An article by Thomas Tschersich, Chief Security Officer at Deutsche Telekom AG and CTO/CSO at Deutsche Telekom Security GmbH.
SolarWind, Kaseya, Colonial Pipeline or the attack on the Anhalt-Bitterfeld administrative district: the fear of a cyber-attack is growing in companies and authorities. And the hope of soon finding powerful allies in blockchain and AI. Forget it.
I am a nerd. When I'm digitally immersed, I can sometimes forget about time. I'm excited by new digital technologies. But it pisses me off when so many only play buzzword bingo. That we have to juggle blockchain, AI or the edge cloud in a single sentence in order to be heard at all. When it comes to cyber security, I even find this careless. No, companies don't need AI to secure their computers. They don't need to wait for the blockchain to seal off their data against unauthorised access from the outside. It's enough if everyone does their homework.
"If we immediately installed the security updates offered to us, we could certainly reduce the attack surfaces by 95 percent. This applies to private users just as much as in the corporate environment."
To achieve a higher level of security, companies do not have to work their way through the digital hype themes. They just must not close their eyes to the potential dangers. The most common attacks are still automated attacks. Cyber criminals make it easy for themselves and exploit known security holes in servers or web applications. Relatively little effort is required to prevent the majority of these attacks. Known processes and technologies are sufficient - they just have to be applied. With considerably more speed than before.
Apply security patches faster
According to our findings, an average of 150 days passes in German companies between the discovery of a vulnerability and the application of a security patch. That's 3,600 hours in which a potential attacker can look around your systems and copy or encrypt your data. He doesn't even have to sneak in through the back door, because doing nothing literally invites him to do so.
The most recent example: On 10 December, a security vulnerability was discovered in Microsoft's Exchange Server. Microsoft made a patch available at the beginning of March with which companies could close the gap. Nevertheless, thousands of Exchange Servers have been compromised since March. According to the BSI, some federal authorities are also affected. And even with the Conficker worm, a dinosaur from 2008, thousands of computers are still infected worldwide today. Why? Because many companies are unfortunately too lax in patching their systems.
Security: a question of psychology
For me, IT security is primarily a question of psychology. We have to create an awareness of its importance in the companies. Security teams should motivate their colleagues to support them in the field of security. What is a good indicator of motivation? By how employees react when the window for a security update pops up during work. We security people have only done a good job if the majority immediately clicks on "Install now". Or if we simplify the whole procedure: At Telekom, we are moving towards simply installing the critical security updates automatically.
No one can reduce the statistical probability of becoming a victim of a hacker attack to zero. But everyone can significantly reduce it.
1. train the security awareness of your employees
Raise your teams' awareness of the issue of security. They should see themselves as trainers of the employees and the management. Offer guidance and assistance. Motivate your employees to report mistakes. At Telekom, we focus on short channels and have therefore set up a so-called CERT mailbox for error and hazard reports.
2. upgrade your technology
Are you still using outdated operating systems? Do you have an eye on your shadow IT? Is your technology up-to-date, standardised and simple? Poorly configured infrastructures are always a risk factor.
3. Invest in offline backups
You should protect your most important data with a backup. This backup must always be up-to-date. Do not connect it to the company network under any circumstances. Attackers could otherwise also encrypt it.
4. review your processes
Security certificates alone do not provide sufficient protection. You must regularly check whether the processes necessary for cyber security are established. Only if security is simple and integrated will it be practised. And does not remain a mere add-on.
5. monitor your systems
Almost every system writes log data in which deviations from the norm can be quickly and easily detected. With their help, companies can detect the first steps of an attacker at an early stage. But the best log data won't help if no one looks at it.
6. Establish an Incident Management
There is no one hundred percent protection against a cyberattack. Therefore, you should limit potential consequences with an emergency plan. Practise regularly so that your company does not lose time in an emergency. At Telekom, our experience with this has been good: we were never in crisis mode during the pandemic because we had incorporated experience from swine flu into our emergency plans.