Holistic approach to sustainable information security
Not only in large corporations but also in small and medium-sized enterprises, digitalisation is networking business and production processes ever more tightly. This also raises the risk: complex, networked infrastructures present a larger attack surface to cybercriminals. Isolated security measures therefore no longer match today's threats. Appropriate protection for business-critical information and systems requires an integrated, strategic approach, one that also covers data protection, employee awareness and training, and every infrastructure element, from IT and multifunctional systems (networked printers and copiers) in offices to IoT sensors in factory buildings and IP cameras on building exteriors.
Author: Florian Goldenstein, Head of IT Security, Konica Minolta IT Solutions GmbH
Small and medium-sized enterprises (SMEs) are increasingly the target of cyberattacks: in Germany alone, according to a Forsa survey, 30 percent of all SMEs have fallen victim to a successful cyberattack. Although German SMEs are above-average innovators in their fields of business, their IT systems are often less well protected than those of larger companies, and according to analysts that is precisely what makes them a preferred target at present. On a global average, the financial damage per successful attack amounts to around two million euros, and according to Accenture the costs caused by cybercrime rose by 27 percent worldwide in 2017.
Extortion included: attack waves according to the kill-chain pattern
This sharp increase reflects a changed threat situation: unlike in the past, malware no longer damages the infiltrated system immediately but stays undetected for as long as possible, which lets cybercriminals harvest far more confidential information. All too often the weak point is a careless employee: a single click on a malicious link in an e-mail is enough for a malicious program to install itself unnoticed on that computer. From there the malware tries to spread to other systems across the network, recording screenshots and keystrokes along the way.
The attackers thus learn and imitate the typical user behaviour in the attacked company ever more closely, so that nobody notices their activities in everyday business. The longer this game of hide-and-seek goes on, the more fraudulent money transfers the perpetrators can trigger, at a financial services provider for example, and the higher the sums they capture. Europol's current cybercrime report describes this pattern as business email compromise (BEC) and puts the associated losses between 2013 and 2017 at around five billion dollars.
The Europol report highlights the growing number of ransomware incidents as a further threat class that increasingly affects SMEs throughout Europe. Ransomware is malware that takes data and systems hostage: it either blocks access to the system so that programs can no longer be started, or it encrypts stored data and thus renders it unusable. The perpetrators then demand a ransom for the release, usually in a cryptocurrency such as Bitcoin, because such payments are harder to trace. Paying offers no guarantee of recovery; regularly tested, offline backups remain the most reliable way to restore operations without paying.
Urgent need for action: SMEs targeted by cybercriminals
According to Europol, a major threat comes in particular from the rapid spread of IoT devices, which are often inadequately protected. The infamous Mirai botnet, which spread by logging in to devices with their factory-default credentials, is said to have hijacked more than 300,000 IoT devices at times, many of them IP cameras. It has been used to launch Distributed Denial of Service (DDoS) attacks on web servers with bandwidths of more than one terabit per second, and it is also believed to be behind the October 2016 attack on the DNS provider Dyn, which left many major websites unreachable for hours, above all on the east coast of the United States. DDoS attacks can likewise take entire production facilities offline and, in the worst case, critical infrastructures such as the water or energy supply.
While most large companies have systematically built up their detection and defence capabilities against the various forms of cybercrime in recent years, the SME sector often lacks the resources to do so. According to a study by Capgemini, around 68 percent of all companies worldwide are currently looking for IT security experts. Because expertise in effective security measures is especially scarce in small and medium-sized businesses, organised criminal groups are increasingly targeting this segment. Every company must therefore assume today that it is highly likely to be hit by a cyberattack in the future. For a medium-sized company, a production shutdown lasting several days due to a DDoS attack or a ransomware extortion could mean drastic losses or even put it out of business.
360-degree view of the challenge
In addition to a lack of awareness of the problem, attackers have such an easy time with many SMEs because they usually only have to overcome isolated, and therefore ineffective, IT security solutions, if any. Further dangers arise from unregulated, insufficiently controlled network access and lax password handling. Multifunctional systems, which are integrated into the corporate network at many points, are widely underestimated as an attack surface even though their internal hard disks often hold copies of strictly confidential documents. Video surveillance cameras are likewise often connected to the network without further thought or protection.
All in all, an SME has to act on many fronts at once, and with a simple collection of uncoordinated security products the actual risks can hardly be contained today. What is needed is a strategic approach that treats corporate security as a 360-degree project. The first step is to check all infrastructure areas for possible weak points: server, storage and network components as well as client PCs, mobile devices, multifunctional systems, network cameras and the IoT sensors on machines and systems used in production.
The transparency gained in this way allows the actual protection requirements of each infrastructure area to be determined precisely, and only on that basis can the budget for an appropriate level of security be spent in a targeted manner. Companies that lack the necessary in-house assessment expertise are well advised to bring in specialised external expertise.
Step by step to the optimal level of protection
The assessment of the initial situation should be accompanied by a professional vulnerability analysis, supplemented by penetration tests in which simulated cyberattacks both uncover security gaps and reveal how effective the existing prevention and defence mechanisms actually are. These analyses should not be limited to technical aspects such as firewalls, data encryption or anti-malware systems, but should also cover the organisational environment: who had access to the data centre, when, and were they alone? Correctly integrated into the overall concept, security cameras provide a continuous, verifiable record and tamper-evident documentation, provided the footage itself is stored securely and access to it is controlled. Also necessary are rules for network access, policies for the use of mobile devices, administration and user rights and, a particularly important point, the sensitisation of the workforce. At this point it also becomes clear why there can be no universal information security concept: every company has very specific requirements and therefore needs its own tailor-made concept.
Such a concept always rests on the comprehensive overview that the analysis described above provides. On this basis, all necessary measures can be derived for all systems, processes and actors. Step by step, companies thus approach a clearly defined target state which, in addition to an optimal level of protection, also describes documentation and audit requirements. Depending on the protection priority determined, the appropriate security solution for firewalls, network access, encryption, multifunctional systems, IP cameras and all other infrastructure elements can then be selected, procured and implemented.
A major advantage of this structured approach is that, alongside higher information security, it efficiently creates the organisational prerequisites for the legally required proof of the protection level achieved. One need only think of the General Data Protection Regulation (GDPR), applicable since 25 May 2018, for whose implementation many medium-sized companies likewise depend on external support.
A further advantage of a holistic 360-degree security concept usually only becomes apparent during a cyberattack, because one hundred percent security is just as impossible in the digital space as in other areas of life. The transparency gained through the analysis, however, improves the ability to respond to an attack: the spread of malware in the network can be contained at an early stage, minimising the loss of information and the disruption of business and production processes.