is no standard response to IT threats and potential attacks from the network, as these are constantly changing.
We also ensure a cost-optimized approach through a high degree of automation in the field of vulnerability analysis – especially at the beginning. Our IT security tool cyberscan.io® provides a comprehensive overview of the existing IT infrastructure and identifies open vulnerabilities in just a few standardized steps. With these facts, we proceed to manual analysis with our customers and identify core systems to protect them in a targeted manner. This enables us to invest optimally in IT security and to identify, assess and eliminate threats in good time.
To always offer the highest security standards as well as innovations, we also bundle our competencies with other specialists. For example, we have formed an alliance for greater IT security with the network security provider CISCO and developed a joint solution approach. This combines the strengths of cyberscan.io® with those of CISCO’s Extended Detection & Response Platform. With the mutual tool integration, we offer a strong added value in the continuous monitoring of IT system landscapes and the responsive closing of open vulnerabilities.
Thank you very much for the informative interview.