Cyber attacks are a serious threat, especially for SMEs, which often lack the necessary security measures. The resulting business disruptions, such as production or communication halts, can cause significant financial damage. Austria's expert on cybersecurity is Mag. Walter Unger, ObstdG, Head of the Cyber Defence & ICT Security Department at the Austrian Armed Forces. We spoke with him about implementable security measures, practical examples, and the role of the human component in cyber attacks.
According to the study by KPMG, two-thirds of Austrian companies were victims of cyber attacks last year. However, only about half of domestic companies see cybersecurity as an integral part of their digitization efforts. How do you explain this trend?
When I give my presentations, I also present these numbers and ask what happened to the other third. On average, it takes eight months to detect espionage operations related to cyber attacks. Cybersecurity is a complex issue, and knowledge about it is often not well developed in companies. Frequently, there is no specialized personnel, and security measures cost a lot of money. However, the risk of becoming a victim is high for companies. In the end, it boils down to whether companies can afford not to secure themselves against cyber attacks.
For what purpose do cyber criminals often target companies?
Everything that is conceivable in terms of crime is also possible in the cyber realm and is indeed carried out there. Often, the focus is on money: in these cases, the company’s data is encrypted with ransomware, and a ransom is demanded. Company or customer data is effectively held hostage. If a company does not have a secure recovery and backup plan in such a situation, they quickly become victims. However, companies can counteract this by regularly backing up their data. Another intention behind attacks is sabotage: systems and servers are disabled, rendering them inaccessible. This is especially problematic for e-commerce providers. Usually, a ransom is demanded in such cases as well. Then there are cyber attacks for espionage purposes. On one hand, the criminals target trade secrets or specialized know-how. After all, we have around 400 hidden champions in Austria, which are innovative companies that are globally leading in technology. If knowledge is stolen from them, someone else might be able to enter the market faster and possibly at a lower cost. On the other hand, customer data is protected under the GDPR, and mishandling it – for example, through improper data backup – can result in penalties. Another subtopic of cyber attacks is the manipulation of websites, the dissemination of fake news, etc. This can also cause harm to companies, leading to reputational damage that can unsettle employees, customers, shareholders, or stakeholders. This quickly leads to financial losses for the company, which is, of course, a real danger for small and medium-sized enterprises.
How can companies protect themselves against cyber attacks?
State-of-the-art technological precautions are an absolute must. This includes intrusion prevention and intrusion detection systems, firewalls, sandboxing (isolated environments), etc. These measures should primarily be implemented on computers that store genuinely important information. Not all computers need to be protected in the same way – only those that contain sensitive information. If all these systems are bypassed, and no ransom is demanded, it becomes very difficult to detect cyber attacks. In such cases, it may only be possible to indirectly identify the attacks by observing abnormal system behavior or unusual data flows.
Do you have a real-life case from practice for such indirect indications of a cyber attack on a company?
For example, in 2011, the Carinthian company Windtec became aware of industrial espionage through indirect incidents. A disloyal employee had sold technological know-how to a Chinese company that used to be a regular customer of Windtec. When the Chinese company was no longer dependent on the Carinthian know-how and the regular orders ceased, Windtec became suspicious and realized that something was amiss. This is a classic case of indirect indications of an attack targeting technological know-how. The case received media attention, and the company reported a financial loss of $250 million and had to lay off 40 employees. The disloyal employee was legally punished.
And do you have a case where an Austrian company was defrauded of money?
The most well-known case of extortion is certainly the one that happened to the Upper Austrian company FACC in 2016. In this case, an employee fell victim to a CEO fraud (Fake President Trick). The attacker had internal information and posed as the company’s CEO in an email. He claimed to be preparing a major deal that conveniently needed to be kept strictly confidential, and instructed the employee to transfer 50 million euros over the Christmas holidays. She complied, and the money was lost. This is a classic case of social engineering, where a person is manipulated to release financial resources. It works only through the thorough preparation of the fraudsters, their courteousness, and the trust and lack of proper financial guidelines on the part of employees.
In these two examples, human behavior played a significant role. What proportion does technology have in protecting against cybercrime, and what role does the human factor play?
As mentioned earlier, technology must be up to date. One should also consider the power supply, which should always be ensured, even if it requires the use of backup generators. The human factor also plays a very significant role: employees and management need to be sensitive to possible attacks, including phone calls and emails, especially those involving social engineering. Companies need a clear strategy for protecting against cybercrime.
How can a company develop a strategy for cybersecurity?
For example, by asking the right questions. Every company should honestly ask themselves these questions and be aware of the measures that need to be taken:
- What is truly worth protecting?
- What do employees need to know to protect themselves and the company?
- Are employees sufficiently trained? Do they make mistakes in using software and hardware?
- Is there a dedicated security officer within the company?
- Is there a healthy culture of learning from mistakes? Can employees trust someone when they make mistakes?
- Are there dissatisfied employees? Are security considerations integrated into the recruiting processes?
In short, every company needs a security officer. This can be a major challenge, especially for small and medium-sized enterprises (SMEs). The question always arises as to who should take on this role and who has the knowledge, capacity, and time for it. Alternatively, is it possible to ensure security through organizational measures? For example, in the military, the truly important things are not online.
What role does encryption play in this?
Encryption is a central aspect when it comes to cybersecurity. Important datasets must be encrypted and have appropriate access control. Ideally, companies have usable encryption methods that can be used by everyone, potentially after a short training.
In your opinion, does digitization open the floodgates to cybercriminals?
With the Internet of Things (IoT), more and more devices are interconnected, creating significantly more vulnerabilities and entry points than before. For standard systems, there are firewalls, but for smart heating systems, alarm systems, access controls, and similar devices, passwords and corresponding protection are also needed. Often, both in companies and in private settings, standard passwords are still used. Software can also have flaws and vulnerabilities. Additionally, the advent of 5G is approaching, which will primarily be of interest to industries and businesses. With such technologies, one must always consider the implications if the system fails or stops functioning properly.
How can awareness of cybersecurity be raised, both at the executive level and among employees?
Currently, the focus on this topic often revolves solely around employees. However, the larger mistakes can occur at the executive level! In practice, many companies have found it effective for the person responsible for security to report directly to the management, because anything that falls under the purview of the CEO or the leader is heard and receives the necessary budget. It is important for awareness to be demonstrated from the top. Executives must ask themselves: What still functions when computers cease to work? Without functioning computers, one cannot manage, produce, communicate, and so on. But even at lower levels in the hierarchy, appropriate awareness measures are needed. The insurance industry has already recognized the danger: today, cyber attacks are the top risk for companies.
What might these awareness measures look like?
For example, at the Bundesheer (Austrian Armed Forces), every individual is required to undergo an annual security training, which they must pass. During the training, questions are asked about topics ranging from “What constitutes a strong password?” to “How do you recognize social engineering measures?”. Experience has shown that such awareness training is highly effective – even for companies.