Information security in 2023 - How well are you protected?
Media reports about hacker attacks and stolen data are piling up. Information security is a much-discussed topic. But what is information security? Which areas are covered? And what does a cyber attack mean for your organization? We asked our expert.
Information security: The be-all and end-all for companies and organizations
Stefan, you have over 20 years of experience in the IT industry and are a part-time lecturer in information security. Can you briefly explain what information security means?
Assets, i.e. things of value, are protected with security measures. Information security is the protection of information and information systems as one type of asset, closely interlinked with data protection. Information systems are often, and increasingly, technical IT systems, but a physical filing cabinet is also an information system. If you only want to talk about the security of IT systems, you often use the term IT security. The term cyber security is also modern, although it is sometimes used synonymously with IT security and sometimes in a narrower sense, specifically for attacks involving threats from the Internet.
IT security: Your company's shield
Which areas are covered by IT security?
Classic protection goals include confidentiality, integrity and availability. Since IT plays a role in almost every sector of the company today, however, many other assets are increasingly vulnerable to attack via information systems. In this respect, the interpretation that "only" information should be protected would be a misleading distinction. In addition to finances, such as access to your e-banking, there are many vital functions that can no longer be fulfilled without running IT. Information systems themselves are therefore usually not the main target of an attacker, but only a means to an end to attack other assets.
The relevance of IT security in companies
Why is IT security important?
IT security is becoming increasingly important and relevant for all of us. This is for two reasons. On the one hand, important corporate functions depend on IT infrastructure, and companies have been driven into bankruptcy by successful attacks on it; on the other hand, IT can be found virtually everywhere in the company, even though this is not always obvious.
Change in the IT security sector: Challenges and progress in times of cloud systems and professionalized hacker gangs
How has the sector changed in recent years?
The sector has changed significantly in recent years. This is due to technological developments such as cloud systems, which bring new complexity to companies. At the same time, cloud systems have also brought many improvements. Systems are operated much more professionally today than they were 20 years ago. It has therefore become more difficult to penetrate a system. In this respect, one can speak of an improvement in information security.
There is a strong degree of professionalization on the part of the attackers. Today, there are ransomware-as-a-service offerings, and the hacker gangs have become companies that generate a great deal of revenue. They sell licenses and subscriptions to other hacker gangs, who then carry out specific attacks and transfer part of the ransom money to the providers.
In summary, it can be said that today, very professionally positioned companies also face professionally positioned attackers.
The consequences of cyber attacks: Information risks and threats to business-critical processes
What are the possible consequences of cyber attacks?
On the one hand, it concerns information that can be disclosed to parties who should not receive it. This is the part where information needs to be protected. On the other hand, important processes are also handled via many information systems. For example, an ERP system that triggers payments is an interesting target for trying to trigger payments and gain control over a company's financial assets.
Practical example: How attackers used sophisticated tactics to steal half a million dollars from a US community
Can you give a practical example?
There was an interesting example in the USA. There, a community was attacked. The attackers managed to penetrate the ERP system to such an extent that they were able to process a payment. To then carry out this payment, they showed a very high level of criminal energy. They set up their own front company, including a website, and recruited immigrants who had recently moved to the region and were not yet very familiar with the local job market. The recruitment process consisted of two interviews. The attackers then triggered a variety of smaller payments via the ERP system over several weeks during the summer vacation, when only a few people were working in the administration. The money flowed to the recruited private individuals who, believing they were monitoring and processing payments for a legitimate company, forwarded the money to the attackers. As a result, the community lost around half a million US dollars. Only the private individuals could be located.
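As an added example, not part of the interview and not something the affected community is described as using, the following Python sketch shows how the payment pattern described above (a series of small payments to a recently created payee over a few weeks) can be flagged from ERP payment records. The approval threshold, the "new payee" and sliding-window sizes, the vacation period and the sample ledger are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Payment:
    pay_date: date
    payee: str
    amount: float
    payee_created: date  # date the payee's master record was created in the ERP


# Thresholds and calendar are assumptions for this example, not values from the article.
APPROVAL_THRESHOLD = 5_000.0   # above this amount a second approver is required (assumed)
NEW_PAYEE_DAYS = 60            # a payee record younger than this counts as "new"
WINDOW_DAYS = 21               # sliding window in which small payments are aggregated
MIN_PAYMENTS = 3               # at least this many payments in the window
LOW_STAFFING = (date(2023, 7, 15), date(2023, 8, 20))  # assumed summer-vacation period


def _in_low_staffing(d: date) -> bool:
    start, end = LOW_STAFFING
    return start <= d <= end


def flag_structured_payments(payments):
    """Return {payee: finding} for payees that receive a series of sub-threshold
    payments which together exceed the approval threshold within the window."""
    by_payee = defaultdict(list)
    for p in payments:
        by_payee[p.payee].append(p)

    findings = {}
    for payee, plist in by_payee.items():
        plist.sort(key=lambda p: p.pay_date)
        # Only payments below the threshold can be used to dodge the second approver.
        small = [p for p in plist if p.amount < APPROVAL_THRESHOLD]
        for i, first in enumerate(small):
            window_end = first.pay_date + timedelta(days=WINDOW_DAYS)
            window = [p for p in small[i:] if p.pay_date <= window_end]
            total = sum(p.amount for p in window)
            if len(window) >= MIN_PAYMENTS and total >= APPROVAL_THRESHOLD:
                reasons = ["structured_below_threshold"]
                if (first.pay_date - first.payee_created).days <= NEW_PAYEE_DAYS:
                    reasons.append("new_payee")
                # Majority of the payments fall into the low-staffing period.
                if sum(_in_low_staffing(p.pay_date) for p in window) * 2 > len(window):
                    reasons.append("low_staffing_period")
                findings[payee] = {
                    "count": len(window),
                    "total": round(total, 2),
                    "window_start": first.pay_date,
                    "reasons": reasons,
                }
                break  # one finding per payee is enough for triage
    return findings


# Constructed sample ledger: one suspicious series plus two ordinary vendors.
SAMPLE_PAYMENTS = [
    Payment(date(2023, 7, 17), "Mule Account 1", 1_900.0, date(2023, 6, 20)),
    Payment(date(2023, 7, 24), "Mule Account 1", 2_400.0, date(2023, 6, 20)),
    Payment(date(2023, 8, 2), "Mule Account 1", 1_800.0, date(2023, 6, 20)),
    Payment(date(2023, 8, 9), "Mule Account 1", 2_100.0, date(2023, 6, 20)),
    Payment(date(2023, 7, 5), "Office Supply Co", 450.0, date(2019, 3, 1)),
    Payment(date(2023, 8, 1), "Office Supply Co", 520.0, date(2019, 3, 1)),
    Payment(date(2023, 7, 20), "Road Contractor LLC", 48_000.0, date(2015, 9, 12)),
]

if __name__ == "__main__":
    for payee, finding in flag_structured_payments(SAMPLE_PAYMENTS).items():
        print(payee, finding)
```

The rule combines three weak signals (structuring below the approval threshold, a newly created payee, and timing in a low-staffing period) because each alone produces too many false positives on a real ledger; the assumed thresholds would need tuning against the organization's own payment history.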
Effective prevention against cyber attacks: Why a holistic approach is crucial
What is the most efficient way to prevent cyber attacks?
This is quite difficult to answer, as there are many ways in which you can be attacked. You have to be aware that security acts like a chain of measures. Every single link in this chain must be strong. An attacker will always try to get in through the open door and not attack the best defended position. Accordingly, it is important to take a systematic approach and not only limit yourself to individual measures but to approach the project holistically.
With the many new cloud systems, there are challenges in terms of employee skills and knowledge. They must be trained on the respective systems. The new systems are now professionally operated by specialized providers who know their applications and are therefore much more secure from a technical point of view than they were just a few years ago. At the moment, the trend is clear that the weakest link in the security chain is the person who uses bad passwords and introduces malware via phishing emails. The ransomware attacks that have recently been frequently described in the media are also usually due to human error.
Basics of effective IT security: A systematic approach and continuous development
What does good IT security look like?
As I said, the systematic approach is very important. It is essential that you maintain a security management system in the company that covers all aspects, the technical side and also the employees. They must be aware of what they should or should not do and must be able to recognize when they are being manipulated. This security management system must then be improved step by step. It is important to recognize that security cannot be bought. You can determine the current situation and then try to improve. This is a type of arms race. You can imagine it as in the Cold War: each party puts something on the wall, and the aggressor brings a correspondingly larger gun. It is essential that information security is kept alive and developed so that it remains up to date.
Cybercrime: A risk for all companies
Does good IT security guarantee that you won't be a victim of a cyber attack?
No. You can see this even when you consult the media; it can affect virtually anyone. In the past, there were also companies that were in the press due to a successful attack. However, this was very rare, and often the attacks were ideologically motivated. Today, cybercrime is a big business in which billions of dollars of revenue are generated. Many professional service providers, who are anything but poorly positioned in IT, are also victims of cyber attacks today. The financial incentives are now so great that any company, no matter how large, can be affected by an attack. It is no shame to end up in the press for that. This helps to increase awareness in society. It would be very bad to simply ignore the issue.
IT security: Where is the best place to start?
Where is the best place to start protecting information?
There are many areas where you can do something. The top three risks I would tackle are:
- Identity and password management. Very few companies today use a password manager. Alarm signs are things like employees who work on a website and know the password by heart. Then the password is probably too short and may even be reused on several different sites. Such things are clear indications of insecure passwords.
- As a result of the home office trend, private devices are also increasingly being used. Shadow IT is created there. Official IT no longer offers support, but data is accessed from private devices that are outside the security officer's view. You could try to ban all of this, but that would be an inefficient solution. The better approach is to integrate everything. You should ask yourself how decentralized devices can also be made secure for use. Endpoint security is a suitable keyword here.
- The third problem is posed by users who fall for deceptively genuine phishing emails and thus introduce malware. Successful ransomware attacks are usually due to a training problem: employees are not trained to recognize such attacks.