How vulnerable is corporate data?
Governmental and private agencies regularly try to record the global threat situation and present it appropriately. From this representation, trends can be read that allow management to get an independent picture before they proceed to map the information gathered there with their own corporate data and to their own company.
The view of the constitutional protection agency on corporate data
The state offices for the protection of the constitution, which deal specifically with the topic of industrial espionage, have for several years been touring companies without interruption, presenting their assessment of what is going on in the area of professional data theft. The figures they present are indeed quite impressive. It is not only the concrete examples they use that matter, but the fact that the number of uncovered state espionage operations is growing exponentially and that, in their opinion, many states, faced with global competition in the economic sector, see no other way to help themselves than to steal the information they need. In contrast to the past, it is no longer only the very large companies that are affected; rather, the focus is shifting to small and medium-sized enterprises. Companies with a few thousand employees that lead their sector technologically are becoming targets. According to the Federal Constitutional Protection Service, the entire range of attack possibilities is used to achieve these goals. This ranges from attacks via the Internet, to Trojans developed specifically for one attack, to espionage carried out locally by student assistants or diploma students.
A quote from the website of the Baden-Württemberg Office for the Protection of the Constitution puts it this way: “The constitutional protection agency sees internet-linked attacks on networks and computer systems of companies and government offices as the most dangerous threat in the area of industrial espionage at present.”¹
The agency also provides assistance: it refers to the writings of the Federal Office for Information Security (BSI), and there, in turn, IT security management is described as the process that must be introduced to ensure the security of one’s own know-how and thus the continued existence of the company.²
If it becomes necessary to back up mostly abstract threats with data and facts, then the rather general suspicions and the few concrete examples offered by the constitutional protection agency will, in case of doubt, not be enough to get the funds approved that are needed to build up a modern IT security management. For this purpose, some sources on the internet are helpful, which have been trying for years to collect incidents and present them statistically. The basic problem with this is that no one likes to talk about having been the target of a successful attack. Fear for one’s own reputation, or the worry of being sued if data entrusted by others has also been stolen, do the rest.
The damage of going public is thus often estimated to be higher than the benefit of reporting the incident. This is also due to the fact that the percentage of solved incidents is vanishingly small. While large, high-profile incidents are also pursued by government agencies, small companies are often left to investigate on their own. Even today, the vast majority of police forces are not equipped to a level that would enable them to take successful action themselves.
A second important reason why many incidents are never made public is that they are simply not discovered. Estimates suggest that as many as 90% of all incidents go unnoticed. This is because systems for detecting security incidents, so-called intrusion detection systems (IDS), are used in only a few companies and, due to their complexity, rarely deliver consistently useful results even there. In addition, such a system is only one building block on the way to introducing an IT security management process. Without corresponding processes into which an IDS can be integrated, successful use is almost impossible.
For understandable reasons, the analyses of the various institutions are not suitable when it comes to deriving concrete information from the available statements that can be mapped one-to-one to one’s own company. However, this is not always necessary. In most cases, the information gathered there is sufficient to read off a development and to derive one’s own conclusions from it as far as the prioritisation of topics is concerned.
Studies since 2010/2011 show the development of the threat of malware in comparison to the threat of phishing since 2005. While malware was the biggest problem in 2005, this was reversed in 2007. Since 2015, the spectre of “CEO Fraud” has been doing the rounds, and several well-known companies have since been tricked by fake emails into transferring large sums of money to thieves. From 2017 onwards, a fairly new discipline was added to this problem, so-called extortion software (ransomware), which has caused considerable technical damage. This type of attack in particular offers quite a good living at very low risk, and attacks of this type are therefore carried out in a partly highly professional way. All types of attacks are now being carried out increasingly professionally, and the number of targeted and thus tailored attacks has increased massively since 2019. Accordingly, the amounts of damage are also increasing.
What is becoming apparent is that it is not enough to respond to this bouquet of attack types with individual measures. Awareness of the currently greatest danger is still derived from studies, from reports in film, radio and television, and from the advertising of the security industry. What is quickly forgotten is that studies are written over longer periods of time, and even if a trend emerges, the reaction time would be too long to respond specifically to each shift in the means of attack. What can be read off in any case, however, are the main attack routes and thus the main threats, and the IT security processes can be aligned accordingly. For every person responsible for IT security, it follows that only comprehensive IT security management, which takes into account all threats and all associated attack vectors, can guarantee a transparent and reliable level of security.
The company’s own perception
How safe does one feel in the company? How do you realistically assess the threat situation? Is someone or something really after the company’s know-how and trying to get at it? Countless companies ask these questions, and they have one thing in common: objective answers can only be given in individual cases, and therefore companies answer them based on a subjective perception. This also explains the phenomenon of why every major case of malware or data theft that is exploited in the media triggers a burst of cross-industry activity among widely known companies. A short time later, when the media have already moved on, many of these actions come to nothing, are discontinued for cost reasons, or are only pursued on the back burner.
In order to get an approximately accurate picture of reality, it is therefore necessary to know and evaluate as many facts as possible. The analyses of the constitutional protection agency and statistics from independent companies, combined with the results of logs from one’s own firewall and one’s own IDS systems, provide a snapshot that can serve as the basis for the security strategy. This combines information that depicts an average with information that describes actual, individually occurring events.
This is where awareness measures come in. In a top-down approach, the individual decision-making levels are continuously informed about the threat situation, if possible with fact-based material. This creates a basis for moving from reflexive reaction to proactive action. The state that is then achieved and the defined further course of action as well as the underlying goals can then be described as an IT security strategy.
Notes in German:
This article is an excerpt from the new book „IT Sicherheitsmanagement“ by Thomas W. Harich. All information on the book, the table of contents and a free reading sample can be found here at mitp, the specialist publisher for IT, business and photography.
Thomas W. Harich
Thomas W. Harich works as Head of Information Security at the large German industrial group MAHLE. He also works as a lecturer and IT consultant. His focus is on the creation of IT security concepts and their practical implementation in an international IT environment.