Three questions for... Emsisoft

Tiffany Dinges

"Security must not be an annoying add-on"

To ensure data security in companies, there are measures that could be implemented without effort, but often fall by the wayside for reasons of convenience. This includes the selection of passwords. Christian Mairoll on human error.

© Emsisoft

The passwords people choose to protect data vary, but they are often too predictable. People like to use their own name or initials combined with their birthday or year, the name of their pet, the current date or, in the worst case, the classic "12345". Cases like these make Christian Mairoll, Managing Director of Emsisoft, throw up his hands in despair, because solutions that protect systems and logins from unauthorized access are easy to implement.

Are German companies adequately prepared for potential cyber attacks and are their protective measures sufficient?

Mairoll: If you look at the current numbers of confirmed ransomware cases and the damage they have caused, you have to state quite clearly: No, German companies are unfortunately not adequately prepared for cyberattacks.

Emsisoft recently analyzed the direct and indirect costs of ransomware cases in the past year and came up with a conservative estimate of ransom demands of USD 148-593 million in Germany alone in 2019. The resulting business losses are also conservatively estimated at between USD 1 and 4 billion (the calculation method in detail).

Ransomware has been the biggest cybersecurity problem for several years, while classic malware categories such as viruses or rootkits have become almost negligible.

Regardless of the budget, which three security measures should companies implement to protect themselves from cyber attacks?

Mairoll: It can be observed that many companies rely too much on (sometimes very complex and expensive) purchased ready-made solutions, but often disregard common sense when it comes to basic precautions. The main gateways for malware are usually not technical gaps in firewall configurations, as one might assume, but outdated software and human error.

Specifically, we recommend implementing the following 3 security measures without ifs and buts:

Multi-factor authentication: When servers are cracked and encrypted, it is mainly because attackers try common passwords and, if a working one is found, there are no other security measures in place. Multi-factor authentication must therefore be mandatory for all services accessible via the Internet, especially for servers that are accessible via RDP (Remote Desktop).

Strong passwords: Although it has been preached for decades that you should not use passwords that are too short, they are still used. People are lazy and therefore always prefer passwords that they can remember, which is fatal for security. Password managers solve the problem by storing virtually uncrackable long passwords behind a master password that is memorized.

Install software updates without delays: This tip is also not a real novelty, yet every day we see servers of sometimes very large organizations that have been cracked and encrypted simply because a security update that has been available for months was not installed on time.

The tips mentioned do not ultimately cost any significant amounts, but they make a huge difference.

Keyword: security as a service. Should the manufacturing and process industry consider managed security services?

Mairoll: Yes, although I think we should differentiate between the reasons. If it's just about passing on responsibility to external service providers and saving costs, managed security can very quickly end in a fiasco. However, when it comes to integrating the knowledge of experts in order to establish better tested and documented security protocols yourself, I think it makes perfect sense to rely on managed security. Cloud-based solutions can significantly simplify and speed up administration, especially when it comes to the centralized management of endpoint security software. Your own IT admins always remain directly involved.

It is important to note here that security ultimately always remains the core task of your own company. Security must not be an annoying add-on in your own business model, but must always be included in the design of processes from the ground up.
