Sophos
OT security with Zero Trust
The advantages of digital automation concepts are manifold. However, increasing networking is also making industrial production the focus of cybercriminals. In this interview, Michael Veit from Sophos explains the potential dangers and protection options.
What do companies in production have to fear today with regard to the dangers from cyberspace, and how high is the potential danger really?
Michael Veit: Organizations such as the German Federal Office for Information Security (BSI) or the industry association Bitkom as well as providers of security solutions like us agree on this issue: the situation is precarious! Unfortunately, the much-quoted phrase that it is not a question of whether you will be affected by a cyberattack, but when, is more relevant than ever. Far be it from me to scaremonger or present horror scenarios in which everything goes wrong and an entrepreneur's livelihood is always at stake after a cyberattack. Rather, it is about recognizing the potential dangers so that companies can work out an individual strategy to protect themselves in the best possible way or to be able to react correctly in an emergency.
So the risk situation varies depending on the size of the company or the expansion of digitalization?
Veit: Not really. Large corporations, where cyber criminals can expect high losses or even ransomware ransoms in the millions, are attacked more specifically, individually and with greater effort. However, these companies very often already have highly effective security solutions installed, which makes an attack more difficult. Medium-sized companies, on the other hand, often experience attacks that occur in waves and affect many companies at the same time. Here, criminals rely on protection systems that they can more easily circumvent or infiltrate. Overall, the risk of falling victim to a cyberattack is and remains high - especially in an environment where digitalization is a top priority.
Can you elaborate on this?
Veit: We conduct an annual international study, the 'State of Ransomware Report'. In it, we survey companies worldwide to get a holistic picture of the threat situation. Across all industries and countries, 66% of all companies surveyed were affected by ransomware attacks in 2021, compared to 37% in the same period in 2020.
You said that digitalization increases the potential threat. What exactly is the problem?
Veit: One example: In production, there have always been machines and robotics that have been developed primarily for optimal function in terms of hardware and software. Logically, security is not the core competence of these manufacturers. Nevertheless, many of these machines and components are nothing more than computers that are also connected to the company's internal IT networks or even to the internet or a cloud application. However, it is not just the large machines and robots that should be considered here, but rather the small devices, such as hand-held scanners for warehouse logistics, which have direct access to important systems within the company. It is often precisely these devices that cyber criminals take advantage of to break into the company network and then use many other means to wreak havoc.
Now you can't simply stop digitalization and networking...
Veit: Of course not, and that's not an option either. It's much more about recognizing the multi-layered gateways used by cyber criminals and then acting accordingly. Many of these typical gateways are now known and can be closed. But it's about the backdoors that are not yet known. And with increasing digitalization, it is also about mass and dynamics in the entire IT structure; this has long been almost impossible to control manually. This is why we are talking about an integrated security ecosystem that encompasses all IT and digital devices in companies. Security is very advanced here and if a high degree of automation and intelligence is also anchored, such solutions can not only detect problems but also react automatically in the event of an attack.
Can you name a typical risk that many companies in this sector are likely to face?
Veit: Today, digitalization is not only driven by IT, but also by the specialist departments. Time and again, new digital devices are integrated into the company network, but they are not secure. The specialist department itself does not necessarily need to know this, but the security managers must receive a warning message - or even better, the security system must react automatically and immediately. Ideally, of course, by closing the security gap and ensuring that the newly connected device can still be used.
Best practices for protection against ransomware and other cyberattacks
1. Installation and maintenance of high-quality protective measures throughout the company. Regular audits and security checks ensure that security measures meet the company's requirements on an ongoing basis.
2. Actively searching for threats to identify and stop attackers before they can carry out their attacks. If the IT or security team does not have the resources or knowledge to do this themselves, Managed Detection and Response (MDR) specialists should be engaged.
3. Hardening the IT environment by detecting and closing dangerous security gaps. For example, unpatched devices, unprotected computers or open RDP (Remote Desktop Protocol) ports are identified and eliminated by Extended Detection and Response (XDR) solutions.
4. Being prepared for the worst. Companies should know what to do if a cyber incident occurs and keep the contingency plan up to date.
5. Creating backups and testing the recovery. In this way, the company can resume operations as quickly as possible and with minimal disruption.
Another example of potential risks are the new developments in work organization. In the production environment, too, there are many employees who work from home. In most cases, employees are connected to the company via a VPN connection in order to work on the systems that are important for their work. This includes, for example, all administration and design applications. However, the VPN connection is nothing more than a long virtual network cable to the employee's home office. However, employees working from home are not in a secure environment, as they usually only have access to traditional Internet and WLAN connections. And security is much less important there. This means that the home office is a good opportunity for cyber criminals to gain access to the company network.
Trust nothing and no one
How can you tackle the problem of working from home or other insecure devices without doubling the size of your IT team?
Veit: The problem is that traditional security concepts check and secure everything that takes place outside the company. Everything that takes place inside the company is basically good and hardly needs to be checked separately. Insecure scanners in logistics or home office computers, for example, which are connected to the company network directly or via the WLAN or VPN, create risks that you generally don't want to let into the company. And yet, from a technical perspective, these devices are treated as internal IT resources.
Five facts about ransomware attacks
In its 'State of Ransomware Report', Sophos surveys companies worldwide every year about their experiences with ransomware attacks. The latest study from early 2022 shows that the threat situation has worsened. Five facts for the manufacturing and production industry.
Another example that we know from many areas of industry is digitalized supply chains. Many companies are networking with each other to make automation even more efficient and prevent errors in manual processes. Imagine just-in-time production in which the supply chains are not digitally connected between the manufacturers of the individual components and logistics - that is no longer possible today. However, it is incredibly difficult to determine whether a third-party connected company really takes its security seriously or whether it will not become a massive threat via the digital connection - perhaps only over time. One way to protect a company with a high degree of automation is the Zero Trust principle with the corresponding solutions.
How does the principle work?
Veit: The Zero Trust model offers a much higher level of security because no device or user is trusted. In simple terms, the zero trust principle means: trust nothing and no one, especially not a network, and check everything. As a result, there is no automatic trust or mistrust inside or outside the perimeter. It is always verified who wants to access and it is checked whether the accessing device is in order. In addition, users are only granted access to resources and applications that are required for their tasks.
This is the security perspective. How does the user perceive Zero Trust?
Veit: Nothing really changes for the user and that is important. If you implement the Zero Trust principle with our solution, the Zero Trust Network Access Gateway (ZTNA), for example, the user can still work with their resources and applications and has the feeling of being directly connected to the company. Users log in with their devices and this login is forwarded to the ZTNA gateway in the background. If everything is correct, users are authorized to access exactly the applications and resources they actually need. They work with the applications as usual and transparently from a security perspective.
And how much work is involved for IT?
Veit: If IT works according to the old principle described above, where everything that doesn't seem good is successively banned, there will have to be a short conversion phase to the zero trust principle. Once this process has been completed, however, automation will greatly reduce the burden on IT. With zero trust, complexity is reduced despite the large number of applications and possibly changing internal and external users, while agility is increased at the same time. Rules and authentication can be designed much more easily and, above all, more transparently. In addition, scalability is many times greater than with traditional concepts. What is perhaps even more important from a management perspective is that it is much easier to meet and adhere to compliance requirements in terms of transparency and traceability, i.e. who has access to what. Incidentally, Zero Trust does not have to be fully established throughout the entire company from the outset, but can be introduced in stages, which we also recommend in many cases. For the initial setup, it makes sense to rely on experienced partners who are very familiar with ZTNA and have experience from the conversions in other companies.
What advice do you have for companies and where is the journey heading?
Veit: The journey is clearly defined by the incredibly high criminal potential of cyber criminals. According to our studies, ransomware extortion sums have increased dramatically. Security is trying to catch up with the criminals or even stay one step ahead with increasingly intelligent solutions that are based on machine learning and complex algorithms, among other things. However, this is only part of a security strategy. In an effective security ecosystem, human skills are increasingly needed to supplement what no protection technology can do today. This includes, for example, forensic experts or task teams with years of expertise. Medium-sized companies can hardly cover these teams internally, which is why managed threat response is increasingly being used in production - usually as a service. In other words: the cat and mouse game between cyber criminals and security will continue for a long time to come and in the near future a level will be reached where companies will place the protection of their data and production in the hands of experts.
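The Zero Trust access decision described in the interview (verify who is asking, check that the device is in order, grant only the applications a role needs, and treat "inside the network" as no evidence of trust) and the device checks from the best-practices box (unpatched devices, unprotected computers, exposed RDP) can be written down as one small policy evaluator. The following is an added example, not Sophos code and not how the ZTNA gateway is implemented; the roles, application names, device fields and the sample requests are all constructed for illustration.

```python
"""Added illustration of a Zero Trust access decision (not Sophos code).

Every request is judged on identity, device posture and least privilege.
The network the request comes from is recorded for the audit trail but
deliberately plays no part in the decision.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    mfa_verified: bool      # identity verified at login (assumption: MFA)


@dataclass(frozen=True)
class Device:
    device_id: str
    patched: bool           # OS and applications at the required patch level
    endpoint_protection: bool
    rdp_exposed: bool       # RDP (3389) reachable beyond the device's own segment
    network: str            # "corporate", "vpn", "home_wifi", ... (ignored by policy)


# Least privilege: a constructed mapping of role -> applications that role needs.
ROLE_ENTITLEMENTS = {
    "design_engineer": {"cad", "plm"},
    "warehouse": {"wms"},
    "it_admin": {"cad", "plm", "wms", "erp"},
}


def device_posture_findings(device: Device) -> list[str]:
    """Return the hardening gaps on a device; an empty list means 'in order'."""
    findings = []
    if not device.patched:
        findings.append("unpatched")
    if not device.endpoint_protection:
        findings.append("no endpoint protection")
    if device.rdp_exposed:
        findings.append("RDP exposed")
    return findings


def evaluate_access(user: User, device: Device, application: str) -> tuple[bool, str]:
    """Zero Trust decision: (granted, reason). Location on the network is never a reason."""
    # 1. Verify who wants to access.
    if not user.mfa_verified:
        return False, "identity not verified"
    # 2. Check whether the accessing device is in order.
    findings = device_posture_findings(device)
    if findings:
        return False, "device posture: " + ", ".join(findings)
    # 3. Grant only what the role requires.
    if application not in ROLE_ENTITLEMENTS.get(user.role, set()):
        return False, f"{application} not required for role {user.role}"
    return True, "granted"


def audit_log(requests: list[tuple[User, Device, str]]) -> list[dict]:
    """Evaluate a batch of requests and return the 'who got access to what' record."""
    records = []
    for user, device, application in requests:
        granted, reason = evaluate_access(user, device, application)
        records.append({
            "user": user.user_id,
            "device": device.device_id,
            "network": device.network,      # logged for traceability only
            "application": application,
            "granted": granted,
            "reason": reason,
        })
    return records


# Constructed sample requests: a designer at home on a healthy laptop, the same
# designer asking for ERP, and a warehouse scanner on the corporate network that
# has never been patched.
SAMPLE_REQUESTS = [
    (User("anna", "design_engineer", True),
     Device("lt-0042", True, True, False, "home_wifi"), "cad"),
    (User("anna", "design_engineer", True),
     Device("lt-0042", True, True, False, "home_wifi"), "erp"),
    (User("scanner-user", "warehouse", True),
     Device("hh-scanner-07", False, True, False, "corporate"), "wms"),
    (User("ben", "it_admin", False),
     Device("ws-0101", True, True, True, "corporate"), "erp"),
]

if __name__ == "__main__":
    for record in audit_log(SAMPLE_REQUESTS):
        print(record)
```

The third sample shows the point of the interview: the scanner sits on the corporate network, yet it is refused because it is unpatched, while the engineer on home Wi-Fi is admitted because identity, device and entitlement all check out. Wiring such a policy to real inventory, patch and EDR data is what the XDR/ZTNA products on the page do; the evaluator above only fixes the decision order.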