Connected and Vulnerable
Author: Markus Strehlitz
With increasing digitization, numerous examples show that the risk of online attacks is also on the rise. Companies need sophisticated security concepts to protect themselves. DEKRA offers support.
The threat from cybercriminals has never been greater, as evidenced by the regular reports of online attacks on businesses. “43 percent of companies recorded an increase in cyberattacks in the past twelve months,” according to a study by market research company IDC, which surveyed security managers from more than 200 German companies. 51 percent of respondents expect a further increase in attacks in the future.
As recently as February, the German Federal Office for Information Security (BSI) reported a global ransomware attack in which thousands of servers were encrypted. The regional focus was on France, the USA, Germany, and Canada. According to the BSI, several hundred systems (a mid three-digit number) were affected in Germany.
In ransomware incidents, attackers gain access to a company’s network and encrypt its data. They only release the data in exchange for a ransom. Companies that are not prepared to pay must fear that their data will end up on the dark web and be sold there. This also includes sensitive information – for example, a company’s production data.
Cybercriminals are also increasingly targeting companies in the manufacturing sector. This is evidenced by recent examples such as the attacks on a German defense contractor, a supplier of construction materials, and a machinery and plant manufacturer. Such incidents have drastic consequences. The affected companies’ IT systems are often paralyzed for a relatively long time after an attack.
Attacks on critical infrastructures also have a serious impact, as a recent cyberattack on a clinic in Barcelona shows. Because of the attack, the clinic had to cancel 150 surgeries and around 3,000 patient appointments. In September 2020, the University Hospital of Düsseldorf was the target of a ransomware attack. Central systems were down for days. The hospital had to deregister from emergency care, and treatments were canceled or postponed. In the US, cybercriminals attacked an oil pipeline. The operator, Colonial Pipeline, which maintains a network of approximately 8,000 kilometers, had to temporarily suspend pipeline operations. This caused regional bottlenecks and panic buying – for example of gasoline.
Ransomware is a profitable business
The threat of online attacks is also so great because they are a profitable business. Ransomware is the most popular business model in cybercrime because cybercriminals often succeed with their extortion attempts. According to the IDC study, more than half of the companies surveyed are willing to pay. This motivates hackers: 70 percent of companies have been the victim of a ransomware attack in the past twelve months, according to IDC. Only a good half of them were able to fend off the attack or isolate it in time.
What is more, while advancing digitization does offer companies a lot of benefits, it also increases the opportunities for cybercriminals. Anything that is networked can theoretically be attacked from the outside. The targets are no longer just the classic office computers. Devices from the Internet of Things (IoT) have also become the target of hackers, because many companies are now trying to tap into the great potential of IoT for themselves. For example, products being used by customers deliver data to their manufacturers. Monitoring systems are interconnected. And sensors on machines in factories collect information to optimize production processes.
All these IoT components must therefore be protected. However, the people responsible for security in companies are faced with the major challenge of reconciling devices from different manufacturers with different security prerequisites and requirements. Two thirds of experts surveyed by IDC report that their security landscapes have become more complex. 71 percent expect this to increase further.
Attacks require sophisticated security concepts
But the good news is that companies are paying more attention to protecting their own digital infrastructure. Surveys and experts repeatedly report that companies want to invest more in their Cyber Security. The market observers at IDC likewise report that almost half of the organizations surveyed are planning to adapt their cyberdefenses.
Yet attacks are becoming increasingly sophisticated, meaning that companies require suitably sophisticated security concepts. To protect a digitized company’s flexible network architectures, various security measures must work together. These include strict access rules and a zero trust concept, in which every user and every device is treated as untrusted, regardless of whether it is located inside or outside the company’s own network. All network traffic is monitored, and every user or service must authenticate itself before being granted access.
Companies should also pay attention to the security features of the IoT devices they select. The devices should have Cyber Security certificates and come from manufacturers that place particular emphasis on information security. Ideally, this is supplemented by so-called vulnerability management, which involves routinely recording the most important data on vulnerabilities – for example in the devices’ firmware – so that the company can react to them with appropriate protective measures.
