Corona has brought Germany a dramatic boost in digitization. Virtually overnight, many companies had to convert their business processes to networked and decentralized work. The leap into the ice-cold digital water showed that the country, which is often ridiculed for its inadequacy in the field, can definitely digitize if it has to.
However, the largely positive but uncontrolled development also has its downsides. “The attack surfaces have increased dramatically, and the trend towards using external cloud service providers has made these attacks even easier,” emphasized Haya Shulman, computer science professor at the Frankfurt Goethe University, at the second WELT Summit “Vision Now – Digital Security” in Berlin’s Axel-Springer-Haus. “We measured that attacks on our customers’ systems tripled from 2021 to 2022,” said Paul Kaffsack, co-founder of German cybersecurity firm Myra Security.
The main uncertainty factor is and remains the human being. “73 percent of the attack techniques still work with stolen credentials,” analyzed Rolf Schumann, Chief Digital Officer of the Schwarz Group. His job is, among other things, to secure its more than 14,000 discount store branches with local WLAN and access to the company’s own cloud. According to the French defense technology and security group Thales, the human factor is the main cause of security incidents in the cloud in 55 percent of all cases – and is therefore by far the highest security risk there as well.
The term “human factor” is usually used to describe reckless, trusting or even malicious employees whose credentials criminals use to gain access to corporate or government networks. This can jeopardize or even paralyze the safety culture of entire companies. The protection of all digital business processes must therefore be a matter of course in all areas of the organization.
“There should be an awareness of the dangers by now, so now the issue has to be anchored in the company’s DNA,” demands security expert Paul Kaffsack. And it is imperative that “the security of information technology and digital business processes is no longer perceived as the responsibility of IT nerds”.
Digital security is no longer a technical issue, but a question of attitude, as Rolf Schumann put it. “Change your mindset, the boss is responsible.” In a modern and comprehensively networked company, the integrity of the digital processes is of the highest priority, which is why the company management must make this topic its own and send out the signal that digital security is taken seriously.
Preparation is also essential for Rüdiger Trost, head of cybersecurity solutions at the German subsidiary of the Finnish security company WithSecure. “Once you have the problem and you’re under stress, you might not make the very best decisions,” said the expert, drawing on extensive practical experience. He advises every company to simulate a cyber attack during quiet times. Then the weak points can be named and analyzed, says Trost.
Weaknesses in the technical equipment and organization can be ironed out long before an emergency occurs. Ideally, a crisis manual should have already been created that can be pulled from the shelf in the event of an attack. “When do I communicate with my employees? When do I contact the press? When do I inform my customers?” With these, the expert listed a series of fundamental questions that are better not settled hectically in the middle of a crisis.
Measures against a possible attack therefore also include a changed view of the company. In times of Industry 4.0, in which networking with suppliers and customers is a prerequisite for business success, the idea of being able to protect yourself through isolation is absurd.
Rolf Schumann reported on his own security epiphany that came to him during stays in Israel. The country is considered one of the most advanced cyber nations and is among the world leaders in both defense and the execution of attacks. Schumann chose clear words in his lecture: “Forget the rubbish that you are protected. There is no longer a protected space, there is no privacy, everything is open”.
The sooner company management understands that they cannot keep intruders out completely, that they are probably already in the systems, the better it is. Then the only conclusion left is what really matters when defending against attacks: set priorities and protect core data and processes.
“There are 10,000 vulnerabilities in companies,” said the security expert, and advised everyone: “Finally learn that you don’t have the time and resources to work through them all.” Schumann openly admitted that company managers and traditionally educated and trained IT professionals would have difficulties with such an approach. However, it does not help to continue to rely on “castle walls, moats and drawbridges”.
However, if German companies succeed in this change of attitude, the chances are good because, contrary to popular pessimistic assessments, Germany has excellent expertise in cybersecurity. According to Israeli-born Haya Shulman, research in this field is among the best in the world.
What is lacking is the transfer into economically successful offers. This is the only reason why Germany has not played a role in the cybersecurity market so far. “Germans aren’t actually risk-averse, but I think we need fewer regulations and more incentive systems,” said Haya Shulman. German scientists and software engineers lack the incentive to implement their findings in real products, she added.
As can also be observed in other areas, the technology transfer in cybersecurity is inadequate. Improving it and establishing a thriving start-up culture in Germany that is similar to that in her home country is one of Haya Shulman’s main concerns. It remains to be seen whether the call for a more active and, above all, more intelligent role for the state in cultivating this culture will be heard. The fact is that the cyber nation of Israel would never have emerged without significant government initiative.
However, a change in mentality is also necessary among German technology companies, although heavyweights such as Telekom are certainly looking around in hotspots of cybersecurity development such as Israel. The Schwarz Group’s successful digital commitment also began with visits to the country on the edge of the eastern Mediterranean, where some costly lessons had been learned, as Schumann admitted.
All too often, German companies limit themselves to buying a start-up in order to use the technology. That doesn’t work: “We shouldn’t just buy and use the products and expertise, we should bring them to Germany, expand the ecosystem here and further develop the technology,” said Shulman.
The strong cyber security research in this country would offer a viable basis for a cyber economy that is just as successful as Israel’s. In this way, a counterweight to the dominance of US technology groups could be established. Nothing could be done against their dominance in the field of operating systems. But in the area of IT security, one could then specifically rely on European manufacturers, according to Haya Shulman.
“That’s generally a good tip,” said Rüdiger Trost of WithSecure. Diversifying the sources of supply also makes sense with regard to the increasing use of cloud services. The dominant US providers are making great efforts to lure their customers into the respective cloud – and if possible to lock them there.
In the opinion of the experts, resisting the temptingly presented advances of the US manufacturers would be an important step towards European autonomy. “If we instead use the two or three big cloud providers that everyone knows, then we’ll be dependent on them in the next three, four, five or even ten years,” says security expert Paul Kaffsack.