According to Bitkom, the German IT and telecommunications industry association, cyberattacks cost the German economy €223 billion in 2020/21 – more than double the figure in previous years. In this interview, our IT security expert Christian Garske explains where companies’ weaknesses lie and how businesses can protect themselves against cybercriminals.
“The biggest weaknesses are complexity and superficial knowledge”
What are the main forces driving the enormous rise in cyberattacks on companies?
Christian Garske: The figures from Bitkom are just the tip of the iceberg. In reality, the damage incurred by companies is likely far higher. There are various reasons for this. For one thing, there is much more malware around today. Around 320,000 new variants are put into circulation every day. In total, there are now well over 1.3 billion different tools that can inflict damage and losses. For another thing, these malware tools are now far more capable. Over the last two years, we’ve seen cyberattackers becoming increasingly professional. The difference is that, where we were once dealing with lone wolves or smaller groups, attacks are now more organized and are sometimes carried out in the name of specific countries.
Emotet attacks have been particularly effective. What’s so special about this piece of malware?
Christian Garske: Emotet is a macrovirus that is typically spread via emails. The perfidious thing about this virus is that it records contacts and is capable of interpreting content, which enables it to address users directly and individually. This means that emails often come from known contacts and even cite past emails from the recipient, which leads us to stand down our internal warning systems. Dynamite phishing, a technique related to Emotet, has established itself and proven particularly successful. Consequently, other cybercriminals who attack using similar malware like Qakbot have now added this technique to their repertoire.
That turns individuals into one of the main ways for attackers to break in. What are the other biggest weaknesses in companies?
Christian Garske: The biggest weaknesses are complexity and superficial knowledge. This complexity exists not only in relation to specialist knowledge but also in terms of technical structures. In many cases, the skills needed to handle the multitude of technologies and malware are not sufficiently developed. Companies often also lack the necessary structural underpinnings, like an information security management system that always has the risks in view and initiates countermeasures at the right time.
The threat of data leaks has also reached a new level, as highlighted in The State of IT Security in Germany 2020 [published by the BSI, Germany’s Federal Office for Information Security]. How can companies protect their customers? And how can consumers protect themselves?
Christian Garske: Companies that work with personal data are in the same situation as any others. They need to consider what an appropriate security strategy would look like and how strong their defenses need to be to ensure an appropriate level of protection. I would advise all private citizens to be sparing in disclosing their personal data. Wherever I enter data, there is the potential that this data could be lost. If there are objective reasons to provide my data, I also need to look at who I’m sharing it with. So, if I’m ordering something online, would I order from a shop with a Trusted seal – or from a supplier I’ve never heard of before?
“Most German companies are still not at the level they really need to be. These deficits have become even more pronounced in the current crisis, with companies forced to forge entirely new paths at short notice.” – Christian Garske, IT security expert, Lufthansa Industry Solutions
Cybercriminals react quickly to major social topics and trends, as shown by the various attacks seeking to exploit the COVID-19 pandemic. Where do the risks lie?
Christian Garske: Many companies have already taken steps in recent years to protect their IT systems more effectively. However, most German companies are still not at the level they really need to be. These deficits have become even more pronounced in the current crisis, with companies forced to forge entirely new paths at short notice. The situation forced thousands of companies to send their employees to work from home in next to no time without being able to adjust properly to these new conditions. If companies also reduce their IT capacities due to the crisis, it will become very dangerous very quickly.
At the same time, many medium-sized companies still appear to be trying to catch up with the new requirements. A recent Forsa survey of 300 medium-sized companies showed that only 8% had revised their data protection and IT security regulations in reference to staff working from home. Have companies failed to do their homework?
Christian Garske: I wouldn’t put it like that. First of all, companies need to make sure that their business is viable and can continue operating. And that’s fine to begin with. I mean, if there was a fire, the first thing I would do is reach for a fire extinguisher – I wouldn’t start by reviewing my fire safety concept. However, it would be a fatal mistake not to take a look at my fire safety concept once the fire is out. Failing to make adjustments means it’s only a matter of time until something goes wrong.
