Everybody is a target: “We need a stronger IT security culture”
The University Hospital Düsseldorf is offline for weeks and its emergency department can no longer admit ambulances; a woman cannot be helped in time. In Norway and Germany, the e-mail accounts of members of parliament are hacked. Garmin smartwatches become useless after an attack. And anyone trading cryptocurrency on Eterbase should check their wallet: the provider has apparently lost up to 5 million dollars. Hacker attacks are an ever-growing problem, yet security is still criminally neglected in many executive offices. Is the IT security culture in companies simply too lax?
Arron Finnon is an “ethical hacker” and Chief Technology Officer at Vindler GmbH, a consulting firm near Wetzlar that specializes in IT security. Together with his wife Caroline Krohn, the company’s managing director, I had the chance to talk about security and business. Caroline is co-founder of the European Data Protection Conference GDPR2, which in 2019 brought together top-class representatives from business and politics in Luxembourg for the first Security Networking Day. Arron has specialized in computer security attack scenarios for over 15 years and knows the weaknesses of hardware, software and companies in general. Between them, they bring a lot of security expertise to the table.
Why do you think IT security is still so badly neglected?
Caroline: People lull themselves into a comforting illusion of security until something happens. Let’s assume that a small or medium-sized company invests twenty thousand euros in IT security in one year. Then the year goes by and nothing happens. What impact does this have on the IT security culture? What do you do when you plan your budget for the following year? You cut security expenditures in half. After all, nothing has happened.
Arron: Security is a cost factor that does not bring a direct return on investment; it only costs, without any recognizable profit. Until it goes bang.
But don’t you have to keep security expenses under control when planning your budget?
Arron: Basically, it’s like looking into a double-barrelled shotgun when the trigger jams. At some point the thing goes off and you have no face anymore. Then your business is “kaput”!
Well, that’s kind of harsh, isn’t it?
Arron: But that’s the way it is: if you ignore the issue of security, you welcome technological neglect. If something happens then, you don’t deserve any better! No money for security? No time for security? You should think about it: do I prefer to invest my money in IT security now, or do I spend it afterwards on all the damage, penalties and image loss to save my business?
Take a look at what happened to Garmin. The company is said to have paid a ten million dollar ransom to the attackers to get its systems up and running again. The attackers had previously planted ransomware, which not only paralyzed the entire operation but also rendered their customers’ smartwatches unusable.
Caroline: Or think of Equifax, something like a US credit bureau. In September 2017, around 150 million customer records were stolen from them. Personal data, names, social security numbers, addresses, credit card data.
Arron: They only noticed that after six months. They spoke of a “professional attack”. No, they only had two people sitting in their IT security department, handling outdated software. In the end, this cost them close to $600 million in fines to the FTC alone!
How do you help to create a better IT security culture in companies?
Caroline: Our job is to help people secure their businesses.
Arron: I don’t do that myself. I see myself more as a kind of trainer, guiding people in the company to respond better to attacks. You can’t just buy this knowledge, you have to experience it yourself. If you want to know how to protect your house against burglars, don’t just buy a thousand security systems. It is best to first ask someone who breaks into houses. Only then will you know what to do.
Of course, a lot is also about soft skills. It’s just not enough to send your employees a training e-mail once a year in which they have to tick a few boxes on the subject of phishing. We put companies through their paces: we simulate attacks under controlled conditions and uncover the weak points. These do not necessarily have to be insecure IT systems. Often it is the employees who simply react “humanely” and make the attack possible in the first place.
What shortcomings do you most often encounter during your analyses?
Arron: Most people don’t make reasonable backups of their work. When you process data, this data must be available! You need a backup. But a backup is not a hard disk in your computer. A backup belongs outside of your computer. Moreover, many don’t even know the difference between a snapshot and a backup.
Where are the biggest dangers lurking, especially with regard to the Internet of Things?
Caroline: Actually everywhere nowadays. And thanks to IoT we live in a world where I can access your systems through your fridge.
Arron: You have to realize the urgency of this problem. If I were an IoT developer, I would basically consider any network hostile from the start. At home, at work, at the coffee shop. As long as I do not secure these endpoints with encrypted protocols, my product is vulnerable.
That would be the technical side…
Arron: That’s right, and the human being is a constant security risk as well. And there is no other way than to show people again and again in how many ways you can fool them. We need a much stronger security culture in companies. This starts with the employee in the lobby, runs through the IT developers and ends up on the executive floor. Some people can’t even keep track of their Facebook passwords. How do they manage with their e-mail account?
Is the same critical mindset absolutely necessary in private life?
Caroline: The mistake everyone makes is a mistaken self-assessment: “I don’t have anything valuable that could interest a hacker”.
Arron: And that is a fallacy! Everyone has something. Even if it is just someone you know. One thing you have to realize in a networked world: you are always a target. At all times. Even if only as an intermediate target. And it is not always just your data that is of interest. It is your contacts, your knowledge, your influence, your money. It is enough to have access to your systems. Your computer, your smartphone, your webcam, your coffee machine, your refrigerator. For attackers, these are all “assets”: devices that can be remotely controlled and later used for larger attacks.
Hacking is a scalable business because it is profitable. Sometimes it’s about money, sometimes about politics. The investment is minimal – the return on investment can be colossal.
So what can each of us do?
Caroline: For most people, convenience is more important than security. Whether it’s at home or in the office or ultimately in the product.
Arron: There needs to be a fundamental rethink; we need a strong IT security culture in companies. With IoT we are heading towards a borderlessly networked and digitized world. And if we are honest, we are really ill-prepared for it.