#BusinessVsCovid19 - Are German companies taking enough steps to secure their IT systems?

How many emails have you received in recent weeks from your company's IT team? Are you using your personal devices to access company or customer data? Are you aware of the current uptick in cyber-security-related attacks?

Ursula von der Leyen, president of the European Commission, highlighted the issue of increased cyber-crime in the EU on Tuesday (24 March). Companies around the world have ramped down their physical offices and moved their staff to virtual work. This drastic change to home offices and remote teams has come so abruptly that only a handful of cyber-security teams have had sufficient time to prepare for it. Meanwhile, companies, including healthcare institutions, and employees have already become unsuspecting victims of cyber-crime.

A growing amount of data is pointing towards a rise in cybersecurity crimes and attacks on private and business accounts. Barracuda, an IT security firm, has reported a 667% increase in phishing attacks from February to March 2020. In this article, we take a sweeping look at the major concerns around cybersecurity that the business community needs to be aware of. We will take a closer look at the impact of Covid-19 on cyber-security and discuss the industry’s response through the lens of the Berlin-based cyber-security expert Pierre Pronchery.

Cyber Security: What is happening right now? 

Malicious attackers are after personal credentials and the transfer of sensitive data or funds, or are using business email compromise (BEC) attempts to infiltrate key information systems. Their activities vary:

  • Growing attacks on healthcare institutions: 

Hospitals, testing centers, research and development centers, and medical device makers are becoming victims of ransomware attacks. This means sensitive and critical data is locked via encryption by malicious actors, and access is denied unless a ransom is paid.

  • Phishing emails posing as government or international announcements (Social engineering)

The WHO warned about phishing attacks that appear to come from the organization and ask for donations but are actually used to extract credentials from individuals. Similar attempts have been reported in which attackers pose as Centers for Disease Control (CDC) representatives with updates on “latest cases near you” and direct recipients to a fraudulent page.

  • The exploitation of vulnerabilities due to the shift to home offices

Business continuity during the virus-related lockdowns has resulted in a huge rush to shift to home office settings. This has forced IT and security teams to set up VPN access without the extensive testing needed, resulting in sketchy configurations. Many IT teams themselves have members on sick leave, which is hampering the creation of the robust security that is needed. As a result, remote user credential theft has spiked due to a large number of employees using VPNs or sometimes their own devices.

Photo: Pierre, a cyber-security expert, at his recently set up home office.

German businesses overlooking cyber security needs?

At the beginning of our interview, Pierre actually expressed his surprise that he is not getting more requests for reviews of IT security infrastructure. 

leverist.de: What is the immediate impact of Covid-19 specifically on your company?

Pierre: We are seeing three major developments:

  • Much of our work is on-site at client locations to test the robustness of IT systems. We are seeing a cancellation of such projects.
  • Customers who had sub-contracted work to us are canceling or delaying such projects.
  • But many customers who we were serving remotely are continuing their association. We are helping our clients set up secure video conferencing and online collaboration infrastructure. 

Are European data protection laws making matters more complex?

leverist.de: What are the immediate concerns of companies that you advise? 
Pierre: European companies have to adhere to strict data protection and requirements of confidentiality. Their first priority is to enable the workforce to work remotely. While companies and freelancers all over the world are raving over Zoom for video calling, I am personally skeptical about it. My colleagues have raised concerns over the use of third-party clouds for the communications, notably from non-EU providers. What is also concerning is that the software tries to leave a footprint when one tries to uninstall it. So instead, we are looking at self-hosted solutions and are currently implementing an open-source commercially funded software called Jitsi.

leverist.de: What are the benefits of using Jitsi?
Pierre: This is an open-source project, meaning the source code for the software is completely open and transparent. Companies can brand it for their own companies, modify features and host it on their own servers so that the data is not hosted anywhere external and all conversations stay on the company's own servers.

Positive developments emerging for the business community

leverist.de: What are some positive developments you see emerging for the business community?
Pierre: I see three positives emerging out of the crisis:

  • We are identifying critical infrastructure - energy, mobility, water supply. This relies on people showing up for their work. So, we can learn from these industries how they are able to adapt to the changes and still keep their services up and running. 
  • We are seeing a shift towards increased trust in employees. Companies can no longer micromanage their employees. So, it’s a test of how much you can trust your employees to manage their work and personal lives. Many companies who were skeptical about moving to flexible work had to adopt it 100%, and it’s leading to more freedom and trust at work.
  • I see a shift towards smaller company offices and more support for setting up home offices in the near future. Companies are creating possibilities to work from home and financially supporting the right infrastructure to do that.

Advice to companies

leverist.de: What would be your advice to companies adapting to these changes? 
Pierre: There are short, medium and long-term measures to be taken by companies.

In the short term, they should review their VPN configurations with external services as it is difficult for internal employees to identify all the flaws in their own systems. We talk about the 4-eye principle where critical systems are reviewed by at least two experts. Companies should also aim to give as many company-owned devices to employees as possible as they are more secure and have fewer vulnerabilities.

In the midterm, businesses need to improve the security of remote access systems and implement robust solutions for mobile device management. In the long-term, preparing support services like accounting and HR for more digitalization is essential. 

Pierre Pronchery is a Senior IT-Security Consultant and an accomplished Software Engineer. Freelancing for over a decade, he audits and advises leading companies in the Telecommunications, Finance, and Retail industries, and supports Open Source software and hardware communities. He is currently serving as Vice-President for the NetBSD Foundation and is the founder and CEO of Defora Networks GmbH, Germany.

Saptarshi Baksi 
Product Innovation and Marketing consultant – leverist.de | Design Thinker
