Almost every week there are new reports of possible threats or of attacks by hackers that have already taken place. Some articles are poorly researched or sensationally worded; others simply lack depth and/or the correct classification. For someone who is not an IT security expert, these reports can be disturbing and leave you feeling helpless. We often hear sentences like: “Oh, if they want to hack me, there's nothing I can do about it anyway ...” This sentence is fundamentally incorrect. The worst idea is to bury your head in the sand and do nothing!
Companies like to trust the IT department or the external service provider to take care of IT security. This is justified in many cases, but it is often overlooked that these departments are usually already fully occupied with day-to-day business. IT security involves a lot of effort, and resources are limited.
Sometimes dealing with IT security is not very rewarding: when work processes change or users and management perceive new restrictions as a result of IT security measures, the IT department faces everything from incomprehension to hostility — but rarely praise for implementing security measures that were long overdue. On top of that, unlike most other projects, IT security is not visible.
We basically divide the culprits into the following groups:
The majority of attacks are carried out by so-called script kiddies and copycats. These groups of perpetrators often have little skill and few financial means, which is why it is relatively easy to build an adequate level of protection against them.
A suitable level of protection can also be established against experienced individual offenders and organised groups. In general, these are driven by commercial interests. So you can ask yourself whether your company is of interest to these two groups: if a lot of research, development or distribution takes place via the Internet, the answer is yes. You should also be careful when large invoices or money transfers are handled via the Internet. In that case you should definitely introduce suitable protective measures and raise the level of protection accordingly. In addition to the groups of perpetrators, there are other factors that currently make the IT world unsafe. The three main points are:
Easy access to information.
Due to the easy availability of information on the Internet, interested people can quickly acquire basic hacking skills through self-study. This produces many hackers with only rudimentary knowledge, the so-called script kiddies. There are also natural talents among them, to be found in any child's bedroom with an Internet connection on every continent.
More and more devices with an associated app are being brought to market. An item that is not connected to the Internet and has no app is now often regarded as backward. This trend means that companies plunge into product digitisation without adequately considering the IT security of their products. Companies are simply under pressure to produce connected or “smart” products: from bathroom scales to intelligent refrigerators or light bulbs to production systems — everything communicates via the Internet. However, these products are often insufficiently secured! Too little budget for software development and poorly trained programmers are the root cause of most of today's security gaps.
There are countless standards for secure programming and the secure operation of networked IT systems, but they are applied only to a small extent. Often there is simply no incentive to use them. Such standards are usually only taken seriously once a company has been attacked itself or such gaps have been uncovered. An architect who does not comply with the current building regulations and standards quickly loses his licence. Anyone who sets up an IT infrastructure or develops software is currently free of any such mandatory requirements.
In 2014, cybercrime overtook illegal drug trafficking in worldwide turnover. It is simply the more profitable business. As a result, supply and demand will continue to grow.
The fact is: there are many attacks by hackers, and there will be more. The majority of these attacks can be countered by relatively simple IT security measures.
IT security must be firmly integrated into your company and its IT processes. This applies regardless of the size or sector of your company. The smaller the company or the IT infrastructure, the lower the effort required for IT security.
The following steps are necessary for secure IT in the company:
1. Determine the actual status of your IT: A penetration test helps immensely.
2. Create an internal or external position for IT security: An IT security officer.
3. Establish the respective processes with the help of IT security management.