By Martin Domian
Martin, Advisor for Information Security at EBF, applies his expert knowledge to analyze the measures that can guarantee the right level of company-wide visibility for this topic. He views IT security as a key priority and made a significant contribution to the ISO 27001 certification for EBF.
Hacker groups gain access to systems and data, and then bring companies to a standstill by encrypting that data. They then demand large sums of money to release the encrypted information. That sounds like a crime story. But sadly, it is becoming a harsh reality for more and more companies. According to Bitkom, ransomware attacks of this nature caused losses amounting to EUR 24.3 billion in Germany in 2020. And the numbers are on the rise. The frequency of attacks is increasing and they are becoming more versatile and professional. They target vulnerabilities – a term that can refer to insecure employees or a lack of technology that would be able to repel the attacks.
The good news: Companies no longer need to expose themselves to these risks without protection. They could and should invest in effective technologies and raising the awareness of their employees, and they need to prepare for an emergency situation. This blog article explains why that is so important, and how it can be achieved.
Germany’s first cyber-catastrophe will certainly not be its last
In July, the District Administrator (Landrat) of Anhalt-Bitterfeld declared Germany’s first cyber-catastrophe. A ransomware attack infected the district’s IT systems with malware, encrypting data and demanding a ransom. The systems had to be disconnected to avoid any further damage. The district administration was paralyzed for nearly two weeks. It was not possible to send or receive e-mails and no social security benefits were paid out. Even long after the attack, a return to normal operations is still some way away.
This was nowhere near the first cyber-attack in Germany. And it will probably not be the only cyber-catastrophe.
The threat level is high
In a “Report on the State of IT Security in Germany 2021”, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (BSI)) clearly explains that there is a very high, real and increasing threat level emanating from cyber-attacks, and ransomware attacks in particular, for companies, hospitals and public authorities.
The BSI notes that attackers now also apply increased pressure on their victims, forcing them to act: They demand more than just a ransom. They also threaten to contact customers of the victim and publish stolen data – even selling or auctioning it. This happened to a software producer that was targeted for its program code.
On average, once the attack is discovered it takes 23 days to clean the systems and restore them completely. This has a significant financial impact and can often lead to high follow-on costs – as external specialists have to be contacted to close backdoors. And the effects may not be just financial in nature.
Attackers have countless opportunities – and sometimes it is easy going for them
There are many gateways available to attackers. Phishing, social engineering, insider attacks or vulnerabilities in IT systems pave the way for them – and access has become even easier as so many more people are currently working from home.
According to Bitkom Research, 42% of cyber-attacks in 2020 can be traced back to the unintentional actions of (former) employees. This is consistent with the findings of our EMEA survey, in which respondents rated human error as the second-highest security risk, at 47%.
In particular, sights were set on those companies where
- attackers are faced with few security precautions,
- they can target especially interesting content, or
- action is urgently required, e.g., in the healthcare sector.
Attackers can purchase the malware they require on the darknet – Ransomware-as-a-Service, so to speak.
How can you protect yourself?
Protection from ransomware attacks is based on three pillars:
Using regular training to raise employee awareness of the topic is of critical importance. This can significantly reduce the risk they pose. Every employee counts. This awareness training is especially important for administrators responsible for system operation and maintenance, and the IT specialists who create or develop the systems.
Companies need to invest in technology that makes use of automatic procedures and artificial intelligence to recognize and repel an attack before it takes effect. Virus scanners, malware tools and mobile threat defense solutions can be used here, for example. Updates to operating systems and applications should be installed in a timely fashion, and monitoring of data transfers and security-relevant system events should take place as a matter of course. These technologies and measures allow you to support your employees, who will still need to be aware but do not have to be constantly on alert. This is also important as training courses have no effect on attacks such as Pegasus, which require no user interaction in some scenarios.
However, as raising employee awareness and making use of technology will never achieve a 100% level of security, you need to prepare for an emergency situation. It is essential to create offline backups of critical company information, which can be restored as required. And there needs to be a clear plan for how to react to such an attack.
The challenges are considerable
Ensuring security is a complex and challenging task that requires profound expertise. This task becomes particularly difficult in an era characterized by a shortage of skilled professionals, when change is often frequent and unscheduled. Nonetheless, it is critical to deal with IT security as a matter of suitably high priority at all times. There is otherwise a risk of major losses that can have far-reaching effects, destabilizing the progress of digitalization. The increasing dependence on digitalized information puts the ability of these organizations to continue working at greater risk.
With this in mind, we would like to leave you with three thoughts that have often proved helpful, as we often see companies enjoying a false sense of security:
The guiding principle of your company cannot be hope. Don’t wait until it is too late to react!
Convenience must not prevail over security. It often feels like those two aspects oppose one another in everyday life – with regard to passwords, for example.
Proceed in a risk-based manner, first addressing the vulnerabilities that represent the greatest danger.