With the digital revolution, the future has well and truly arrived in the business world – be it through almost limitless networking possibilities or the ability to work virtually anywhere. By using the very latest in IT solutions, however, future-oriented companies are becoming increasingly dependent on technology. As companies shift every aspect of their business from the analogue to the digital world, they provide hackers with more and more targets for cyberattacks. And then there is the human risk factor: a single careless act can jeopardise protected infrastructures, be it through the use of insecure passwords, opening an email with an infected attachment or link, or the (accidental) disclosure of information. Increasingly complex attacks call for increasingly professional technologies to defend against the sophisticated methods employed by cybercriminals. According to a study, the question is not so much whether a company will suffer a cyberattack, but rather when and how the attack will take place – and how serious its effects might be. Good risk management, strong technical and organisational measures, and a careful strategy are therefore all the more important for cybersecurity within companies!
Types of cyberattacks
A cyberattack is a malicious attempt to compromise IT systems. By launching a targeted attack on a specific information technology structure, hackers or criminal organisations attempt to plant malware inside IT systems in order to cause damage. While some attacks are politically motivated, many hackers are driven by the desire for financial gain when stealing data. Selling stolen data or extorting ransoms can be quite lucrative.
Cyberattacks come in many different forms and are becoming more and more sophisticated. Most attacks are highly complex, making traceability very difficult.
Among the most prominent means and methods for cyberattacks are:
- Spam emails
- Malicious software (malware or junkware)
- Drive-by exploits
- Brute force attacks
- DDoS attacks
- Phishing emails
What threats are associated with cyberattacks?
The goal of most cyberattacks is to steal data, and personal data is of particular economic value, as evidenced by data-driven business models. Cyberattacks can also encrypt data on which a company depends in order to operate successfully. The data is then usually only released after a considerable ransom has been paid. The economic impact can be enormous, as can the damage to the company’s reputation if the attack becomes known to the public. This is often accompanied by damage to the company’s internal data infrastructure, which is the foundation of any digital company – possibly resulting in operational disruptions or even preventing the company from operating altogether. The misuse of data is also a major threat for affected companies.
Some cyberattacks are a form of industrial espionage, for example with the aim of gaining competitive advantages by stealing information about the victim’s corporate strategy.
Another inherent threat in cyberattacks is the manipulation of communication channels. In a “man-in-the-middle attack”, for example, hackers can eavesdrop on communications between several parties in order to steal information or even manipulate the content before sending it on to the intended recipient.
It is important to note that any such attack triggers legal obligations. Especially when personal data is involved, the regulations of the General Data Protection Regulation (GDPR) must be observed. Companies that process personal data are obliged to ensure the appropriate security of personal data and to report data protection incidents. The principle of integrity and confidentiality includes, among other things, protecting data against accidental loss and damage as well as unauthorised processing (cf. Art. 5(1)(f) GDPR).
How to respond to a cyberattack
Spread the word internally: If a cyberattack occurs, it makes sense to immediately contact the relevant units, such as your information and IT security officers. In addition, the data protection officer, the IT department and of course management should be informed of the attack. They can then take immediate action based on an incident response plan.
Convene the crisis team: Especially in situations that call for swift and prudent action, it makes sense to run things past a crisis team set up specifically for this purpose, in order to avoid a chaotic internal response and to take uniform action against the attack. It is essential to involve the aforementioned internal units in the crisis team, as well as whichever department has been targeted.
Collect information: In order to stop an attack that has already begun, as well as to be able to prevent future attacks, it is sensible to collect certain information about the attack. Among other things, this includes investigating how the attack came to light, what impact the attack may have on the company’s core services, why the attack happened, and the likely impact on third parties such as customers or business partners.
Comply with notification obligations: Furthermore, it may be necessary to notify the competent data protection supervisory authority and the data subjects affected by the attack. Under certain conditions, companies are subject to this obligation under the GDPR.
Depending on the incident, it may also be advisable to bring the attack to the attention of law enforcement authorities and file a criminal complaint.
