Expert Interview: Cyber Security for Companies

Cyber Security Is Important For Every Business

exali:
Datenschutzkontor wants to prepare and sensitise small and medium-sized companies in particular for the increasing threats posed by cybercrime. How does this succeed?

Stefan Köster:
Through a lot of experience. I run Datenschutzkontor together with my business partner Andreas Bethke. We are both information security and data protection officers. We have a lot of customers – from small companies with two employees to large companies with 1.000 employees - we have already experienced a lot. We have not only seen attacks on customers, but we have also got to know a number of providers who conduct training courses on the subject of cyber security. The challenge is: How are these attacks carried out, and how can we raise awareness of this issue?

We came to the conclusion: We want to do things differently - without pointing fingers and without picking on users. Because how are people supposed to know about these issues? That’s why it is important for us to show how attack techniques work and what really gets through to users. For example, how do users recognise an email that might be used to launch a phishing attack?

We avoid overly technical details. For an employee in accounting, for example, it doesn’t matter whether it’s ransomware behind an encryption Trojan or a worm eating its way through the company. That’s not important here. We want to take technology and complexity out of the topic and also make things fun. That’s what is important to us. Yes, cyber security and awareness training can actually be fun. That’s our intention, and I think we’re doing quite well in terms of content.

Of course, the topic is particularly important for companies in the area of critical infrastructure, because some of them are even legally obliged to offer information security and awareness training for their employees in order to reduce risks.

Training in Everyday Work

exali:
You said it’s supposed to be fun. How do you manage that?

Stefan Köster:
We’ve created a fictitious company for training purposes - Krause Energie AG. In the training videos, the customers follow the protagonists (i.e. the fictitious employees of the company) in their experiences, gaining useful insights into the topic of cyber security.

Our training videos are structured according to the following scheme:

• Short videos lasting about three to five minutes
• Clear two-part structure: A story in which a cyber attack takes place and at the end an explanation of what the viewers can learn from this attack technique and what they should pay attention to in future.

So there is a little story that explains an attack and a lesson on how to hopefully avoid an attack in future. Of course, this won’t always work, but we are striving for gradual improvement. The people in our films are actors, we have a camera team and we write texts for them - they’re always funny productions that people can enjoy. That’s also important.

The Best Cyber Security for Companies is Trained Employees.

exali:
Company employees are usually the biggest gateway for cyber attacks. How can I make them aware of this and ensure they retain this awareness?

Stefan Köster:
Companies primarily use various technical measures for cyber security. You set up a firewall, install anti-virus scanners, protect your login processes... any number of precautions can be taken here. But the attacks we’re talking about here can’t be countered with technology alone. Because, a phishing email can manage to slip through these security barriers - and end up in a user’s mailbox.

The main risk is the attacks that are tailored to specific companies. Because cybercrime is no longer done by some shy teenager in a hoodie sitting in a dark little room somewhere. These are professionally organised companies with a human resources department that hires and fires people. The “employees” come to work at eight, take their lunch break and go home at 4 p.m. – this is how cybercrime works today.

These organisations are set up like a call centre with three-tier structures. The people who start the attacks are at the first level. For more complex actions, additional human and technical resources are added at the second level, and the third level takes care of collecting the money, for example from blackmail. That means hackers don’t work haphazardly. They precisely attack companies that they consider to be promising targets (also in the context of the current political situation).

We quickly run into social engineering in this context. That’s why we try to raise awareness among employees of at-risk companies that it’s not just about phishing emails but also about what people do in their private lives. How do they behave on social media, for example? Because these are precisely the typical sources cybercriminals turn to when it comes to targeting individual people within a company. That’s why it’s so important that this awareness of business vs. private matters really exists everywhere and that everyone is aware of what these attacks look like.

Cyber Security Requires Constant Awareness

Another problem is that companies typically offer cybercrime training once a year. Everyone is rounded up in the office or online and forced to attend the training. What happens? You sit in a training session for an hour and ask yourself whether it’s really that important. Everyone involved hopes to learn as much as possible from the training of course, but in everyday life you forget what you’ve learned almost immediately. The learning curve is steep and user awareness steadily deteriorates – just a short time after the training!

So that’s why we do things a little differently: We offer our customers a package with twelve films. Viewers get a three- to five-minute film every month. This duration can also be integrated very well into the daily work routine. This raises the average awareness level significantly over the entire year, as viewers are confronted with the topic month after month and ideally look at a new aspect of cybercrime each time.

We not only rely on classic attack training courses, but also want to embed the learning experience in an overall story in  future. Users follow the managing director of our fictitious Krause Energie AG throughout the year and participate in his experiences as part of a story, so they get excited about the next episode. It’s kind of like an early evening TV series.

exali:
You mentioned it before – front-facing teaching bores most people incredibly quickly. Especially since a lot of different people come together at such events. Inspiring everyone equally is anything but easy. How do you raise awareness in employees without boring them to death?

