Information security only works with a holistic approach

Interview with Florian Goldenstein, Head of IT-Security, Konica Minolta IT Soutions GmbH

Mr. Goldenstein, what security risks are companies currently facing?
In recent times, criminals have increasingly succeeded in penetrating corporate networks via weak points. Whereas in the past a virus was only supposed to cause damage, today intelligent malware aims to remain undetected for as long as possible and to extract as much data and information as possible. Ransomware is also dangerous: with this blackmail software, data is complexly encrypted by hackers and only released for ransom. The damage caused by these attacks is already in the multimillions.

It is also conceivable that hackers could paralyze entire production facilities in companies, in the worst case even critical infrastructures on a national level. Attacks are becoming more and more sophisticated and more difficult to trace. In addition, criminals are using the advantages of artificial intelligence for their activities. The associated danger is that companies affected will suffer major financial losses. Small companies are even threatened with bankruptcy. There is also the threat of serious damage to their image. The situation is therefore threatening.

Can medium-sized and smaller companies still lull themselves into security because they are not interesting for criminals?
No, not at all. It is no longer the question of whether a company will be attacked, but when. Regardless of the size of the company. Large companies have become better and better prepared for cyber attacks. In the past, data loss or costs due to ransomware extortion were too painful. This is why cyber criminals are increasingly focusing on small and medium-sized enterprises (SMEs) and networked control devices in the IoT sector where they expect a less sophisticated security infrastructure. In this way, they hope for a higher chance of success for their attacks. The potential victims must therefore become aware of the adapted strategies of the attackers and, due to the frequent lack of human resources and insufficient know-how, look for experts to support them in effectively and efficiently protecting their company.

Where do you see the greatest dangers?
The fundamental problem is that many managers in companies have not yet developed an awareness of the existing dangers and do not consider and approach security strategically. This often leads to no or wrong security solutions being available or existing ones not being used correctly due to a lack of know-how. Further sources of danger are missing access controls and regulations to the network or insufficient password guidelines. Multifunctional systems are often underestimated, which are usually integrated into the corporate network and can contain confidential data on integrated hard disks and main memories. Without access control and security certificates, they are easy targets. The same applies to video surveillance cameras, which often hang on the network unnoticed and without adequate protection. Another major vulnerability is the human factor: lack of security awareness causes attachments infected with malware to be opened, dangerous links to be clicked or passwords to be used that are easy to decrypt.

That sounds like a lot of building sites. How can companies address this challenge properly and protect themselves from security risks?
Today’s cyber threats can no longer be contained by a simple collection of security products. It is important to take a strategic approach. This means viewing corporate security as a 360-degree project and checking all security-relevant areas - from infrastructure and information security to multifunctional systems and video security for buildings, the environment and production - for weak points and creating transparency. This is the only way for companies to discover systems worth protecting, security gaps and incidents that are otherwise easily overlooked. Greater transparency shortens response times, increasing security levels and reducing the risk of potential damage. It is important to start with a detailed analysis, i.e. answer the questions “What do we need to protect and where can we be attacked?” Only then does a suitable, individualized security system with strategically placed solutions and continuous monitoring make sense.                                               

What does the concrete procedure look like? Is there a standard solution?
There is no one-size-fits-all solution for optimum security. Depending on the company, an individual mix of measures is necessary to successively increase security. Ideally, you start with an ACTUAL analysis at the beginning. Based on this analysis, companies and corresponding security service providers have a clue as to the challenges they are confronted with. A so-called penetration testing (pentest) is helpful here. This allows the hardship case to be simulated under conditions that are as realistic as possible. The pentest shows how well the protection mechanisms already in place work. The analysis then focuses, among other things, on the organizational basics, employee sensitization, basic security (e.g. firewall, antivirus, etc.), access to the network, mobile systems, admin & user authorizations, encryption concept, IoT, logging or security in virtual environments.

What steps will be taken after the analysis?
The analysis gives us an overview of existing security gaps. On this basis, a comprehensive concept is developed that includes all participants, systems and processes - including an emergency plan with a precise definition of who, when and what to do in the event of an attack. In the downstream process, the identified weak points can now be closed step by step and with suitable measures in order to achieve the target state. This defines how external access to the respective company is to be secured and how companies can meet existing audit and documentation requirements. On the one hand, it is necessary to implement the appropriate security solutions in the company environment as smoothly as possible for the respective case. These can be new IT security solutions such as AV or firewall solutions or security concepts for multifunctional systems or video security systems. On the other hand, encryption and authorization concepts must be created. In addition, the large number of companies requires the introduction of processes that are prescribed by legislation. At present, for example, several companies are still struggling to meet the requirements of the latest Basic Data Protection Regulation. Here, too, external help is necessary in most cases.

Apart from the technical and organizational side, is there anything else to consider?
A very central point is the human factor, through which - consciously or unconsciously - a large number of security breaches occur. This makes it all the more important to create appropriate awareness. Security training courses, for example, help to raise awareness among employees and reduce human error. Classic examples are not to click without hesitation on all attachments and links in e-mails or to use 1,2,3,4,5 or one’s own date of birth as a password. Technical measures such as sensible network segmentation and strict access controls and authorization concepts for access to devices, machines and data can contribute to a noticeable increase in corporate security.

Are companies completely protected?
No one can guarantee absolute security, as new vulnerabilities are constantly emerging that can be used as gateways by cyber criminals. This makes it all the more important to take a holistic, sustainable and continuous approach to security. This means that management, IT and specialist departments as well as production must work closely together and understand this holistic protection as a process that also requires its annual “update.” The IT security environment of companies must not only constantly withstand new attacks from outside; changes are also constantly taking place within the company, such as through the use of new hardware systems or software updates. Such changes to systems and processes make it necessary to continually re-evaluate the overall condition and to initiate the necessary measures. Of course, this also applies if a company has become a victim of a cyber attack. But even without a current reason, regular analysis should take place as part of the 360-degree approach. In this process, which exceeds the know-how and resources of most companies, experienced consultants and service providers such as Konica Minolta can help to address the highly complex issues of comprehensive corporate security.