Cybersecurity: what does it have to do with me and my business?
Why cybersecurity doesn't just affect large corporations and what to look out for
Cybersecurity is on everyone’s lips after many attacks and headlines. But as a business owner, why should I be concerned and why is cybersecurity an important topic that can affect anyone?
A lot has changed in the digital world since the coronavirus pandemic. Among other things, this has exposed the state of digitization in Germany and around the world: in many places, the infrastructure is inadequate or even non-existent. Not long ago, high-ranking representatives of the German federal government described the Internet as “uncharted territory,” which caused astonishment in many parts of the population, since the Internet has become an indispensable part of our daily lives. Yet digitization has passed by not only public authorities but also many medium-sized companies, and this is particularly painful right now. Acquiring new customers has become a major obstacle because personal contacts have been lost, working from home is a difficult task because the infrastructure is lacking, and the administrative burden keeps increasing.
Many repetitive tasks that could have been automated a long time ago to free up time for employees are still carried out laboriously and at great cost, in part by hand. Used correctly, a good digitization strategy can expand our customer base and improve employee satisfaction.
Cybersecurity and data breaches
What does all this have to do with “cybersecurity”? The more data and processes we shift to the digital realm, the more “attack surface” we offer for potential damage. Time and again, spectacular data breaches make headlines, ranging from the loss of data worth protecting to the failure of critical infrastructure. As is so often the case, many respond with the strategy “if you don’t do anything, you can’t make any mistakes.”
On the opposite side of the spectrum, we have the “a lot helps a lot” approach: anything that someone can think of, or that is currently popular in some way, is thrown at the problem. Here, too, it should be noted that complexity can itself put the security of a system at risk. The more complex a system is, the more room we give to potential security vulnerabilities, because we increase the amount of code we have to trust and keep up to date at the same time; this is referred to as the trusted computing base (TCB). A security hole in just one component of our TCB can potentially compromise the entire system, so the smaller the TCB can be kept, the better.
Security as a strategy element
Security must always be a high priority in any digitization strategy. The very first and probably simplest measure is to keep the software in use up to date. Many systems are set up once and then maintained only inadequately, or not at all. A frequently heard argument for why this is not a major problem is: “no criminals are interested in our company.” Yet Telekom alone reported cyberattacks numbering in the double-digit millions for 2019.
Automation of the attacks
The fact is that the majority of attacks are not targeted, but purely automated. The “romantic” notion of cybercriminals sitting in a basement between energy drink cans and attacking companies is giving way to a small program that tirelessly scans the Internet for a few predefined vulnerabilities 24 hours a day, seven days a week. Often, these vulnerabilities are targeted the very day they become known.
Such programs are commonly called zero-day exploits: programs that exploit a vulnerability, sometimes before effective countermeasures exist. A whole market exists for this type of software, on which large sums of money are paid depending on the severity and attractiveness of the vulnerability. Software that enjoys widespread use is therefore a frequent target of such attacks, and for this very reason requires increased attention when it comes to updates.
It is particularly interesting to look at the class of vulnerabilities we encounter most often. The Open Web Application Security Project (OWASP for short) maintains a Top 10 list of security problems found in today’s web applications. For many years, first place has gone to so-called “injection” attacks. Simply put, these are attacks that allow commands to be injected into an application via normal user input (e.g. search queries). Such vulnerabilities usually arise from insufficient care in the development of the software and in many cases could be greatly reduced by using more modern tools.
In the financial sector, such tools, including more advanced programming languages, are already in use. In many places, however, the software industry is still struggling. There is often a lack of willingness to invest in such technologies and the associated expertise. As a result, the majority of these problems are still found by manually searching for them. More progressive tools can greatly relieve developers in this process and ultimately lead to better results. Anyone who works makes mistakes. Tools are not there to reproach us, but to support us; this opportunity must be recognized and used.
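To make the injection problem described above concrete, here is an added example (not code from the original article) in Python using the standard-library sqlite3 module: a product search that pastes the user's search term straight into the SQL text, next to the same search written with a bound parameter. The product table, the search terms and the function names are all constructed for this illustration. The crafted term closes the string literal and appends an always-true condition, so the vulnerable version leaks a row that was never meant to be public; the parameterized version treats the same term as plain text and returns nothing.

```python
import sqlite3

# Constructed sample data: a tiny product catalogue with one non-public row.
PRODUCTS = [
    ("Office chair", 1),
    ("Standing desk", 1),
    ("Unreleased prototype", 0),  # must never appear in public search results
]


def make_db():
    """Create an in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Search that builds the SQL text by string formatting (the defect)."""
    # Whatever the user types becomes part of the command the database runs.
    sql = (
        "SELECT name FROM products "
        f"WHERE public = 1 AND name LIKE '%{term}%' ORDER BY rowid"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Same search with the term passed as a bound parameter (the fix)."""
    # The query text is fixed; the term travels separately as a value, so the
    # database never interprets it as SQL, no matter what characters it holds.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def demo():
    """Run both searches with a normal term and a constructed crafted term."""
    conn = make_db()
    normal = "desk"
    # Constructed input: closes the quote and appends a condition that is
    # always true, turning "public = 1 AND ..." into "... OR true".
    crafted = "%' OR '%'='"
    return {
        "vulnerable_normal": search_vulnerable(conn, normal),
        "vulnerable_crafted": search_vulnerable(conn, crafted),
        "parameterized_normal": search_parameterized(conn, normal),
        "parameterized_crafted": search_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The only difference between the two functions is where the search term enters the query: as part of the SQL text or as a bound value. This is exactly the kind of mistake that better tooling (query builders, ORMs, linters that flag string-formatted SQL) catches automatically instead of relying on someone to spot it during review.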
Develop software securely
As software developers, we owe our customers an increased level of care, especially in times of rising cybercrime. Developing correct and robust software is a task that requires a lot of experience. As software developers, we are in a constant game of cat and mouse. Being aware of this and regularly looking over the attackers’ shoulder to understand their modus operandi is part of our job.
Many standard software solutions come with a rather rigid range of functions in order to cover as many scenarios as possible. Often, however, exactly the functionality that a specialized application would need is not part of it, so in some cases the software is extensively adapted. One risk that arises here is that the system can no longer be updated without further adjustments. If a security risk then requires a new version of the software, this automatically means additional effort, which in the worst case can lead to a complete redevelopment of the software.
A functioning infrastructure requires expert knowledge, and finding a trustworthy partner for this task can be a major challenge. For this, communication as equals is essential. “One hundred percent security” and similar promises should be treated with great caution, because security problems can always arise. What matters is how transparently they are handled and how the team responds to potential threats. Don’t be impressed by flowery buzzwords. Attackers won’t be impressed either.