Cyberattacks on data and network security are a serious threat to companies worldwide, including small and medium-sized enterprises. IT security expert Johannes Mattes and Alexander Gronwald, a specialist in digital transformation, explain the vulnerabilities that attackers abuse, and which defense strategies companies can use for protection. They also discuss why employee training plays a major role when it comes to cybersecurity.
To what extent have cyberattacks increased in number and intensity?
Alexander Gronwald: When working with medium-sized companies, we have seen an increase in attacks over the course of the past few years; in some cases this increase was quite significant. The statistics confirm this development: according to the Cyberthreat Defense Report (CDR), the number of companies that have been affected by at least one successful cyberattack rose to 86 percent in 2021 (Source: cyber-edge.com). The current geopolitical situation is further catalyzing the number of attacks.
How have the methods of attack changed? In what ways are attacks carried out today?
Alexander Gronwald: Cybercriminals are increasingly networked these days and work in a highly professional manner. In most cases, the attacks are carried out on a broad front – with the aim of identifying vulnerabilities and security gaps in the IT infrastructure of companies. One common tactic, for example, is to gain access to company networks via phishing emails. These fake e-mails are intended to convince unknowing employees to pass on sensitive login data; they also encourage the infiltration of malware by clicking on contaminated links sent along with the e-mail. The actual cyberattack usually takes place later. In this way, malware can sit unnoticed in the system for months – with fatal consequences for the affected company.
Johannes Mattes: Cybercrime has become an international business in which attackers go about their tasks as if they were doing a day job. They develop attack strategies that are easily scalable and can be used on a large scale against different victims. A successful attack on corporate networks usually involves multiple actors, each with a special focus. This is evident, for example, in ransomware attacks, where the goal is to encrypt corporate data and then extort a ransom for its release. In this context, for instance, one actor creates the malware, the other breaks into the corporate network, and a third party carries out the extortion.
Which areas of the company are particularly vulnerable? And how do attackers abuse these vulnerabilities?
Alexander Gronwald: The most significant attack surface remains the company’s own workforce. If employees are not or only insufficiently informed about risks from the cyberworld and thus not empowered to defend themselves, cybercriminals have an easy game. Attackers use various gateways for unauthorized system access, such as the aforementioned phishing mails, USB sticks contaminated with malware and put into circulation, or fictitious remote access. In this case, attackers pretend to be internal IT service employees in order to support colleagues in the home office. In reality, however, confidential data is stolen and used for criminal purposes.
Johannes Mattes: It should also be kept in mind that cybercriminals can gain access via the supply chain: In supply chain attacks, suppliers with an even lower security level are compromised in a first step in order to gain access to the network of the actual target. In many cases, it therefore makes sense to optimize IT security across companies.
Further, outdated IT systems or software solutions are vulnerabilities that have caused considerable financial damage in the past. In the spring of 2021, for example, a vulnerability in Exchange servers caused a stir. Immediately after the vulnerabilities became known, large-scale scans could be observed on the Internet. They were used by attackers to search for vulnerable Exchange servers of companies. Due to the high prevalence of vulnerable servers on the one hand and the ease of taking advantage using exploit kits on the other, the German Federal Office for Information Security (BSI) classified the situation as extremely critical. In this context, professional patch management proves to be important.
How well prepared are medium-sized companies for the increasing threat situation?
Johannes Mattes: When we talk to medium-sized companies, we often hear statements like: “Hackers are not likely to attack us. After all, what could they possibly want from us?” This assumption is dangerous, as the statistics speak for themselves: all sizes of companies are affected by cyberattacks. Since security precautions are often inadequate in SMEs, attackers frequently have a particularly easy game.
Alexander Gronwald: Many medium-sized companies are hardly or insufficiently prepared for the increasing threat situation. The biggest challenges in this context include a long time until an attack is detected, a lack of specialist expertise in the area of cybersecurity and the absence of a concrete emergency plan. Often, the level of awareness among employees is quite low, as well.
Why is the IT security awareness of employees important and how can it be improved?
Alexander Gronwald: Establishing a common awareness for IT security is one of the most important measures, as employees tend to be the lowest barrier to attackers. In many companies, however, security awareness is still perceived as a nuisance and thus it’s just not prioritized. To change this, valid concepts, the support of management and an increased focus on the topic through regular training, information days and other awareness-raising activities are needed. If necessary, external experts should assist.
Johannes Mattes: Employees are often referred to as the “weakest links in the chain”. Yet well-trained employees in the company are the most important line of defense against cyberattacks – their involvement is crucial for IT security. Therefore, they should be invited and motivated in order to acquire the necessary knowledge for a successful defense. Communication is a key factor in this context: according to a study conducted by Goethe University, phishing attacks tend to be more successful in larger teams than in smaller ones, where communication tends to be better.
Which aspects should companies consider when optimizing their IT security and what is the role of an information security management system (ISMS) in this context?
Johannes Mattes: The introduction of an ISMS creates a basic framework for continuously improving information security, addressing risks and constantly questioning the status quo. In view of the current threat situation, ever more companies are attaching importance to information security in their collaboration with suppliers: An information security management system verified with an ISO 27001 certificate can be a real competitive advantage in this context.
In a nutshell: What is your most profound advice to medium-sized companies with regard to IT security?
Johannes Mattes: Companies should act according to the principle of getting the basics right. By implementing basic measures, the majority of automated attacks can be prevented or at least the damage can be limited. I advise our customers to start with the following measures: activating multi-factor authentication, patching IT systems immediately, conducting regular (offline) backups and, last but not least, training their employees with regard to cyberthreats and means of protection.
Alexander Gronwald: IT security must be firmly anchored in the DNA of the company. Decision-makers should secure the IT infrastructure in the same way they protect the company against burglars on site.
Mr. Mattes and Mr. Gronwald, thank you for the interview!
Johannes Mattes is the Co-Founder of Byght GmbH and leads startups and SMEs quickly and resource-efficiently to ISO 27001 certification. An informative offer on the topic of ISO 27001 and cybersecurity is available free of charge at www.byght.io.
Alexander Gronwald advises and supports companies in all matters relating to digital transformation, data analysis and the use of digital technologies. More information is available here: www.tvconsult.com