To put an end to the attack, it usually makes sense to take the affected system – the one used as a gateway by the hackers – offline. In some cases, however, the only way to overcome a cyberattack is to completely reinstall the affected system, as it is usually the entire system that is considered compromised. Cybercriminals use a variety of methods, some of which can cause damage even on a network that has been taken offline. For this reason, companies should be sure to create regular back-ups and store them securely and separately from the rest of the infrastructure.
What cybersecurity steps can companies take?
Cybersecurity is all about taking protective measures to secure and protect systems, networks and programs from unauthorised digital access.
Companies take cybersecurity measures in order to ensure the confidentiality of data and information. In addition, they aim to protect the integrity of personal data. Another goal of cybersecurity is to protect the availability of information used in the company against threats from cyberspace.
Cybersecurity should therefore be embedded as part of the company’s internal risk management. Companies should rely on a combination of strategy, technology and user awareness training. With the right cybersecurity risk management, internal vulnerabilities can be identified and administrative solutions and measures found to offer appropriate protection to the company and its digital infrastructure.
Possible cybersecurity measures
In order to prevent cyberattacks, it is advisable to take preventive measures to protect the company’s internal structures.
It is sensible to implement security gateways at individual network boundaries, such as a proxy firewall (also called an application firewall or gateway firewall). A proxy firewall is essentially a security system for a communication network. With a proxy firewall in place, no direct connection is established between your own network and another network such as the internet. The firewall is placed between the networks. It filters all requests from the internet, for example, either forwarding them or blocking them. This allows malware such as viruses to be detected and warded off before it has a chance to enter your own system.
Furthermore, system segmentation, i.e. the division of computer networks into several smaller subnetworks, is often a successful tool in preventing cyberattacks. With network segmentation, companies can determine whether all network traffic should only remain within one part of the network, or whether it – or at least certain categories of it – should be allowed to pass over into other network segments. This makes it more difficult for hackers and cybercriminals to penetrate the entire network, as the different segments are not connected to each other.
It is also essential to implement a patch management system that identifies software updates and “patches” and makes these available on endpoints such as computers, mobile devices or servers. Installing updates and patches regularly and at short notice is an effective means of eliminating software vulnerabilities that could otherwise be exploited as gateways for cyberattacks. By using patch management, companies can reduce the security risks associated with software and applications. Employees should therefore be made aware of and obliged to install updates and use the latest version of a given application. As far as possible, regular updates should be enforced technically.
The software used by employees should in any case be equipped with effective virus protection from the outset. Ideally, this will prevent malware from infiltrating systems in the first place. It also makes sense to use two-factor authentication wherever possible. This better ensures that only authorised persons ever have access to systems. Effective password management that mandates strong passwords also increases the security of IT systems. Since IT security breaches are often caused by employees clicking on an infected link or similar, employee training is also an effective measure. Regular staff training and clear rules of conduct on the part of the company can raise awareness of cyberattacks before they happen.
AI-based tools embedded in the system as a defence against cybercrime, which can detect and ward off attacks fully automatically, can be particularly effective.
There are already some frameworks on the market for cybersecurity risk management that can also be used to identify measures. Well-known frameworks include ISO 27001 and the BSI-Grundschutz certification process. It is important to document any measures taken.
Cybersecurity and good risk management serve to protect companies from threats to their systems. Anyone who wants to be armed against ransomware, malware and other cyberattacks needs robust cybersecurity. Regularly reviewing your cybersecurity strategy can reveal vulnerabilities in your own company well before an attack occurs and ward off cyberattacks. Nevertheless, it is not possible to be completely protected against all cyberattacks at all times, which is why your company should know exactly how to act in the event of an IT security breach. In particular, it is advisable to document all measures taken – so that the system can be reviewed regularly, but also in order to comply with your accountability requirements under the GDPR (cf. Art. 5(2) GDPR). The Federal Office for Information Security (BSI) also provides companies with comprehensive information on how to manage, report and prevent incidents.
Feel free to contact us – our data protection experts will support you in developing a suitable cybersecurity strategy for your company!