Information security in 2023 - How well protected are you?
Media reports about hacker attacks and stolen data are on the increase. Information security is a much-discussed topic. But what is information security? Which areas are covered? And what does a cyber attack mean for your organization? We asked our expert.
Information security: the be-all and end-all for companies and organizations
Stefan, you have over 20 years of experience in the IT industry and are a part-time lecturer in information security. Can you briefly explain what is meant by information security?
Assets, i.e. things of value, are protected with security measures. Information security is the protection of information and information systems as one type of asset, closely interlinked with data protection. Information systems are often, and increasingly, technical IT systems. But a physical filing cabinet is also an information system. If you only want to talk about the security of IT systems, the term IT security is often used. The term cyber security is also in fashion; it is sometimes used synonymously with IT security and sometimes narrowed to refer specifically to attacks from the Internet.
IT security: your company's protective shield
Which areas are covered by IT security?
The classic protection goals are confidentiality, integrity and availability. However, as IT now plays a role in almost every area of a company, many other assets are also increasingly exposed through information systems. In this respect, the interpretation that "only" information should be protected would be a misleading delimitation. In addition to finances, such as access to e-banking, many vital functions that can no longer be performed without functioning IT are also protected. Information systems themselves are therefore usually not the main target of an attacker, but only a means to an end for attacking other assets.
The relevance of IT security in companies
Why is IT security important?
IT security is becoming increasingly important and relevant for all of us. This is for two reasons. On the one hand, important business functions depend on it; companies have been driven to bankruptcy by successful attacks on their IT infrastructure. On the other hand, IT is virtually everywhere in the company, even if this is not always obvious.
Change in the IT security sector: challenges and progress in times of cloud systems and professionalized hacker gangs
How has the sector changed in recent years?
The sector has changed significantly in recent years. This is due to technological developments such as cloud systems, which bring a new level of complexity to companies. At the same time, cloud systems have also brought many improvements. Systems are now operated much more professionally than they were 20 years ago. It has therefore become more difficult to penetrate a system. In this respect, we can speak of an improvement in information security.
On the attacker side, there has been a strong professionalization. Today, there are ransomware-as-a-service offerings; the hacker gangs have become companies that generate a lot of revenue. They sell licenses and subscriptions to other hacker gangs, which then carry out specific attacks and transfer part of the ransom money to the providers.
To summarize, today very professionally run companies are facing equally professionally run attackers.
The consequences of cyber attacks: Information risks and threats to business-critical processes
What are the possible consequences of cyber attacks?
On the one hand, it is about information that can be disclosed to parties who should not receive it. This is the part where information needs to be protected. On the other hand, many information systems also handle important processes. For example, an ERP system that triggers payments is an interesting target to try to trigger payments and gain control over a company's financial assets.
Practical example: How attackers used sophisticated tactics to deprive a US community of half a million dollars
Can you give a practical example?
There was an interesting example in the USA. A municipality was attacked there. The attackers managed to penetrate the ERP system to such an extent that they were able to process a payment. In order to execute this payment, they went to great criminal lengths. They set up their own dummy company, including a website, and recruited immigrants who had recently moved to the region and were not yet familiar with the local labor market. The recruitment process consisted of two interviews. The attackers then triggered a large number of small payments via the ERP system over several weeks during the summer vacation, when only a few people were working in the administration. The money flowed to the recruited private individuals who, believing they were monitoring and processing payments for a legitimate company, forwarded the money to the attackers. The community lost around half a million US dollars. Only the private individuals could be traced.
Effective prevention against cyber attacks: Why a holistic approach is crucial
What is the most efficient way to prevent cyber attacks?
This is quite difficult to answer, as there are many ways in which you can be attacked. You have to be aware that security is like a chain of measures. Every single link in this chain must be strong. An attacker will always try to get in through the open door and not attack the best defended position. It is therefore important to take a systematic approach and not just limit yourself to individual measures, but to approach the project holistically.
The many new cloud systems pose challenges in terms of employee skills and knowledge. They need to be trained on the respective systems. The new systems are now operated professionally by specialized providers who know their applications and are therefore much more secure from a technical perspective than they were a few years ago. At the moment, there is a clear trend that the weakest link in the security chain is the person who uses bad passwords and introduces viruses from phishing emails. The ransomware attacks frequently described in the media in recent times are also generally due to human error.
Fundamentals of effective IT security: a systematic approach and continuous development
What does good IT security look like?
As I said, the systematic approach is very important. It is essential to maintain a security management system in the company that covers all aspects, the technical side and also the employees. They must be aware of what they should or should not do and must be able to recognize when they are being manipulated. This security management system must then be improved step by step. It is important to realize that you cannot buy security. You can determine the current situation and then try to improve. This is a kind of arms race. It is like the Cold War: each party puts something on the wall, and the attacker brings a correspondingly larger cannon. It is essential that information security is lived and developed further so that it remains up to date.
Cybercrime: a risk for all companies
Does good IT security guarantee that you won't fall victim to a cyberattack?
No. You can also see this if you consult the media: practically anyone can be affected. There used to be companies that were in the press from time to time due to a successful attack. However, this was very rare, and the attacks were often ideologically motivated. Today, cybercrime is a big business that generates billions of dollars. Many professional service providers, who are anything but poorly positioned in IT, are now also victims of cyber attacks. The financial incentives are now so great that any company, no matter how large, can be affected by an attack. There is no shame in ending up in the press because of this. It helps to raise awareness in society. It would be very bad to simply ignore the issue.
IT security: where is the best place to start?
Where is the best place to start protecting information?
There are many areas where you can take action. The top three risks where I would start are:
- Identity and password management. Very few companies today use a password manager. Warning signs are things such as employees who work on a website and know the password by heart. Then the password is probably too short and may even be reused on several different sites. Such things are clear indicators of insecure passwords.
- Due to the home office trend, private devices are also increasingly being used. This creates shadow IT. Official IT no longer provides support, but data is accessed from private devices that are outside the view of the security officer. You can try to ban everything there, but that would be an inefficient solution. The better approach is to integrate everything. You should ask yourself how decentralized devices can also be made secure for use. Endpoint security is a suitable keyword here.
- The third problem is users who fall for deceptively genuine-looking phishing emails and thus introduce malware. Successful ransomware attacks are usually due to a training problem. Employees are not trained to recognize such attacks.
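The first of the three risks above, weak and reused passwords, is the one that can be checked mechanically. The following is an added example, not code from the interview or from the expert's organization: a small audit that flags the warning signs named there (a password that is too short, a password reused across accounts) and additionally checks each password against a breach corpus using the SHA-1 prefix lookup pattern that breach-check services use, so that only the first five hex characters of a hash ever leave the client. The account list and the "breach corpus" are constructed for the example and are not real data; the minimum length of 12 is an assumed policy value.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory of (account, password) pairs. Illustrative only.
SAMPLE_ACCOUNTS = [
    ("erp.example.com", "Sommer2023"),
    ("webmail.example.com", "Sommer2023"),
    ("crm.example.com", "Sommer2023!"),
    ("bank.example.com", "x7#Lq!9vRt2$pWm8ZeA1"),
    ("timesheet.example.com", "pass1234"),
]

# Constructed stand-in for a breached-password corpus, stored as upper-case SHA-1
# hex digests (the form breach-check range APIs serve). Not real breach data.
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("pass1234", "password", "Sommer2023", "123456")
}

MIN_LENGTH = 12  # assumed policy value for this example


def sha1_hex(password):
    """SHA-1 is used only because that is the corpus format; never store passwords this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix, corpus=KNOWN_BREACHED_SHA1):
    """Return the hash suffixes in the corpus that share the 5-character prefix.

    Mirrors the k-anonymity pattern: the caller discloses only the prefix, and
    matching against the full digest happens locally in is_breached().
    """
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(password, corpus=KNOWN_BREACHED_SHA1):
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5], corpus)


def audit(accounts, min_length=MIN_LENGTH, corpus=KNOWN_BREACHED_SHA1):
    """Return {account: [finding, ...]} for every account with a short, reused or breached password.

    Accounts without findings are omitted from the result.
    """
    by_password = defaultdict(list)
    for account, pw in accounts:
        by_password[pw].append(account)

    findings = defaultdict(list)
    for account, pw in accounts:
        if len(pw) < min_length:
            findings[account].append("too short (%d < %d)" % (len(pw), min_length))
        others = [a for a in by_password[pw] if a != account]
        if others:
            findings[account].append("reused on " + ", ".join(sorted(others)))
        if is_breached(pw, corpus):
            findings[account].append("appears in breach corpus")
    return dict(findings)


if __name__ == "__main__":
    for account, problems in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(account)
        for problem in problems:
            print("  -", problem)
```

Running the block reports the two accounts sharing "Sommer2023" as short, reused and breached, the "Sommer2023!" variant as short only (a trailing symbol does not rescue a ten-character word), "pass1234" as short and breached, and nothing for the long random password. In a real deployment the inventory would come from the password manager's export or a directory, and the corpus lookup from a breach-check service's range endpoint; the important design property, that the full password or full hash is never transmitted, is preserved by the prefix split in `is_breached`.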