Small budget vs. IT security?

• A survey of exhibitors at it-sa revealed that many of their customers’ IT security budgets have been reduced as a result of the pandemic. Marc Fliehe from VdTÜV explains how managers can still guarantee the best possible security.
• Companies are confronting new risks, such as employees working from home, that can be especially challenging for SMEs.
• Changes caused by the coronavirus also make it necessary to reevaluate the security situation. A new risk analysis can be performed quickly and affordably using simple methods.
•  

Mr. Fliehe, you’ve studied political science, philosophy, and psychology. How did you go from politics and philosophy to IT security?

When I was a student, I was fascinated by a number of subjects, and about technology and IT in particular. At that time, I started collecting and exchanging computer viruses, still using diskettes. I was fascinated by the technology of viruses, which is how I came to be more involved with IT security. Eventually I started asking fundamental philosophical and psychological questions, such as how are people affected and what are people’s security needs. Behind the machines, there are always people and the two influence one another. But I also wanted to shape things, so I studied politics. My dissertation was on the perception of IT security. It was supervised by the German Federal Office for Information Technology (BSI), where I then worked as a student trainee. Back then, IT security wasn’t as important as it is today. After I completed my studies, there was an opening at the digital association Bitkom. They happened to be looking for someone with IT security expertise and a knowledge of politics. Two weeks later, the Snowden affair broke and IT security became a major issue.

Today you work for VdTÜV, the Association of Technical Inspection Agencies. What does VdTÜV have to do with IT security and what exactly is your job?

VdTÜV represents the joint interests of the TÜV organizations and also bundles its members’ joint activities. TÜV has been a trusted service provider for over 150 years, throughout all the advances in industry and technology. Its pledge has always been to minimize risks, which has increasingly come to mean digital risks. IT security is now a significant risk field. I’m head of the digital division at VdTÜV and work with experts from all the TÜVs to identify IT risks. Today’s cyberattacks can cause physical damage that can endanger life and limb. This makes the job extremely challenging, especially now.

How has the IT security situation been changed by the coronavirus?

Digitalization has benefited from the coronavirus in ways we wouldn’t have thought possible a few months ago. It has promoted videoconferencing, online collaboration, and many other applications related to working in a home office. But it has also brought new risks. Companies are currently facing challenges for which they’re often unprepared. They have to learn to deal with them. For example, there’s been a dramatic increase in attempts to steal access data using phishing e-mails whose subject relates to the coronavirus. SMEs are especially at risk because their IT infrastructures are usually less secure. Employees are often able to access all the company data via network drives, including from home. So the security situation in the home office becomes important for the company. Many IT attacks are extremely professional – for example, AI is used to imitate the voice of the CEO and place a call to the office authorizing payments. And this is happening in a situation where the company is already operating in crisis mode and normal workflows often don’t exist anymore. Hackers take advantage of this.

Has the coronavirus pandemic affected the IT security budget?

The pandemic has forced companies to provide new services and tools within a very short period of time. This has been costly. Just think of the expense of providing all your employees with laptops. This has been a huge strain on the IT departments’ already tight budgets.

When budgets are cut, which projects are the first to go?

When companies are under economic pressure, they save wherever they can. Over the medium and long term, this results in IT systems not being modernized when they need to be. Sooner or later, this becomes a security problem because the hardware and software are outdated. For example, it might affect the phone system, which should have been updated long ago. At some point, maintenance will be discontinued, then there won’t be any more updates. It will still function, but it usually hasn’t been secure for some time.

Changes in the risk situation make a new risk assessment urgently necessary. How can a company do this despite a reduced budget?

The most important thing is that a company know what it has that’s actually worth protecting – its crown jewels, so to speak. I have to know this before I can figure out what I’m protecting it against, meaning what type of risk I’m up against. Sometimes companies want to protect everything, but not everything is of equal value. If I can’t assess the relevance, then I have to prioritize. Legal requirements can be helpful, like data privacy laws. If I’m already complying with these requirements, I can start analysing what it is that differentiates me from the competition, what makes my company special.

To be able to assess the risks, it’s helpful to determine the probability of occurrence and the extent of damage to my assets. For example, if I have risks that have a high probability of occurrence but would cause no appreciable damage on a practical level, then I don’t have to concern myself with them right away. Instead, I should focus on areas where the extent of damage would be very high and the probability of occurrence is also very high. This type of assessment is especially valuable in the current situation, because it can be done relatively quickly and inexpensively. There are also best practices or standards that can be consulted as guidelines, such as ISO-27005. The BSI also has a lot to offer, including extensive materials for SMEs.

Are there any security measures that are especially important in the current situation and that can be implemented despite budgetary restraints?

This is the time to implement awareness projects in order to sensitize employees working from home to the new risk situation. If the budget is extremely tight, you can offer in-house training courses taught by knowledgeable colleagues. There are also various public initiatives that offer free information and training. The German Federal Ministry for Economic Affairs and Energy (BMWi) has free offerings as part of the “IT Security in Businesses” (German) initiative, as does the Alliance for Cyber Security (German).

If my budget is extremely limited, I can increase IT security by optimizing processes. For example, I can review and adapt access rights. Long-time employees often know exactly where optimization is possible. All of this helps create more of an IT security culture within the company.

Author: Uwe Sievers