Cyber Security in 2023: Interview with IT Director Andreas Fey
easy is a member of the Alliance for Cyber Security of the BSI (German Federal Office for Information Security). What does this commitment mean and why is high sensitivity to cyber security becoming more important with each passing year?
What dangers await us and companies in general that take cybersecurity lightly?
In the past, cyber criminals primarily craved fame and recognition or specifically wanted to harm individual parties. Today, the picture has changed and, in addition to political groups, we increasingly see professional companies offering their services as a service and making considerable profits.
The idea of absolutely perfect cyber security is a myth. Just as in real life, it is almost impossible to shield oneself from every conceivable threat in the digital world. Attackers selectively choose the easiest victims or those who bring them the greatest possible profit. Even if absolute security remains an illusion, it is therefore worth working towards being at least as well protected as other companies – ideally even better, by ensuring that our security precautions are sound.
What are the benefits of working together as an alliance for cyber security?
As a member of the BSI’s Alliance for Cyber Security, we have access to training, materials and resources that help to constantly expand knowledge and skills in the field of cyber security. This is of great importance as the IT landscape is constantly changing and up-to-date knowledge is essential.
Particularly significant is access to the high-quality cyber security alert channel provided by the National IT Situation Center. This provides all members with timely information about emerging vulnerabilities and threats that could affect their systems.
Last but not least, participation in the strong alliance helps to strengthen the confidence of customers, business partners and stakeholders in a company’s safety practices.
What contribution can easy make to the Alliance for Cyber Security as a member?
First of all, as participants, we also participate as users of the information provided and thus contribute to the general improvement of cyber security. In addition, we have the opportunity to actively bring further multipliers into play as partners.
This could be, for example, events on the topic of IT security, with which we create a valuable platform for the exchange of knowledge and raise awareness for security issues.
Publications such as technical articles, guides or white papers shared within the alliance also enrich the overall knowledge and in turn help other organizations improve their security strategies. An ambitious multiplier could also be the development of innovative tools or solutions that contribute to the overall strengthening of cyber security.
Overall, then, membership in the Alliance for Cyber Security offers several opportunities to not only benefit from the resources provided, but also to actively contribute to the protection and awareness of all other companies – including customer and partner companies.
Asked in general terms, what kind of companies will be affected by cybercrime in 2023?
Unfortunately, cybercrime has now become a highly relevant issue for a large number of companies. Public institutions in particular are increasingly in the spotlight. Recent examples illustrate this threat – including well-known German universities that have been the victims of large-scale attacks.
But medium-sized companies are also increasingly being targeted by attackers. In fact, the number of smaller companies affected by attacks is so high that not every incident is even mentioned, and only major attacks with media impact are still mentioned in the general public.
Are there typical weak points in companies when it comes to cyber attacks?
Common vulnerabilities basically fall into two categories: technical ones and human ones.
Technical vulnerabilities include inadequately secured networks and weaknesses in access management that could grant unauthorized access. Likewise, regular patch management and password management play an important role in closing known security gaps.
On the human side, social engineering attacks are particularly problematic, with attackers exploiting characteristics such as curiosity or trust. Here in particular, it is important to sensitize employees accordingly.
What are the aspects that companies often underestimate when it comes to cybercrime?
It is often assumed that defense against attackers is exclusively a technical problem, where it suffices to install antivirus protection. But the reality is more complex.
Many companies underestimate the importance of the human factor. In the vast majority of cases, social engineering is the origin of cyberattacks. Attackers exploit human behavior patterns to gain access to sensitive information or systems, be it through phishing emails, manipulative phone calls (vishing) or even by deceiving employees on site.
That is why there is a growing appreciation of the relevance of awareness training. More and more companies are realizing that they need to educate their employees about the risks of social engineering and other attack methods. This makes every individual an essential part of IT security. It is therefore worthwhile to invest more in training and awareness campaigns for employees rather than just in hardware and tools.
What measures can all employees take, even those without technical knowledge, to prevent cybercrime?
An important component is to think about how confidentially information must be treated and what exactly the recipient list looks like before sharing anything; a standardized information classification helps here, for example. It is equally important not to blindly trust messages received, whether e-mails or phone calls. Of course, it is also important to be careful on the immediate personal level when unexpected guests show up at the office.
In addition, knowing and following the company’s IT security policies should be a given. Reading the policies or watching informational videos can teach basic security practices and promote an understanding of secure behavior.
Andreas, would you say that cyber security is more important today than it was a few years ago?
Definitely! And the overwhelming majority of companies are aware of this fact. Attacks are not only becoming more frequent, but also more sophisticated and targeted.
Especially with the introduction of remote working, new challenges arise: Networks and devices are often less well protected outside the office; this creates new potential attack vectors. Mobile working brings many advantages and is also in keeping with modern times. But it can also mean that you don’t read your e-mails with the same concentration when you’re standing at the checkout in the supermarket, for example, and are more likely to click on links or attachments than in the focused office atmosphere.
How exactly have cyber attacks changed over the years?
Cybercrime is now top of mind as a business risk. Attacks have become more diverse and sophisticated. The power of artificial intelligence (AI) and natural language processing tools (as used in ChatGPT) has led to social engineering attacks aimed at manipulating humans becoming increasingly complex. The emergence of deep fakes – AI-manipulated digital imitations of humans – is also contributing to this development, which will soon become far more significant.
The fact that there are still so many “simple” attacks is due to the sad fact that, as of today, enough people still fall for strategies without AI and the like. Overall, however, it remains a constant race between attack and defense.
How will the issue of cybercrime aimed at companies develop over the next few years?
We must assume that extortion groups will continue to professionalize and use more sophisticated methods to achieve their goals.
Companies and organizations must therefore work harder to optimize their security strategies. Since attack methods are constantly evolving, all security measures must also be continuously improved and adapted. This in turn leads to an increase in financial and personnel expenses.
For us as a software company, the security of the software supply chain is also becoming increasingly important. Regulatory authorities such as the BSI want to become more active themselves in the future and not just offer information. Measures are planned to ensure software updates by law and even to intervene in the management of critical companies. The topic has thus also reached the political arena and, together with new defense technologies, closer cooperation between law enforcement agencies, and offerings such as the Alliance for Cyber Security, provides room for optimism.