How can SMEs protect themselves against cyberattacks?
You advise SMEs on cybersecurity issues. So I have to ask: have you ever been hacked yourself?
I personally have not.
This means that you can effectively prevent cyberattacks.
I'm rather too small for attacks. But I know that even my rudimentary website is constantly being attacked, depending on where the address appears. I can see that.
So whether a company is attacked depends on its size, its economic importance?
I don't think you can put it that simply.
The question is rather: Are you part of the cybercriminals' target group? And what kind of footprint might you be leaving behind on the Internet to attract attention?
When hacking attacks are carried out, people also look for weak points, according to the motto: "If someone is weak now, then I'll go in there." This can motivate an attack, especially in the case of state institutions.
But the conclusion "I'm a small company, I'll never be hit" is simply wrong. I can see that from my website. It's being fired at, even though there's nothing there that would hurt me if it were lost to a cyber attack.
"It's just destructive quality"
How do you assess the current threat situation? Has the number of cyber attacks increased?
Yes, they have increased massively.
This of course also has to do with February 24, the start of the war in Ukraine. Since then, cyber attacks have taken on a different quality and have certainly increased again. This is also shown by the Cybersicherheitsagenda of the BMI for the 20th legislative period.
These are no longer the type of attacks that we were already familiar with. In the sense of: We're going to do a "funny prank". Or: We encrypt the victim's data and extort a ransom.
Those days are over, we don't bother with that anymore.
Cyberattacks now look like this: We steal data and delete it directly. That's just destructive quality.
And if you're not prepared, you'll end up with nothing.
But those affected tend to keep a low profile.
Unfortunately, people are very reluctant to communicate publicly: We have been hacked.
At the same time, the affected companies are not the only ones to whom this happens, but are "in good company" - also because the issue is becoming increasingly complex. As a result, things can slip through the cracks.
Smaller companies in particular often don't have a specialist dealing with cyber security, and if they do, only part-time. To put it bluntly: the employee then does security a little on the side. But this also happens in medium-sized companies.
And then it's easy for something to slip through: A system was not updated and that was then unfortunately the gateway.
"The real question is: Can the incident still be managed?"
How well prepared are German companies for cyber attacks?
Hard to say.
If you can trust the trade press: poorly. But if you look a little closer, a more differentiated picture emerges. I do believe that a lot of things are good.
On the other hand, if some places are still operating pre-Christian systems that do not receive security patches - often for supposed cost reasons - then that is problematic.
It is true that the extent of the damage suffered by German companies is extremely dependent on the quality of their preparation: firstly because of their relatively high degree of networking, but also because they are heavily involved with high technology in one way or another.
But the real question is not so much how well an incident can be prevented. The real question is: Can the incident still be managed? And that could be difficult.
What should you do first if you have been hacked?
The very first thing to do if you have been hacked is to report it to the police. They will then block the system as part of their investigation, which means I won't be able to restart the system for at least three days. That's the catch, so to speak. But there's no getting around it.
Then inform the data protection officer and, if necessary, other regulatory authorities. Whether the latter is necessary depends on what kind of organization I am. If I process a lot of personal data, such as hospitals, I will have to report to the data protection officer in my region or federal state relatively quickly.
I should also inform my cyber insurance company, if I have one.
"So to what extent can I even restore the state before the attack?"
And finally, run through the internal playbook:
Convene the crisis team.
Then find out: How much data loss have I suffered? What is the quality of the data I still have? What about the backup? Has it been encrypted - e.g. in the course of a ransomware attack? So to what extent can I even restore the state before the attack? That's also something you have to realize first.
Then clarify: What is the actual problem? Is that all I can see? Or are there other problems?
But above all, you should do the same as in the event of a fire: stay calm.
You mentioned cyber insurance. Should you take out one?
I think: yes.
Some damage can be covered by insurance. And as a customer, the insurance also gives me good access to service providers and experts - some of whom charge high hourly rates.
But that won't cover me against everything. The business interruption may be partially covered. But depending on the impact of the attack, it can easily be several months before you start writing invoices again. No insurance company will fully cover this.
So the be-all and end-all of cyber security is prevention?
Prevention, prevention, prevention, as far as possible. There is simply no such thing as 100 percent security.
One part of this is updating systems. Every second Tuesday of the month is "Patch Tuesday", when Microsoft releases its patches that close security gaps.
But you have to make sure that you close the important gaps that are classified as highly dangerous as quickly as possible.
This has to be regulated. For example, if I have agreed in my SLA, the service level agreement: I want the critical security gaps closed no later than ten days later, the order will go out to my IT or the external service provider too late.
In addition, my IT or the external service provider will usually tackle the PC systems first. This is where gaps occur most frequently. But I can't always try to keep every PC 100 percent leak-proof.
This also applies to the mobile systems, which are often not rebooted at all, but only go to sleep and are restarted in the morning. Then they come back up without booting. If the patch needs a boot, you have to make sure that this happens.
Then there are the servers. They also need a downtime from time to time to update them.
This issue therefore extends to all systems, from cell phones to servers. And the question is: How do I manage this in the organization?
"The best firewall is your own employees"
The second big issue is employee awareness.
There's a great saying: The best firewall is your own employees. I should therefore continuously train my employees.
The topics of such training could be, for example, phishing emails: How do I recognize a phishing email? Does the email with the incorrect grammar really come from the savings bank? Or CEO fraud: Would the CEO of my organization really ask me to transfer this large amount of money to an unknown account?
This is relatively easy to communicate - even with service providers who take care of it.
And you can achieve a lot with this: Email attachments are the most important means of transport for malware and passwords become known above all when an employee gives them out in good faith.
Training your employees is half the battle.
So cyber security has more to do with the processes in an organization than with technical issues?
Yes, the technology is even easier to control in case of doubt because it does not block processes, if you like. You can install the patch, that's not a technical issue. The rest is the organization, that's certainly the case.
But even if you do everything right here, there is no such thing as 100% cyber security.
The most important thing is therefore always to prepare for crisis management.
What would be your most important advice when preparing for crisis management?
Create a crisis manual and plan business continuity.
In the crisis manual, I write out processes to have a checklist that you can then simply run through. This includes topics such as:
Which people do I need now? Who is part of my crisis team? And where do we meet?
I also need to inform my employees. Unfortunately, cyberattacks usually happen at night or at the weekend. On Monday, everyone then unsuspectingly connects their computers to the network, as before, even those that may have been clean. This must be prevented.
Furthermore: Which authorities should I contact first? As I mentioned earlier, I need to inform various bodies: the police, my insurer, perhaps a lawyer and possibly the data protection officer.
These are topics that belong in a crisis manual so that I can proceed according to a script in an emergency.
Replacement processes are also very important: What else can I do if I no longer have a computer? This needs to be clarified for each process in order to limit the downtime.
And finally: What do I do if all the data is gone, including the contact details of customers and other external parties? You can't think this through enough in advance.
Thank you for your time!
You're welcome!