Where do you see the greatest dangers in the topic of security in data management?
“I see the greatest danger in the fact that management and employees still assume that security programs installed once and a one-time note on the subject of handling e‑mails will suffice forever to ensure that data, IT infrastructures and documents are secure within the company. But that’s not true. Everyone knows that their smartphone needs an update every few months. And that’s very important to all of us to keep our personal data protected. I don’t understand why companies that handle third-party data still look the other way so often. And this isn’t just about outside dangers, there are dangers lurking inside as well.”
What do you mean?
“Well, data doesn’t just need to be secure when it’s transmitted, it also needs to be secure when it’s managed. Unmaintained and outdated servers or IT infrastructures that have grown in an unorganized manner not only pose functional problems in issues such as synchronization, logging and compliance, but also in terms of system stability. Unfortunately, some companies do not react until the worst has already happened, i.e. the incident has already occurred and the systems have collapsed.
I can’t understand this, because much higher financial losses are to be expected here than if infrastructures and security are continuously maintained. Because in addition to having to rescue the entire system in such a case, not to mention the data, the company is paralyzed and no work can be done. After all, in some industries, just a few minutes of downtime can mean millions of dollars in lost revenue — not to mention image problems.”
So is it enough to keep the infrastructure up to date to guarantee security?
“No, that alone is not enough. IT security is always a combination of technology and manual attention. The best security system is of no use if the spam email is clicked on anyway. However, wisely timed security patches, for example, help protect against new types of viruses, Trojans and other hacking methods.”
So how can you tell when a security update is necessary?
“Unfortunately, you can’t give a blanket answer to this question. Because the world of hackers is acting ever faster and more sophisticated. It is not easy for people who are not familiar with IT to assess when a measure should be taken. However, hiring an external service provider to take care of such monitoring costs little on average each month, if you think about it: One incident in a medium-sized company can completely endanger its existence and that of its employees. External service providers offer a 24-hour service with appropriate monitoring, i.e. the systems are monitored with specialized technology and competent know-how. Adjustments always take place in consideration of the current DSGVO standards and techniques. IT security is a toolbox that can only be handled properly by professional providers.”
You mentioned “manual attention” before, what do you mean by that?
“Well, this concerns management levels and employees in a company — in other words, people. Basically, they should know about current dangers and be able to recognize them concretely. For example, we offer a special training and testing program called Awareness Plus. Participants are given an overview of what fake mail templates can look like — industry-specific. Be it for public authorities, medical practices and clinics or consumer goods manufacturers. The types of presentation differ greatly here. In addition, as part of Awareness Plus, we analyze sensitive areas within a company where there may be a need for additional training, and then provide support here as well.
With the program, we make employees and management levels aware of the latest forms of fishing e‑mails, trends and developments in cybercrime, so that they can keep a watchful eye on data management in their day-to-day work. This important building block in IT security makes sense and is affordable for every company. Here we’re talking about a commitment of five euros per user per month compared to the financial damage if an incident occurs or data is stolen.”
Do you have another SOS tip on what to do in the event of a hack?
“Turning off the computer or unplugging it is one option, but it doesn’t help. Unfortunately, this is often a knee-jerk reaction by users in the hope that nothing else will happen. But the Trojan or worm eats its way through the system at the back end. The fatal thing: In this case, it is not possible for us to trace the course of the incident at a glance. However, this would be necessary to find the vulnerability. Instead of simply switching off, please take your current IT emergency plan to hand and proceed according to these procedures. The most effective and quickest action here is taken by an experienced professional, because he knows every move that is necessary at such a moment off the top of his head.”
