Cyber attacks: the invisible threat

Cyber attacks: the invisible threat

November 30, 2016

Spectacular security loopholes make daily cyber-threats appear to be the norm. Most pitfalls remain undetected. Yet companies can take action to defend themselves.

Businesses must brace for further cyber attacks this week on a potentially “significant scale”, British intelligence officials have warned, less than 48 hours after the debilitating WannaCry infection swept across the world. According to the Financial Times and Europol data 200,000 computers across 150 countries are known to have been infected in the first wave of the WannaCry cyber attack.

In February 2017, British authorities arrested a suspect in connection with a cyber attack against German telecom provider Deutsche Telekom three months before. The attack had forced millions of private and commercial routers to their knees. Or remember the Stuxnet worm in 2010, which attacked a production automation system in an Iranian nuclear facility. We could think of numerous examples.

However, one thing is clear. Traditional value chains have lost their cyber-innocence. The radical digitization of production and products leaves manufacturing companies even more vulnerable to cyber-assaults.

Three developments sparked off the debate about data security.

Firstly, traditional IT is permeating every business process to an ever greater extent. Advances in the virtualization and digitization of business processes, electronic interaction in networks with suppliers and customers, and the consumerization of IT – the tendency to follow habits of use that stem from the world of personal smartphones and tablets – are driving this development.

Secondly, the public at large has become more aware of existing weaknesses. Managers outside the community of cloud services in Europe have become aware of the threats – thanks to incidents of stolen intellectual property in the context of industrial espionage, or the role the internet plays in geopolitics (e.g. the recent upheaval in Turkey, the Ukraine crisis, the "Arab Spring"). These examples have prompted decision makers to put the topic of data security high on their agenda.

Thirdly, numerous web-based digital business models have become established in relation to connected vehicles, e-commerce, e-health, e-energy and Industry 4.0, for example. Although traditional security management is a mature discipline in commercial IT circles, digital business models still raise new questions: Is enough being done in the development of connected vehicles to rule out unauthorized electronic access? Are the manufacturers of aircraft, power plants and production lines taking adequate precautions to ensure that embedded software components from third parties are innocuous? Is companies' most valuable intellectual property really safe?

We recommend the following checklist:

  1. Analyze where and how you are exposed to threats.
  2. Cultivate security awareness.
  3. Build security systems and processes with clearly defined responsibilities.
  4. Verify your company's compliance, both internally and in collaboration with suppliers.
  5. Change your organization's mindset. Nurture a philosophy that integrates security from the earliest stages of product design.
  6. Lead by example.

New digital lines of business often lack clear security guidelines, organizational principles and management tools. At the same time, preparing a business case for security is not easy. A few pieces of guidance and advice to companies and their employees can make a huge difference to data security. Don't overdo the rules and procedures. Leave a balanced measure of flexibility between the needs of your operating business and the requirement for data security. Ultimately, even when faced with potential threats, your company still has to be able to act quickly and flexibly on the markets it serves. More security must not come at the expense of agility.