Stefan Köster:
We reduce the complexity. Instead of chewing through complicated processes, we convey a fun story that fosters attention and loyalty and that can also be followed all year round like an early evening sitcom. Back then, we asked the production team to make a sitcom like the Office. Our fictitious managing director of Krause Energie AG is always a bit unsure, but conveys the content in a charming and personal way, which we ultimately want to pass on to the viewers. I’m convinced that this is really fun for people - and that’s what we hear from the feedback. People like to watch these films because they’re professionally produced, have an entertaining story and the content is also well prepared. I think that’s a big advantage over other providers.

Cyber Security – Also for Supply Chains

exali:
We touched on the subject of social engineering earlier. These kinds of attacks are taking place more and more frequently and, unfortunately, often with great success – which is also due to the fact that for many companies protection against cybercrime ends at their own front door. Supply chains in particular are repeatedly ignored when it comes to security measures, leading to so-called supply chain attacks. What threats are companies exposed to here and how can they be prevented?

Stefan Köster:
This is precisely why we also address our offer to freelancers. A few years ago, a cyber attack took place at an American retail company on Black Friday, a time when sales are really strong. The hackers stole countless credit card data and caused the company 220 million dollars in damages. And this happened despite the fact that the company itself was very well protected against cybercrime and had the topic anchored in its DNA! The hack was carried out via a service provider, namely the air conditioning manufacturer. Of course, they had to access the individual air conditioning systems via network access for maintenance work. And that’s how the criminals got in instead of attacking the big retailer directly.

This supply chain attack shows very clearly that no one – including large companies – can continue to provide cyber security on their own. This means that companies also have to ensure suppliers have also implemented certain minimum security measures. Because within the supply chain, the weakest link is the person who makes themselves most vulnerable. I already mentioned at the beginning that attackers are no longer just individuals, but entire call centres. Their attacks aren’t just hit or miss, and if they don’t succeed at a company, they move on. Criminals are now able to successfully target their attacks over four or five levels.

Cyber Training As a Certificate

This is also evident in the automotive environment. There is a certificate here called TISAX. This certification indicates that the service provider of the car manufacturer can demonstrate a minimum level of cyber security. Automobile manufacturers have long since realised that they can’t guarantee this safety on their own and also have to require their supply chain to do so. I’m firmly convinced that this approach will also move beyond the automotive sector – this situation affects everyone and will also play a role for individual freelancers, start-ups and small trade businesses in the future.

That’s why we recently decided that we’re going to provide a self-service portal where freelancers and small businesses can also book a training package so they can show: “Hey, we take this issue seriously”. This is an important approach. Big companies above all want to avoid having to pay fines or suffer damage to their reputation. This is almost more expensive than the fines, which they can usually absorb somehow. Reputational damage is one of the biggest risks for companies. That’s why freelancers, like myself, don’t want to be responsible for their customers being hacked. If we instill this mindset in as many freelancers as possible, the whole world will be a little bit safer, and the “bad guys” who cause so many problems will have it a little harder.

Cyber Security Is Possible For Every Company

exali:
When you start working with a company, do you have a few tips anyone can do to protect themselves against cybercrime?

Stefan Köster:
If I could only recommend one thing from the cyber security toolbox to everyone, it would be multi-factor authentication. It’s actually a great way to significantly reduce attacks. Because attackers primarily target access data such as user names and passwords. For example, they either acquire higher and higher authorisations within a company, or they first move “sideways” on one level through different accounts until they have stolen the desired access data and are finally able to steal the data they want.

Multi-factor authentication is nothing unusual, especially in online banking. It’s quite common with this approach that I have to approve a transaction again separately via an app. And I can set up this same process for all my accounts. It works for Microsoft, Amazon, Google, Facebook - it doesn’t matter which services I have. That’s why my recommendation is: Use multi-factor authentication.

Otherwise, the usual things help: current updates, virus scanners, and questioning things. For example, if you get an email, you should stop and consider whether the content is actually plausible. There are quite clear characteristics by which you can tell whether it is a phishing email. This includes, for example, emails from unknown senders. BUT: even known senders aren’t necessarily secure – a cybercriminal can also fake something like that. So I recommend a healthy dose of suspicion.

I recently had an experience like this myself: I knew that a client was planning to create an account for me in his system. I received an email asking me to enter my username and password. But this email came out of nowhere a week later, leaving me wondering: Is it really from my client? There was nothing to suggest this email was actually sent by him. So I questioned the whole thing and decided to delete it. If the message was from my client, he would contact me again.

It’s better to be a little more careful, to question things. There are much meaner scams around now than the Nigerian prince who wants to leave you five million dollars. The attacks are very perfidious, so a high degree of caution is advised. That’s why you need multi-factor authentication, up-to-date virus scanners, firewalls, and a healthy mistrust of the things you are confronted with every day.