“IT-Security: It’s down to each and every one of us”
Dr. Klaus Schäfer, VP Technology – F24 Group
Malware, hacker attacks, data theft: it is not just a feeling that the danger of attacks on IT systems has increased significantly. According to the Threat Landscape Report produced by the European Union Agency for Network and Information Security (ENISA), the scope of almost all threats experienced in the IT environment increased in 2017.
According to Accenture’s Cost of Cyber Crime Study, the cost caused by cybercrime rose by as much as 27.2%, which in hard cash is around USD 11.7 million. Appropriate protective measures are in place to combat all these dangers, but it has long been clear that there is no such thing as perfect security. We talked to Dr. Klaus Schäfer, Head of IT at F24, about what matters in the event of an IT attack and why people are at least as important for IT security as the relevant technology itself.
Various studies show that the danger of being affected by a cyber attack has risen sharply. What is the reason for this and what are the consequences for companies?
Klaus Schäfer: “IT security affects every company today. The reason for this is the ever-increasing digitalisation of the business world. A worst case scenario for many companies today is the so-called DDoS (Distributed Denial of Service) attack, where a company’s service is made unavailable or overloaded so that it is only partially available. Hacker attacks primarily aimed at capturing or encrypting data can also cause a DDoS, and when your own company’s service is no longer available or the company is no longer able to operate at all, it can cost a lot of money.
At the same time the frequency of innovation is extremely high, especially in IT today. Securing oneself technically against attacks is becoming more and more difficult, since any technical protection mechanism will soon be outdated. IT managers can only gain control by being uncompromising in maintaining procedures aimed at constant and continuous security status verification.”
What does this look like in practice?
Klaus Schäfer: “When it comes to security in the procedural sense, people – meaning every single employee – play an important role. In most cases it is not the direct (technical) attacks from outside that are successful but those via an existing access, such as an employee. This is not meant as finger-pointing at employees. Human beings are by nature (in many ways fortunately so) not fully controllable. Most importantly, not everyone is always focused on IT security but generally on the actual task at hand. A little carelessness, a USB stick of foreign origin, and the damage is done. It is therefore important that employees are sensitised and regularly trained regarding IT security issues. Especially in small and medium-sized companies this is, unfortunately, often pushed into the background.”
Companies today need to be prepared for being affected by some kind of cyber attack at some point. What is important in an emergency?
Klaus Schäfer: “In an attack on IT the aim must be, on the one hand, to limit the damage and, on the other hand, to get the systems up and running again as quickly as possible.
The decisive factor here is communication – be it with employees to prevent the attack from spreading further, be it with customers or business partners or even with the public. Outsiders can, for example, be informed and kept up to date with a separate information hotline.
Communication with and amongst the teams of experts working on solutions also needs to be ensured. The basic rule is that communication must always be possible and, ideally, of course, be re-established as quickly as possible. Since attacks on IT often affect telephone connections too – keyword: Voice-over-IP – it is particularly important in such cases to be able to act independently of the in-house IT and communications infrastructure.”
F24’s own systems are therefore just as vulnerable to attacks as those of any other company. How does F24 protect itself against such attacks?
Klaus Schäfer: “FACT24 is explicitly designed for such cases and represents a kind of parallel world to our customers’ own IT infrastructure. In contrast to most other companies, this is our core business, and in terms of security and availability we have to be constantly up to date and working at the highest possible level. The time, personnel and financial resources this requires do not pay off for most companies. In this respect, we also rely on procedural and technical measures. This means that we are not only technically up to date – keywords: security updates, firewalls and so on – but our employees are also sensitised, educated and regularly trained outside of certification audits. All this forms the basis for FACT24 and is on our daily agenda.
In addition, F24 and the majority of its subsidiaries are ISO/IEC 27001 certified, which goes well beyond ISO27001 in terms of basic IT protection. We also have our systems regularly subjected to an acid test, both internally and externally, using professional penetration testing. Last but far from least, our systems are designed to be completely redundant. For example, even if one of our data centres were affected by a DDoS attack, our customers would continue to be able to use FACT24 to its fullest extent. That’s why we can give a contractual guarantee of 99.50% availability.”