When it comes to security, public authorities in any country also want to represent their interests, some more intensively than others. Germany is not lacking in initiatives and organizations that want to help companies in terms of digital security. Unfortunately, the wheels of public administration can turn very slowly, such as the recently unveiled national economic protection strategy shows. In addition to the key associations BDI and DIHK, different security agencies in Germany are involved in the initiative, including the Federal Office for the Protection of the Constitution, the Federal Criminal Police and the Federal Office for Information Security. Announced in August 2013, it took nearly three years until a significant concept was presented this week. On the whole, the national economic protection strategy is not much more than brochures and explanatory films that are intended to raise awareness of security threats among SMEs – not just in the field of IT. Practical measures such as financial support for companies to hire certified security consultants or implement security projects are lacking. Raising awareness of security threats whether physical or virtual through cyberspace is never a bad thing. But whether a brochure on the Kurdistan Workers Party (PKK), which can be found on the website to download, promotes the protection of the national economy, is questionable. At best, the website www.wirtschaftsschutz.info is a colorful entry point for companies that have not yet been exposed to cyberthreats or information leaks through industrial espionage.
For the majority of companies, especially international enterprises and most SMEs, cyber threats are not new. Awareness on the company side is no longer a priority, consistent implementation is much more important. This was also shown in the recently published Verizon Data Breach Investigations Report (DBIR). In its ninth edition, the authors complain bitterly about the resistance of security managers who ignore existing and known vulnerabilities until it’s too late. The same entry methods for malicious software have worked successfully for years and years. According to the report more than 30 percent of all phishing emails are opened and an incredible twelve percent of users go on to click malicious links. To put this into context, when companies start a legal e-mail marketing campaign, a 1-2 percent click quota is considered successful. Verizon experts find it just as difficult to fathom that there are such a large number of successful attacks on captured username/password combinations, although multi-factor authentication would effectively protect against these attacks.
Awareness needs to be expanded at the user level – if at all – the IT departments already know what they have to do. The usual reasons prevent security measures from being implemented. Lack of budget, time and support from management. In light of this, we should be almost grateful for the current wave of ransomware. It’s suddenly a different matter when companies come to a standstill because important files have been encrypted. The consequences are felt immediately – including by apathetic employees and non-IT-savvy management, rather than dismissed as the latent threat of malware infections lurking in the background.
It cannot be said often enough: IT security is a process, not a product. Anyone who wants to protect valuable company information – processes, documents and data – first need to know what these are, where they are stored and what physical assets they depend on. After gathering this intelligence, a threat profile can be created from the potential threat vectors identified. What is most important or most expensive and exposed to the most threats must be the best protected. If there is no budget available, the risk must be secured or a serious talk must take place with management. If resources are left over, they should be distributed for other IT security measures. IT security could be this simple if it was managed from the top down. But still so many companies fail to do so. Whether the national economic protection strategy will change the situation remains to be seen.