Cyber attacks pose a significant challenge for SMEs. It is not only in the midst of the current international tensions that it is necessary to take the most critical protective measures. But numerous companies underestimate the risk and have no risk strategy.
Risk Management: How can IT risks in medium-sized companies be correctly assessed?
Cyber attacks pose a significant challenge for SMEs. It is not only in the current international tensions that it is necessary to take the most critical protective measures. But numerous companies underestimate the risk and have no risk strategy.
The (not only) pandemic-related triumph of online trade and the current dangers of a cyberwar throw a unique light on the condition of the IT systems in companies. For many medium-sized companies, e-commerce during the pandemic is an opportunity to open up new sources of income, compensate for the decline in traditional trade, or expand existing revenue. As a result, these companies, for whom dealing with online shops was not only unfamiliar but still offer new experiences today, have created new targets for attacks from the Internet.
While a security breach can result in significant fines, disruption of business processes, and sometimes major damage to a larger company’s image, it can result in going out of business for smaller companies. Because they often do not have the financial reserves to survive a cyber-attack. This is also confirmed by a study by the Federal Office for Information Security ( BSI ): 1 in 4 cyber attacks have serious or existence-threatening consequences for medium-sized companies.
The Data Breach Investigation Report shows that smaller companies with up to 1,000 employees now significantly outnumber larger companies with more than 1,000 employees (819) in the number of verified breaches (1,037).
Therefore, it is advisable for medium-sized companies to immediately inspect security protocols, IT risk management, and security equipment and make suitable investments in IT security. Without these inspections, companies run blindly into the arms of Internet attackers. New working guidelines should also be introduced. Whether there is a written strategy to prevent possible interruptions to operations due to cyber attacks or to initiate quick recovery should be checked.
The basis of everything is to understand the cyber risks and find out exactly where the high-risk spots are located in the company. Because this is of crucial importance for the continuation of operations in the event of a crisis, unfortunately, this is a daunting and time-consuming task. Fortunately, industry-specific national organizations provide regulations and frameworks. This includes regulatory standards such as ISO 27001, IEC 62443, and the NIST frameworks. Federal security authorities such as the BSI also offer guidance.
Tip 1: Security strategies should explain how they meet the requirements of compliance regulations.
User account control and security top the list of IT risks. External service providers and internal administrators, for example, often have privileged access to critical applications and systems. These accounts are a prime target for cyberattacks (keyword identity theft). Because with just one key, an attacker can extract, manipulate or encrypt essential data and penetrate deeper into the infrastructure and operations. Suitable tools offer the protection of privileged accounts.
Tip 2: The access data to critical systems should not be known to users but should be kept in a secure “password vault” and changed regularly. Technologies such as multi-factor authentication (MFA) exist for secure user authentication. By managing all privileged accounts from one centralized solution, MFA is a big step towards robust cybersecurity.
Cooperation and exchange with highly critical systems, especially privileged users, represents a very high risk. Because intentional or unintentional incorrect action can result in significant damage. Typical examples are complete system failure, malicious code infection, or confidential data leakage.
It should be ensured that interactions with critical systems do not violate the security specifications and are fully traceable. In this way, manipulative interventions in data integrity can be recorded, prevented, and reported immediately.
Tip 3: Based on risk classes, concrete rules and monitoring systems should be defined and implemented to control the scope of action on critical systems in real-time and thus make them auditable
All privileges at the user, application, or process level should be revoked to prevent users from damaging the infrastructure. This drastic measure can significantly impact user productivity if access rights to essential resources are no longer sufficient. But with the proper security measures, productivity should not be limited.
Balancing security and productivity requires applying the principle of least privilege. Based on user and system profiles, only those privileges are granted that are necessary for smooth work without accepting restrictions. It must be precisely defined in advance, which each user can access. All other applications, tools, and data are not visible to him and, therefore, not to the attacker if he gains access. He cannot attack what he cannot see.
Tip 4: The privileges of business applications should be rolled out to user and machine profiles through valid sets of rules, for example, created by the HR department in cooperation with IT.
The principle states that no one, even once privileged users, should be automatically trusted. Because even employees with high privileges can run wrong commands on the faulty critical system, it’s often not their fault because the scams using sophisticated phishing measures are becoming increasingly difficult to detect. It’s easy to fall for. In addition, there are also employees, even if many companies do not want to admit it, who want to take revenge on the company. These are often the most significant security risk.
Therefore, the following applies in principle: Users must always be securely identified (proof through solid authentication) and adhere to the house rules (specific rules for the respective “risk class” of the system to be protected).
Tip 5: Companies create such sets of rules in two steps. You start with the classification of the critical systems (e.g., risk class 0 for extremely high risk and maximum restriction of access to it). Only then do they create the regulations for the respective risk classes.
The secret of success: deal with the risk!
Since medium-sized and small companies are more susceptible to cyber attacks than large companies, and the consequences can be fatal for these companies, proactive investment in an IT risk management strategy is essential. The focus is on protecting privileged users and privileged access. If companies take suitable measures early, they significantly reduce the risk of their infrastructure being endangered. Hence the call: Start planning your strategy and use a sufficient budget for implementation. Such allocations are ultimately more minor than the damage caused by a successful attack. In the end, it pays off.
Also Read: Cyber Kill Chain: How Cybercriminals Penetrate Corporate Networks