The rapid development of digital technologies and the growing interconnectedness of all areas of life confront companies with a multitude of complex challenges. In the face of threats such as cyber attacks, data misuse and manipulation of information systems, developing new strategies and solutions to protect themselves is becoming ever more important. A world in which artificial intelligence, the Internet of Things and quantum computing gain importance opens up new opportunities, but also new risks. At a meeting of eco’s Security Competence Group, experts discussed key future topics in cybersecurity and analysed how innovative approaches can be used to make the digital world more secure.
Cybercrime and the human factor
- Attacks are becoming more complex and diverse
- Social engineering remains a key threat
- AI and geopolitical interests exacerbate the threat
Cyber attacks are steadily increasing, both in number and in technical sophistication. Social engineering remains particularly treacherous: attackers increasingly use social networks, personalised messages and faked voice messages to deceive users, and generative AI lets them produce such lures at scale and tailored to each target. In addition, companies are increasingly targeted by state-sponsored groups, for example from Russia or North Korea. These targeted, often politically motivated attacks are hard to detect and even harder to defend against.
Recommendations for companies
- Employee training is essential
- A security culture must be established
- Prevention through education and societal responsibility
Technical protective measures such as firewalls and phishing filters provide an important foundation, but they are not enough on their own. People remain the decisive line of defence. Regular training raises employees' awareness of threats such as AI-generated phishing emails and fraudulent phone calls. At the same time, cybersecurity must become part of the corporate culture. This also includes a strategic view of education: dealing with digital risks should already be taught in schools in order to build a resilient society in the long term.
Cybersecurity regulation
- New EU laws such as NIS2 and CER include new obligations
- Companies must respond flexibly to legislative procedures
- Disagreement over EU certifications remains a challenge
In cybersecurity, companies must increasingly not only take technical measures but also keep up with growing legal regulation. A key driver is the set of new and revised laws at European level. In 2022, for example, the NIS2 Directive and the Critical Entities Resilience (CER) Directive were adopted. NIS2 focuses on the cybersecurity of in-scope organisations, while CER addresses the physical resilience of critical entities.
However, the national transposition of these and related laws, such as the KRITIS umbrella act in Germany, has been delayed several times, partly because this year's early German federal elections restarted the legislative process. For companies this means preparing for legislation that may enter into force with little or no transition period. Three scenarios are conceivable for adoption: the regular, slow procedure, an accelerated 100-day procedure, or a hybrid of the two. Whichever applies, companies need to be fully compliant from the day the law takes effect.
The EU will also regularly review existing cybersecurity laws, such as the NIS2 Directive, to ensure that they achieve the desired effect. Specific implementing rules, for example on the resilience of IT systems, are expected in the course of the year, with governments taking a pragmatic approach to avoid an inefficient and overregulated solution. Companies should therefore favour a market-based security model and closely monitor regulatory developments.
Companies may also be affected by the European Cybersecurity Certification Scheme for Cloud Services (EUCS), which has been under discussion for years. There is still disagreement, particularly over digital sovereignty requirements and minimum standards; some member states are pushing for stricter rules, which is delaying adoption. Uniform certification of IT security products and services also remains a challenge, as national authorities such as the BSI and market-driven providers continue to dominate certification.
The future of the Trans-Atlantic Data Privacy Framework (TADPF), which governs personal-data transfers between the EU and the US, is increasingly uncertain, as the EU's adequacy decision for the US is considered unstable. US companies are therefore increasingly seeking European attestations such as the BSI's C5 to build trust and meet regulatory requirements.
Zero Trust: A security concept for the future of corporate IT
In today’s increasingly connected and dynamic IT landscape, the Zero Trust security concept is becoming ever more relevant. It represents a fundamental shift from traditional security models, which assume that users inside the network are trustworthy. Zero Trust, by contrast, assumes that no user or device, internal or external, is trustworthy by default. Every request for access to data or applications must therefore be authenticated and authorised before it is served, based on the identity of the user, the state of the device and the context of the request.
Why Zero Trust is important for companies
Zero Trust is particularly relevant for companies operating in distributed work environments where cloud services and mobile working are increasingly the norm. In such environments, the boundaries between internal and external networks are blurred, reinforcing the need for a robust security architecture.
The basic principles of Zero Trust include:
- Elimination of the trusted perimeter: the traditional model, which treats everything inside the corporate network as trustworthy, is replaced by one that verifies every access regardless of network location.
- Continuous verification of identities and devices: instead of a one-time login, sessions are re-evaluated continuously, for example against session age, device posture and risk signals, and revoked when a check fails.
- Minimal privileges: Users are only granted the rights they need to perform their tasks.
- Micro-segmentation: Network resources are divided into smaller segments to control access at a granular level.
Introduction of Zero Trust
- Zero Trust replaces traditional security models
- Access is continuously verified
- MFA and segmentation as key elements
Fully introducing a Zero Trust model takes several years, because existing IT infrastructure and business processes have to be accommodated. A thorough analysis of the current security architecture is the first step. Zero Trust is less a change of technology than a strategic shift: security processes must be rethought and all relevant stakeholders involved. Long-term changes to service-provider and licence structures may also be necessary.
A key element is user identity. Multi-factor authentication (MFA), ideally hardware-based (for example FIDO2 security keys, which resist phishing in a way that one-time codes sent by SMS or app do not), is increasingly replacing password-only login and makes stolen credentials far less useful to an attacker.
Zero Trust also helps companies meet regulatory requirements such as NIS2 and DORA: continuous reconciliation of access rights improves both IT security and compliance. Despite potential hurdles, especially in Germany, awareness of the need for such concepts is growing. Those who actively shape the change will benefit in the long term from a more robust security level.
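The principles listed above (no trusted perimeter, continuous verification, least privilege, micro-segmentation) and the MFA requirement from the introduction section can be made concrete in a small policy decision point that is consulted on every request. The following is an added example written for this page, not code from eco or from any Zero Trust product. Everything in it is a constructed assumption: the token format and HMAC secret stand in for a signed session from a hypothetical identity provider, and the device inventory, users, role grants and resource-to-segment mapping are sample data.

```python
"""Per-request policy decision point illustrating the Zero Trust principles above.

Added example, not code from the eco article or from any Zero Trust product.
Assumptions (all constructed for this example): session tokens are HMAC-signed JSON
claims from a hypothetical identity provider; a device inventory records whether a
device is managed and passed its last posture check; roles are explicit allow-lists
of (segment, action); every resource sits in exactly one network segment.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

TOKEN_SECRET = b"example-only-hmac-secret"   # constructed; a real IdP would sign with a key pair
MAX_TOKEN_AGE_S = 900                        # continuous verification: re-authenticate every 15 min

# Constructed inventory data
DEVICES = {
    "laptop-042": {"managed": True, "posture_ok": True},
    "byod-007": {"managed": False, "posture_ok": True},
}
USERS = {"alice": {"roles": {"engineer"}, "mfa_required": True}}
ROLE_GRANTS = {                              # least privilege: explicit allow-list per role
    "engineer": {("app-tier", "read"), ("app-tier", "deploy")},
    "finance": {("erp", "read")},
}
RESOURCE_SEGMENT = {"ci-runner": "app-tier", "sap": "erp"}   # micro-segmentation


def issue_token(user: str, device: str, mfa: bool, issued_at: int) -> str:
    """Mint a compact signed token: base64(claims) + '.' + HMAC-SHA256(claims)."""
    payload = json.dumps(
        {"sub": user, "dev": device, "mfa": mfa, "iat": issued_at}, sort_keys=True
    ).encode()
    sig = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if signature and age check out, otherwise None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:                       # malformed token (bad split or bad base64)
        return None
    expected = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time compare
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > MAX_TOKEN_AGE_S:     # stale session: force re-login
        return None
    return claims


def evaluate(token: str, resource: str, action: str, now: int) -> Tuple[bool, str]:
    """Check identity, MFA, device posture and least-privilege grant, in that order."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "token invalid, tampered or expired"
    user = USERS.get(claims["sub"])
    if user is None:
        return False, "unknown user"
    if user["mfa_required"] and not claims["mfa"]:
        return False, "MFA required for this user"
    device = DEVICES.get(claims["dev"])
    if device is None or not (device["managed"] and device["posture_ok"]):
        return False, "device unknown, unmanaged or failed posture check"
    segment = RESOURCE_SEGMENT.get(resource)
    if segment is None:
        return False, "unknown resource"
    for role in user["roles"]:
        if (segment, action) in ROLE_GRANTS.get(role, set()):
            return True, f"allowed: role {role} may {action} in segment {segment}"
    return False, "no role grants this action in this segment"


def decide(token: str, resource: str, action: str, now: int) -> Tuple[bool, str]:
    """Fail closed: any unexpected error inside policy evaluation is a deny, never an allow."""
    try:
        return evaluate(token, resource, action, now)
    except Exception as exc:                 # deliberately broad: this is the fail-closed guard
        return False, f"policy error, denied: {type(exc).__name__}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("alice", "laptop-042", mfa=True, issued_at=now)
    print(decide(token, "ci-runner", "deploy", now))              # allowed
    print(decide(token, "sap", "read", now))                      # denied: not in role
    print(decide(token, "ci-runner", "deploy", now + 3600))       # denied: stale token
```

Two design points matter more than the data model: the checks are ordered so that the cheapest and most decisive ones (signature, age) run first, and `decide` wraps the whole evaluation so that an exception in any lookup results in a deny rather than an accidental allow. Network location never appears in the decision at all, which is the practical meaning of "no trusted perimeter".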
Quantum computing and the future security landscape
- Quantum computers threaten today’s encryption
- PQC and QKD secure tomorrow’s communications
- First pilot projects worldwide in implementation
Quantum computing will significantly change the security landscape in the coming years. The impact on data security is far-reaching: a sufficiently large quantum computer would break the public-key encryption and key-exchange methods in use today and thus compromise the confidentiality of data. Cryptographically relevant quantum computers are expected within the next 10 to 15 years. This is already relevant today for data that must remain confidential for long periods, such as health or military information: an attacker can record ciphertext now and decrypt it once a quantum computer becomes available ("store now, decrypt later"), so data protected only by classical public-key cryptography today is already exposed.
Companies should consider two technologies in this area:
- Post-quantum cryptography (PQC): a family of cryptographic methods designed to remain secure against future quantum computers. Quantum computers can break many of the classical public-key methods in use today, specifically those based on the factorisation of large numbers (RSA) or on the discrete logarithm (DSA, DH and their elliptic-curve variants ECDSA and ECDH), using Shor's algorithm. Symmetric ciphers such as AES are only weakened (Grover's algorithm roughly halves the effective key length), so doubling key sizes suffices there. The vulnerable public-key algorithms will be replaced by quantum-safe ones; NIST published the first standards (ML-KEM for key establishment, ML-DSA and SLH-DSA for signatures) in 2024. PQC runs on existing hardware and protocols, which is its advantage, but integration is not trivial: keys and signatures are larger, and every place an algorithm is hard-coded has to be found and made crypto-agile.
- Quantum Key Distribution (QKD): a technology for distributing cryptographic keys whose security rests on quantum mechanics rather than on computational hardness. Any attempt to intercept or measure the transmitted quantum states disturbs them, which shows up as an elevated error rate when the two parties compare a sample of their key, so eavesdropping is detected and the key discarded. Two practical caveats: QKD needs a direct optical link (fibre or free space) with limited range, and the accompanying classical channel still has to be authenticated with classical or post-quantum methods, so it complements rather than replaces PQC.
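The "store now, decrypt later" reasoning above can be turned into a triage rule for an existing cryptographic inventory. The following is an added example, not code from the eco article or from any standards body. It applies Mosca's inequality, a widely used PQC planning heuristic: if the time the data must stay confidential plus the time needed to migrate the system exceeds the time until a cryptographically relevant quantum computer exists, the data encrypted today is already exposed. The algorithm classes follow Shor's and Grover's algorithms as described above; the inventory rows are constructed, and the 10-year horizon takes the lower end of the 10 to 15 year estimate.

```python
"""Triage a cryptographic inventory against the 'store now, decrypt later' risk.

Added example, not from the eco article. Applies Mosca's inequality:
    shelf_life + migration_time > time_to_quantum  =>  act now.
Inventory rows are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Shor's algorithm breaks these outright (integer factoring / discrete log, incl. curves).
QUANTUM_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "EdDSA"}
# Grover's algorithm roughly halves symmetric security; 128-bit keys should grow to 256.
QUANTUM_WEAKENED = {"AES-128"}
# NIST FIPS 203/204/205 algorithms and 256-bit symmetric keys are considered quantum-safe.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES-256"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str           # key establishment or signature algorithm protecting it
    shelf_life_years: float  # how long the data must stay confidential
    migration_years: float   # realistic time to migrate this system


def classify(algorithm: str) -> str:
    """Map an algorithm name to 'safe', 'weakened' or 'broken'; unknown names are an error."""
    if algorithm in QUANTUM_SAFE:
        return "safe"
    if algorithm in QUANTUM_WEAKENED:
        return "weakened"
    if algorithm in QUANTUM_BROKEN:
        return "broken"
    # No silent default: an algorithm missing from the inventory is itself a finding.
    raise ValueError(f"unknown algorithm {algorithm!r}: classify it before deciding")


def exposed_now(asset: Asset, quantum_horizon_years: float) -> bool:
    """Mosca's inequality: X (shelf life) + Y (migration) > Z (time to quantum)."""
    return asset.shelf_life_years + asset.migration_years > quantum_horizon_years


def triage(assets: Iterable[Asset], quantum_horizon_years: float = 10.0) -> Dict[str, str]:
    """Return {asset name: 'urgent' | 'plan' | 'ok'}."""
    result = {}
    for a in assets:
        status = classify(a.algorithm)
        if status == "safe":
            result[a.name] = "ok"
        elif status == "broken" and exposed_now(a, quantum_horizon_years):
            result[a.name] = "urgent"          # ciphertext recorded today is already at risk
        else:
            result[a.name] = "plan"            # short-lived data, or only Grover-weakened
    return result


INVENTORY = [  # constructed sample data
    Asset("patient-records-archive", "RSA", shelf_life_years=30, migration_years=3),
    Asset("site-to-site-vpn", "ECDH", shelf_life_years=1, migration_years=2),
    Asset("backup-encryption", "AES-128", shelf_life_years=10, migration_years=1),
    Asset("new-internal-api", "ML-KEM", shelf_life_years=5, migration_years=0),
]

if __name__ == "__main__":
    for name, priority in triage(INVENTORY).items():
        print(f"{priority:7s} {name}")
```

The point of the horizon parameter is that the verdict for borderline systems flips between a 10 and a 15 year assumption, which is why an inventory with per-asset shelf life and migration estimates is the first deliverable of a PQC programme rather than a choice of algorithm.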
Quantum communication networks and international developments
Some countries, including China, Korea and Poland, have already set up quantum communication networks to protect themselves against future quantum attacks. Initial pilot projects are also underway in cities such as Bonn, Berlin and Frankfurt, as well as in Asian countries such as Singapore and South Korea. The EU is also working on standardising such technologies, but uniform specifications are not yet available. Since migration processes in cryptography can take many years, companies should prepare themselves at an early stage.
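Why an eavesdropper on a QKD link is detected, as claimed in the QKD bullet above, is easiest to see in a classical simulation of the BB84 protocol. The following is an added example for this page, not code from eco or from any QKD vendor or network mentioned above. It models each photon as a (basis, bit) pair: measuring in the preparation basis returns the bit, measuring in the other basis returns a random bit and leaves the photon in the measured state. Channel noise is ignored, so every error in the sifted key is attributable to the intercept-and-resend attacker. The seed, photon count and sample fraction are constructed parameters.

```python
"""BB84 quantum key distribution, simulated classically to show eavesdropper detection.

Added example; not code from the eco article or from any QKD product. Photons are
(basis, bit) pairs; a measurement in the wrong basis yields a random bit and
re-prepares the photon in the measuring basis. No channel noise is modelled.
"""
import random
from typing import Tuple

RECTILINEAR, DIAGONAL = 0, 1
QBER_ABORT_THRESHOLD = 0.11   # above roughly 11% error no secure key can be distilled


def measure(photon: Tuple[int, int], basis: int, rng: random.Random) -> int:
    """Measure a (basis, bit) photon; a mismatched basis collapses to a random bit."""
    prep_basis, bit = photon
    return bit if basis == prep_basis else rng.randrange(2)


def bb84(n_photons: int, eavesdropper: bool, rng: random.Random,
         sample_fraction: float = 0.25) -> dict:
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_photons)]
    photons = list(zip(alice_bases, alice_bits))

    if eavesdropper:
        # Eve guesses a basis per photon, measures, and re-sends what she measured.
        # Half her guesses are wrong, and each wrong guess corrupts the photon state.
        resent = []
        for photon in photons:
            eve_basis = rng.choice((RECTILINEAR, DIAGONAL))
            resent.append((eve_basis, measure(photon, eve_basis, rng)))
        photons = resent

    bob_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_photons)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Sifting over the (authenticated) classical channel: keep positions with equal bases.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Parameter estimation: publicly compare a random sample of sifted bits, then discard it.
    sample = set(rng.sample(sifted, int(len(sifted) * sample_fraction)))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    remaining = [i for i in sifted if i not in sample]
    return {
        "qber": qber,
        "aborted": qber > QBER_ABORT_THRESHOLD,   # discard the key if Eve was on the line
        "alice_key": [alice_bits[i] for i in remaining],
        "bob_key": [bob_bits[i] for i in remaining],
    }


def simulate(n_photons: int, eavesdropper: bool, seed: int = 7) -> dict:
    """Run one seeded BB84 exchange so results are reproducible."""
    return bb84(n_photons, eavesdropper, random.Random(seed))


if __name__ == "__main__":
    for tapped in (False, True):
        r = simulate(2000, eavesdropper=tapped)
        print(f"eavesdropper={tapped}: QBER={r['qber']:.3f} aborted={r['aborted']} "
              f"key bits={len(r['alice_key'])}")
```

Without Eve the quantum bit error rate (QBER) is exactly zero and both keys agree; with intercept-and-resend it settles near 25% (Eve picks the wrong basis half the time, and each wrong guess gives Bob a random bit), far above the abort threshold. Note what the simulation also makes visible: the basis announcements and the sample comparison run over a classical channel, and if that channel is not authenticated an active attacker can simply impersonate Bob, which is why the QKD bullet above insists on classical or post-quantum authentication alongside it.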
Security by design
- Security must be integrated early in development
- CRA calls for continuous updates and patch management
- Small companies face implementation problems
Ensuring product security from the outset is becoming increasingly important in the modern digital world. For certain product categories, there are now regulatory requirements such as the Cyber Resilience Act (CRA), which require companies to consistently integrate security aspects into the entire development process of their digital products. The requirements of the CRA can be implemented through the Security by Design concept.
Security by Design: An integrative approach to product security
"Security by Design" means that security is built into the development of digital products from the outset rather than bolted on afterwards. This proactive approach identifies potential weaknesses early, while the design can still change, so that they are removed before the product reaches production.
Core principles of Security by Design:
- Identification of threats: All potential threats and vulnerabilities should be analysed and taken into account right at the start of development.
- Secure data management: The handling of sensitive data must be designed to be secure from the outset, in particular through encryption and data protection measures.
- Minimisation of functions and data access: Product functionality should be limited to the bare minimum to avoid unnecessary attack surfaces.
- Fail-safe behaviour: the product must remain secure even when components fail, for example by failing closed (denying access when an authorisation check cannot be completed) and by having tested fallback and recovery procedures.
- Regular security patches and tests: Products should be continuously checked for vulnerabilities through automated security scans and penetration tests.
Cyber Resilience Act (CRA): Strengthening the resilience of products
The Cyber Resilience Act (CRA) aims to increase the resilience of products against cyber attacks. Companies must ensure that their products continuously comply with the latest security standards, that security patches are provided quickly and that potential vulnerabilities are closed regularly.
Important requirements of the CRA:
- Resilience of products: Products must be designed to be resistant to cyber attacks.
- Rapid provision of security patches: companies are obliged to fix vulnerabilities without undue delay once they are discovered, and to report actively exploited vulnerabilities (the CRA sets a 24-hour deadline for the early warning).
- Continuous updating of security standards: Companies must regularly update their products to the latest security technology.
Challenges for companies in implementing the CRA
Implementing the CRA can be a challenge, especially for smaller companies, particularly when it comes to certification and ongoing security measures. Larger companies often have special departments that deal with implementing security requirements. Smaller companies may need to seek external support or develop partnership solutions to meet the CRA requirements.
Conclusion
Companies must keep abreast of current cyber security trends in order to protect themselves effectively against the ever-growing and changing threats in the digital world. Cyber attacks are becoming increasingly sophisticated, and outdated security measures no longer offer adequate protection. Those who fail to respond in time risk not only financial damage, but also the loss of sensitive data, damage to their image and legal consequences. In addition, customers, business partners and legal requirements are increasingly demanding a high level of IT security. Continuous engagement with cyber security trends is therefore not only a technical but also a strategic success factor for every modern company.
