Cyber Resilience 2024

How companies can protect themselves against cyber threats

Ransomware, phishing, AI threats: the cyber threat landscape is changing. Taking this into account, Franziska Hain gives an insight into her expertise – explaining how companies can deal with new regulations and which cyber resilience plans can help them to protect themselves.

Ms. Hain, cyber attacks on companies are on the rise. What threats should companies be looking out for in 2024?

Cyber threats are constantly evolving – which can also be seen in the reports from the German Federal Office for Information Security (BSI) and the European Network and Information Security Agency (ENISA). We are facing an increase in sophisticated attacks, such as persistent threats from state-supported hackers, targeted ransomware attacks against vital infrastructures or AI-supported phishing operations with amazingly authentic identity deception. In these circumstances, I believe it is particularly important to invest in the security of artificial intelligence systems in order to strengthen our own digital sovereignty and effectively counter new threats.

Artificial intelligence is an important keyword. How can companies guarantee the security of their AI systems and verify the authenticity of their generated data?

Although AI systems are based on complex algorithms, they are ultimately just program code. Like any critical software, this must be secured. Furthermore, the challenge lies in ensuring the integrity of AI products. Quality assurance without a benchmark requires innovative methods, such as advanced anomaly detection – this makes it possible to quickly identify deviations. It is also crucial to protect the data input from unwanted changes to ensure the reliability of AI outputs. The visualization of impurities or manipulations in the output requires transparency in the processing procedures and advanced techniques for verification.

Could you give an example of how an attacker could compromise the function of an AI and what protective measures should be taken against it?

Let's assume that an undetected attacker infiltrates an AI system with manipulated data and thus falsifies the empirical data basis. The AI system then uses this erroneous basis to generate findings - which could be used as the basis for critical decisions. To prevent this, companies need to safeguard their data inputs, for example by introducing control mechanisms that check the authenticity and quality of the data. They should also regularly recalibrate their AI models and check for irregularities in the results in order to minimize such risks.

What else would you advise companies to do in order to protect themselves against any cyber attacks?

Companies need to recognize that the traditional approach of risk analysis and treatment and the implementation of an information security management system are no longer sufficient. Rather, it is now equally important to build up resilience in the event of an emergency so that you can react quickly and effectively to incidents – i.e., a so-called cyber resilience must be established.

How do you build this kind of cyber resilience?

First of all, we see that there is a great deal of fear concerning cyber incidents and their devastating effects. At the same time, companies are reluctant to tackle the issue and do so inadequately. This is where the first step needs to be taken. Decision-makers need to empower themselves to perceive, assess, and treat cyber risk as a business risk. The objective of being able to rely on the effectiveness of one's cyber resilience correlates with the willingness to make investments.

So how can such an implementation be done quickly and easily?

We always advise our customers to train realistically for the event of an emergency. Crisis simulations are not just exercises, they often turn out to be rehearsals for reality in the company. They prepare the teams and help them recognize and manage the unpredictable. In our simulations, we like to start by asking a key question: "What should I do if a cyber attack paralyzes my IT tomorrow morning and data is compromised?" Answering this question must be a priority within a company’s information security strategy and is more important in an emergency than the best policy document.

Speaking of guidelines: What new regulations and laws do companies need to pay attention to?

Above all, companies now have to deal with the regulatory requirements of the Directive on the Security of Network and Information Systems (NIS) and the Digital Operational Resilience Act (DORA). The EU Data Act will also play a central role. The Act will regulate fair access and use of data in the future and strengthen data sovereignty, which means that companies will not only have to protect their systems, but also carefully rethink the way they manage and share data.

How will DORA affect information security in companies?

If a hacker, a criminal organization or a state-organized group succeeds in carrying out a cyber attack in such a way that a critical number of increasingly digitized processes in financial companies are impaired and the interdependencies between them lead to instability in the financial markets, e.g. due to liquidity bottlenecks or a loss of confidence in the financial markets, then the cyber risk is to be understood as a systemic risk. The Digital Operational Resilience Act is an answer to the question of how to avoid cyber systemic risks. Against this background, it is consistent that DORA also places requirements on the information security of critical ICT service providers commissioned by financial companies. As critical ICT service providers are now under the supervision of the EU supervisory authorities (European Supervisory Authorities - ESAs) for the first time, it can be assumed that they will invest even more consistently in establishing and maintaining information security. This will benefit not only the financial sector, but all companies that rely on the same ICT service providers. Overall, a relevantly higher cyber resilience can be expected as a result of DORA.

The new directives may be helpful for companies, but they also bring additional hurdles with them. Won't more regulation become a problem for small and medium-sized companies?

I am convinced that these investments are worthwhile. It's not just the financial companies themselves that will benefit, but also SMEs that use the same ICT service providers. This could also lead to improved insurability in the field of cyber insurance. At the same time, the quality of implementation will depend on the audit capacities of the supervisory authorities. As a result, achieving compliance with DORA will extend over a longer period of time, well beyond January 2025.

Is there a loophole for companies to escape the regulations - for example by playing for time?

No, there is no leeway when it comes to regulation - it must be budgeted, implemented and compliance must be ensured. It is advisable to work out the added value for your own company and make use of the regulatory framework. By making intelligent use of regulatory requirements, companies can improve their security standards and gain a competitive edge at the same time. This is not just about implementing guidelines, but about integrating resilience into the corporate culture in a sustainable way.

Let's assume that I have built up some good cyber resilience in my company. Am I now completely safe?

Unfortunately, it has long since become impossible to completely prevent cyber attacks. Let me remind you yet again: cyber resilience is not just about prevention, but also about building response capabilities. Companies need to develop strong detection and response capabilities in order to recognize and fend off cyber attacks at an early stage before a catastrophic event occurs. However, cyber specialists are often also needed to provide support. The skills and knowledge required for this are extensive and highly specialized. It is often not economical or practicable to keep them available in the company and to keep them up to date in the constantly changing world of attacks. This makes it all the more sensible to obtain this specialist knowledge from outside - for example by using our cyber incident response and forensic services.

What exactly does such a specialist service involve?

I can obviously only speak for BDO here: As a client of our BDO Cyber Incident Response & Crisis Center, companies have 24/7 access to a team of cyber experts with specialist technical knowledge and crisis management skills as well as the necessary legal advice on data protection and liability issues. And our specialists are tried and tested. They are often familiar with the malicious code used, while also being able to predict the course of the crisis situation and knowing negotiation strategies, for example meeting the blackmailers at eye level in a ransomware case.

In summary, what steps do you think are essential for companies to act confidently and autonomously in the digital world?

Increasing digitalization and the advancement of technologies such as AI are currently having a massive impact on social developments and are a key driver of innovation. However, companies are also facing the complex challenge of asserting themselves in a networked and thoroughly technologized world. It is essential for them to protect their data and know-how and to design secure digital infrastructures.
An important key element here is the transparency of software supply chains, as supply chain attacks are the most common type of cyber attacks after ransomware attacks. The BSI's Technical Guideline (TR-03183) on cyber resilience supports this with a concept for a "Software Bill of Materials" (SBOM) to document which commercial and free software solutions are used in software products and which dependencies exist with third-party components.

In addition to the secure design of supply chains, the use of products which have the German IT Security Association’s seal of approval (TeleTrusT trust mark "IT Security made in Germany") also contributes to the secure design of IT infrastructures. Products with this label have been extensively tested and classified as trustworthy IT security solutions without a hidden backdoor. In addition, companies should always apply a zero trust philosophy when designing their processes and infrastructures. Unlike traditional security approaches, this approach assumes that, in principle, no user, device or network is trustworthy and that they all pose potential security risks. Derived from this, the concept relies on minimizing authorizations, continuously checking the identity and status of users and devices, strict authentication and authorization and consistent network segmentation.
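To make the SBOM point concrete, the following added example (not from the interview, BDO or the BSI guideline) reads a constructed CycloneDX-style SBOM, resolves the transitive third-party dependencies of a product, and reports the components whose provenance cannot be verified. The JSON layout ("components" with "bom-ref", "dependencies" with "ref"/"dependsOn"), the product name and all component names are assumptions for illustration.

```python
"""Audit a constructed CycloneDX-style SBOM: which third-party components does the
product actually pull in, and which of them lack a version or a supplier?"""
import json

# Constructed sample SBOM for a hypothetical product "acme-portal" (not real software).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "acme-portal", "name": "acme-portal", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:web-fw@2.1", "name": "web-fw", "version": "2.1", "supplier": {"name": "Example Foundation"}},
        {"bom-ref": "pkg:json-lib@1.0", "name": "json-lib", "version": "1.0", "supplier": {"name": "Example Foundation"}},
        {"bom-ref": "pkg:crypto-util", "name": "crypto-util"},            # no version, no supplier
        {"bom-ref": "pkg:unused-tool@0.9", "name": "unused-tool", "version": "0.9"},
    ],
    "dependencies": [
        {"ref": "acme-portal", "dependsOn": ["pkg:web-fw@2.1"]},
        {"ref": "pkg:web-fw@2.1", "dependsOn": ["pkg:json-lib@1.0", "pkg:crypto-util"]},
        {"ref": "pkg:crypto-util", "dependsOn": ["pkg:ghost"]},            # not declared in "components"
    ],
})

def load_sbom(text):
    """Return (root bom-ref, components by bom-ref, dependency edges by bom-ref)."""
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return bom["metadata"]["component"]["bom-ref"], comps, deps

def transitive_deps(root, deps):
    """Depth-first walk of the dependency graph; the seen set also stops cycles."""
    seen, stack = set(), list(deps.get(root, []))
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(deps.get(ref, []))
    return seen

def audit(text):
    root, comps, deps = load_sbom(text)
    used = transitive_deps(root, deps)
    return {
        # reachable components without version or supplier: provenance cannot be checked
        "unverifiable": sorted(r for r in used if r in comps
                               and not (comps[r].get("version") and comps[r].get("supplier"))),
        # referenced by the graph but never declared: the SBOM is incomplete
        "undeclared": sorted(r for r in used if r not in comps),
        # declared but never reached from the product: likely stale entries
        "unreferenced": sorted(r for r in comps if r not in used),
    }

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SBOM), indent=2))
```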