The pandemic seems to have created certain pitfalls in relation to cybersecurity, especially for SMEs. In a recent study published by a security software company, 51% of European SMEs said that they have problems making the necessary funds available. What consequences should these companies expect to face?
Christian Garske: The consequences are damage and loss, because the likelihood of damage due to cybercriminality has risen massively in the last few years. The ramifications could be production coming to a standstill or being blocked from accessing your own company’s data and knowledge. And, if you don’t pay the ransom, in the worst case scenario the attackers could offer to sell your data to a competitor. The strategic question that a company needs to ask itself is how likely such an incident is to occur. This likelihood can then determine how much you’re willing to pay to safeguard against that risk.
Is there a recommended amount or benchmark figure for how much companies should invest in risk management – a set proportion of turnover, for example?
Christian Garske: No, there isn’t a straightforward formula, because companies operate in different markets. Each company must decide where it stands. As a rough guide, the more dependent a company is on digital technologies, the more it needs to invest in IT security.
The Federal Office for Information Security (BSI) also wants to provide greater clarity. In future, manufacturers could have their IT products certified with the BSI IT Security Seal to give customers more guidance when purchasing IT products. Is this the right way to counter the current risks of cybercriminality?
Christian Garske: I am skeptical, but not when it comes to meaningful reviews of IT products. If an effective standard were established, it would be an important step forward. But I don’t think that this new security seal is an effective means of achieving that because, in practice, the requirements aren’t being checked. No specific, technical verification is required to obtain the seal. Neither are regular audits. To put it in exaggerated terms, the seal only confirms that the certified IT product could theoretically provide security.
Another recent development is the German IT Security Act 2.0, which came into force in May 2021. In addition to the operators of critical infrastructure, the scope of the law has been extended to include companies of significant importance to the national economy. Which companies or sectors does this concern?
Christian Garske: The IT Security Act was put in place because of attacks with ramifications for wider society, such as attacks on energy suppliers or the healthcare sector. The threshold above which companies of a certain size are counted as critical infrastructure has been lowered and further sectors have been added to the list, such as arms companies and waste disposal. Companies of significant importance to the German national economy include companies in the automotive, chemical and pharmaceutical industries and their supply chains. They are now also subject to specific IT security requirements.
Like all technological sectors, IT security relies on the constant development and invention of trends and technologies. What are currently the most significant trends and technologies in IT security?
Christian Garske: On the one hand, IT security is heavily dependent on general technological development, because any technology can have its weaknesses and be misused. Security specialists need to understand all of these new technologies and identify their weak points. On the other hand, the topic of artificial intelligence will become increasingly prominent. AI will solve problems in many areas, such as anomaly detection, for example. Given that we’re confronted with ever-growing volumes of data, there’s no other choice.
Speaking of artificial intelligence, LHIND is currently involved in a research project looking at automated penetration testing using AI. What exactly is being developed?
Christian Garske: In this project, we’re trying to push the boundaries of technical possibility a little further. It’s primarily focused on, firstly, automating pen tests as far as possible. On the other hand, it’s also about integrating and evaluating more context information. As part of the research project, one of our partners is developing a honeypot that charts how the environment behaves. If we incorporate this kind of information system-wide, it will open up new ways to use this context knowledge to repel attacks. We want to make it harder and harder for attackers to find a gap in IT systems.
All the same, attackers can also use artificial intelligence.
Christian Garske: Correct; it’s like the race between the hare and the tortoise. If IT security experts decide to put their feet up and relax, we’ll have lost. However, a single unit can’t do everything on its own. IT security relies firstly on intensively developing your own skills on a permanent, ongoing basis, and secondly on seeking connections with others. This is why security communities, which have been set up between companies, are enormously important. Without them, attackers would find it far easier.
Lufthansa Industry Solutions is a service provider for IT consulting and system integration. This Lufthansa subsidiary helps its clients with the digital transformation of their companies. Its customer base includes companies both within and outside the Lufthansa Group, as well as more than 300 companies in various lines of business. The company is based in Norderstedt and employs more than 2,100 members of staff at several branch offices in Germany, Albania, Switzerland and the USA.