“The biggest weaknesses are complexity and superficial knowledge”

Christian Garske: The figures from Bitkom are just the tip of the iceberg. In reality, the damage incurred by companies are likely far higher. There are various reasons for this. For one thing, there is much more malware around today. Around 320,000 new variants are put into circulation every day. In total, there are now well over 1.3 billion different tools that can inflict damage and losses. For another thing, these malware tools are now far more capable. Over the last two years, we’ve seen cyberattackers becoming increasingly professional. The difference is that, where we were once dealing with lone wolves or smaller groups, attacks are now more organized and are sometimes carried out in the name of specific countries.

Christian Garske: Emotet is a macrovirus that is typically spread via emails. The perfidious thing about this virus is that it records contacts and is capable of interpreting content, which enables it to address users directly and individually. This means that emails often come from known contacts and even cite past emails from the recipient, which leads us to stand down our internal warning systems. Dynamite phishing, a technique related to Emotet, has established itself and proven particularly successful. Consequently, other cybercriminals who attack using similar malware like Qakbot have now added this technique to their repertoire.

Christian Garske: The biggest weaknesses are complexity and superficial knowledge. This complexity exists not only in relation to specialist knowledge but also in terms of technical structures. In many cases, the skills needed to handle the multitude of technologies and malware are not sufficiently developed. Companies often also lack the necessary structural underpinnings, like an information security management system that always has the risks in view and initiates countermeasures at the right time.

Christian Garske: Companies that work with personal data are in the same situation as any others. They need to consider what an appropriate security strategy would look like and how strong their defenses need to be to ensure an appropriate level of protection. I would advise all private citizens to be sparing in disclosing their personal data. Wherever I enter data, there is the potential that this data could be lost. If there are objective reasons to provide my data, I also need to look at who I’m sharing it with. So, if I’m ordering something online, would I order from a shop with a Trusted seal – or from a supplier I’ve never heard of before?

Christian Garske: Many companies have already taken steps in recent years to protect their IT systems more effectively. However, most German companies are still not at the level they really need to be. These deficits have become even more pronounced in the current crisis, with companies forced to forge entirely new paths at short notice. The situation forced thousands of companies to send their employees to work from home in next to no time without being able to adjust properly to these new conditions. If companies also reduce their IT capacities due to the crisis, it will become very dangerous very quickly.

Christian Garske: I wouldn’t put it like that. First of all, companies need to make sure that their business is viable and can continue operating. And that’s fine to begin with. I mean, if there was a fire, the first thing I would do is reach for a fire extinguisher – I wouldn’t start by reviewing my fire safety concept. However, it would be a fatal mistake not to take a look at my fire safety concept once the fire is out. Failing to make adjustments means it’s only a matter of time until something goes wrong.

Christian Garske: The consequences are damage and loss, because the likelihood of damage due to cybercriminality has risen massively in the last few years. The ramifications could be production coming to a standstill or being blocked from accessing your own company’s data and knowledge. And, if you don’t pay the ransom, in the worst case scenario the attackers could offer to sell your data to a competitor. The strategic question that a company needs to ask itself is how likely such an incident is to occur. This likelihood can then determine how much you’re willing to pay to safeguard against that risk.

Christian Garske: No, there isn’t a straightforward formula, because companies operate in different markets. Each company must decide where it stands. As a rough guide, the more dependent a company is on digital technologies, the more it needs to invest in IT security.

Christian Garske: I am skeptical, but not when it comes to meaningful reviews of IT products. If an effective standard were established, it would be an important step forward. But I don’t think that this new security seal is an effective means of achieving that because, in practice, the requirements aren’t being checked. No specific, technical verification is required to obtain the seal. Neither are regular audits. To put it in exaggerated terms, the seal only confirms that the certified IT product could theoretically provide security.

Christian Garske: The IT Security Act was put in place because of attacks with ramifications for wider society, such as attacks on energy suppliers or the healthcare sector. The threshold above which companies of a certain size are counted as critical infrastructure has been lowered and further sectors have been added to the list, such as arms companies and waste disposal. Companies of significant importance to the German national economy include companies in the automotive, chemical and pharmaceutical industries and their supply chains. There are now also subject to specific IT security requirements.

Christian Garske: On the one hand, IT security is heavily dependent on general technological development, because any technology can have its weaknesses and be misused. Security specialists need to understand all of these new technologies and identify their weak points. On the other hand, the topic of artificial intelligence will become increasingly prominent. AI will solve problems in many areas, such as anomaly detection, for example. Given that we’re confronted with ever-growing volumes of data, there’s no other choice.

Christian Garske: In this project, we’re trying to push the boundaries of technical possibility a little further. It’s primarily focused on, firstly, automating pen tests as far as possible. On the other hand, it’s also about integrating and evaluating more context information. As part of the research project, one of our partners is developing a honeypot that charts how the environment behaves. If we incorporate this kind of information system-wide, it will open up new ways to use this context knowledge to repel attacks. We want to made it harder and harder for attackers to find a gap in IT systems.

Christian Garske: Correct; it’s like the race between the hare and the tortoise. If IT security experts decide to put their feet up and relax, we’ll have lost. However, a single unit can’t do everything on its own. IT security relies firstly on intensively developing your own skills on a permanent, ongoing basis, and secondly on seeking connections with others. This is why security communities, which have been set up between companies, are enormously important. Without them, attackers would find it far easier.