Criminal hackers are constantly developing new attack methods. How can companies protect their systems from the ground up and arm themselves against new threats?
Nine out of ten companies in Germany were recently affected by cyberattacks, a study by the IT industry association Bitkom found in 2020/2021. Data theft, sabotage and extortion on the internet cost the country’s economy more than 220 billion euros a year – doubling the amount just a year earlier. Not long ago, a wave of attacks hit a number of well-known companies and government agencies in several countries. These incidents were caused by Log4Shell, one of the largest known security vulnerabilities in the history of the Internet. It allows criminals to infiltrate malware into corporate and government networks. Intruders can take over websites, intercept login data, copy confidential documents or insert backdoors into the code to attack at a later time.
Even seasoned IT professionals were shocked that such a huge security issue went unnoticed for quite a long time. And yet circumstances like these are not uncommon. Targets for cyberattacks are growing in scale, as a result of major trends such as remote working or smart buildings.
We therefore recommend that companies carry out regular security checks on their IT systems. This preventive measure works regardless of current attack methods. Despite all the concern about increasing cyberattacks, there is good news: the essential fields of action can make a huge impact in fighting cybercriminals:
Working from home is now much more commonplace than it was just a few years ago. But if a larger number of employees access their corporate systems remotely, conscientious behavior is extremely important. For example, a company laptop may have a secure VPN, but the home network may not be protected. We therefore recommend regular Cyber Security campaigns and trainings, informing about risks and reminding employees of basic rules of conduct.
Companies need clear quality criteria and security rules for all IT areas that use external service providers. For example, a cloud framework and so-called whitelists to ensure data loss prevention (DLP): Which data do we need to encrypt? Who is allowed to use our systems and documents, and how? Which cloud services are provided?
Register and manage incidents
To catch data leaks or cyberattacks early, companies can set up a Security Operation Center (SOC). The SOC monitors all systems, and sounds the alarm in the event of anomalies, for example, when large amounts of data are accessed at unusual times. The organization must be well prepared for emergencies. For example, data backups should be up-to-date, and a redundant e-mail system should be in place.
Protecting critical systems
Depending on the industry, certain IT services are indispensable for day-to-day business. Here, companies should pull out all the stops, both technically and organizationally. Access rights should be strictly limited. Data must be saved in comprehensive backups. We also recommend regular penetration tests and a central control unit.
Shielding sensitive data
Classic gateways for hackers can be blocked technically, for instance, by encrypting e-mails and drives. It’s also very valuable to have a detailed user concept that classifies systems and data and defines exactly who is allowed to access them.
Productivity with a safety net
IT systems must be protected not only virtually, but also physically. Companies should host their critical infrastructure in a way that it can resists a fire, an earthquake or a flood. The ideal solution is to have a complete backup system at a different location.
The points described above are only an excerpt from a comprehensive concept that we apply in our projects: The Grosse-Hornke “House of Cyber Security” defines all the criteria to assess a company’s information security. You can derive the most important steps from this framework, to make your systems more secure, even and especially in times of crisis – and without overburdening your organization.
2021 Grosse-Hornke Private Consult