Cyber Security Risk Report by MHP and LKA BW
Sophisticated attacks require the expansion of preventive measures
By Andreas Henkel
Every second company has been the target of a cyber attack in the last two years. Therefore, a comprehensive risk assessment and a planned reactive incident treatment are required. But this is exactly where there is a considerable need for optimization.
This assessment is based on the current Cyber Security Risk Report 2021 by the management and IT consultancy MHP and the State Criminal Police Office of Baden-Württemberg (LKA BW). In addition to qualitative interviews, the report draws on the responses of 314 participants from companies in different economic sectors. Optimization potential was derived from the survey of the status quo, which led to eight recommendations for action.
More than half of the companies refrain from comprehensive risk assessment
From our point of view, a comprehensive risk assessment is one of the most important fields of action for minimizing the risk of cyber security incidents in companies as a preventive measure. However, a suitable assessment of risks can only be made if the relevant aspects are considered and analyzed in detail beforehand. In our experience, these include attack targets, the current threat situation, trends and statistics, attack paths and tools, and potential attackers. Only 40 percent of the companies surveyed consider all of these aspects when analyzing IT security-relevant risks; more than half do not carry out a full risk assessment. From our point of view, such an assessment is essential in order to derive and implement suitable security measures. All aspects included in the risk assessment should therefore be continuously reviewed and adjusted, and additional aspects added where necessary.
Preventive risk treatment can be expanded
The good news: the majority of companies implement basic preventive measures such as password security (84 percent), malware protection (79 percent), backup strategies (78 percent), event-related monitoring (72 percent) and segmentation and/or the assignment of rights within networks (72 percent). Even though these figures look promising, the measures can still be expanded:
- Password security can be improved, for example, through multi-factor authentication: a password is supplemented by one or more additional factors, or in special cases replaced entirely.
- Stronger protection of e-mail communication is required, as it is still often the gateway for attacks. The attackers' main focus is on communication, administrative and personnel data as well as key financial figures. Data on corporate strategy as well as production, logistics and product data should also be prioritized for protection. Regular review of access rights and control over where data is stored can provide an initial remedy.
- Suitable backup strategies should generally include backups on different media that are kept disconnected from other IT systems. In addition, we recommend that backups ideally be stored at a different location in order to protect data effectively from physical hazards such as fire.
From a preventive point of view, a high level of awareness among employees is indispensable, as they are often a primary target of attack. Accordingly, staff must be trained regularly. Specific content such as the handling of security software, social engineering and the private use of social media should be given more focus. In our opinion, there is high optimization potential especially with regard to social engineering, since this type of attack accounts for almost every third attack. In such an attack, a person poses as an authorized employee of a company in order to issue instructions in that employee's name, for example by e-mail to transfer large sums of money or to release internal information. This can lead to significant damage to the company.
Reactive incident management – active involvement of the police authority
If an incident occurs, the right steps must be taken quickly. However, this only works if corresponding plans exist and procedures and responsibilities are known. Planning for reactive incident handling is therefore essential in order to respond as quickly as possible to the consequences of IT security-relevant incidents. This includes, among other things:
- maintaining operational capability as far as possible,
- closing security gaps and restoring operations, and
- informing and actively involving the police authorities in IT security-relevant incidents.
Just half of the participants surveyed rely on the support of the police authority. However, investigations by a police authority can often lead from a single incident to a large number of other potential attacks. Involving the police therefore not only supports the company's own incident management, but also, at best, leads to notification and thus to the protection of other companies. It is also important to prevent companies from taking the wrong approach when restoring backup data. There should likewise be plans for reporting the incident, ways of responding, measures to maintain IT operations, and a plan for rebuilding IT systems. These plans must remain accessible in an emergency, for example during a ransomware attack in which data has been encrypted, so that the steps and measures they provide for can be initiated quickly.
From our experience, IT security incidents can be managed in a targeted manner if organizations prepare in advance. This means not only developing risk awareness, but also regularly playing through various worst-case scenarios, repeatedly and step by step. Only then do potential gaps become apparent that could otherwise have a serious impact on the company.
About the author: Andreas Henkel is an Associated Partner at MHP Management- und IT-Beratung GmbH and supports its clients in the strategic and organizational orientation of cyber security initiatives in an increasingly complex networked world with increasing geopolitical tensions.