Many companies – especially medium-sized ones – are overwhelmed by these many tasks. That is why there are service companies that take on a variety of these security tasks. DEKRA, for example, offers audits and risk assessments as well as training courses for employees to raise their Cyber Security awareness. After all, people are often the weakest link in a company’s security chain (see interview). In addition, there are so-called penetration tests. These can be used to uncover vulnerabilities in IT systems and architectures so that the corresponding gaps can be closed.
While companies cannot assume that the number of cyberattacks will decrease, with the help of external support they can ensure that they are better prepared for them.
“The Human Factor Plays an Important Role in any Security Strategy”
Andy Schweiger is Senior Vice President at DEKRA and responsible for Global Cyber Security Services. In this interview, he explains why mid-size companies are increasingly affected by online attacks, how they can protect themselves, and how DEKRA can help them.
Mr. Schweiger, what do you think about the current threat situation, especially for medium-sized industrial companies?
Small and medium-sized enterprises (SMEs) are increasingly becoming targets of cyberattacks because they often lack the resources to invest in robust Cyber Security measures. According to recent reports, more than half of all small businesses have been the victim of a cyberattack, the most common being phishing attacks, ransomware, and malware. These types of attacks can cause significant harm to SMEs – including financial losses, reputational damage, and even legal liability. Therefore, it is important for SMEs to prioritize Cyber Security by implementing basic security measures such as strong passwords, regular software updates, and employee training to identify and deal with potential threats.
What are the most common gateways for cybercriminals?
There are several common gateways that cybercriminals use for their attacks. One of the most common is phishing, where fraudulent emails or messages are sent to individuals to trick them into revealing sensitive information such as login credentials or credit card details. Another gateway is unsecured WiFi networks, which can be exploited by hackers to intercept data transmitted via the network. In addition, outdated software and operating systems may have vulnerabilities that cybercriminals are able to exploit to gain access to a system. Finally, cybercriminals can use social engineering tactics such as subterfuge and bait to gain access to sensitive information or systems.
In your opinion, what role does the human factor play in security strategies?
The human factor plays an important role in any security strategy. While technologies such as firewalls and encryption can provide important protection against cyberthreats, employees remain the weakest link in the security chain. Many attacks rely on social engineering tactics to trick individuals into disclosing sensitive information or downloading malicious software.
How can companies protect themselves?
To protect themselves, companies must prioritize training and awareness programs that teach their employees how to recognize and respond to potential threats. This should include regular training on topics such as phishing, password management, and privacy policies. Companies should also implement access controls and other measures to limit the amount of sensitive data employees have access to.
Finally, organizations should regularly review their security policies and procedures to ensure they are keeping up with the latest threats and best practices. This includes conducting regular vulnerability assessments and penetration tests to identify potential weaknesses in their systems before they can be exploited by cybercriminals. By taking a proactive Cyber Security approach that incorporates both technological and human factors, organizations can significantly reduce their risk of falling victim to a cyberattack.
How does DEKRA support companies with this issue?
DEKRA supports companies in various ways when it comes to Cyber Security. Among the most important services DEKRA offers are audits and risk assessments: DEKRA provides auditing services to help companies identify vulnerabilities in their IT systems and assess risks. Organizational aspects such as policies and processes on various security levels are also taken into account. Another service is training and awareness: DEKRA offers employee training to raise awareness of Cyber Security and teach best practices in handling data processing and storage. DEKRA also conducts penetration tests to identify vulnerabilities in specific IT components, systems, and architectures for specific applications (consumer goods, industrial plants, automobiles, and the like) and to close security gaps. Certification programs, which DEKRA also offers, can help companies improve their IT security standards and demonstrate their compliance with regulations. Overall, DEKRA can help companies develop or improve their Cyber Security strategy by providing them with a wide range of services tailored to specific corporate use cases.