17.06.2026

Interview: Cyber Resilience Begins Where Traditional IT Security Ends

4 Questions for Merlin Stottmeister from Bechtle

At the meeting of the eco Security Competence Group, experts discussed cyber resilience, new regulatory requirements and the impact of increasingly professionalised cybercrime. Following the event, we spoke to Merlin Stottmeister, IT Security Consultant at Bechtle, about current threats, the role of AI on the attackers’ side and concrete measures towards greater digital resilience.

1. Cyber resilience is currently a key issue for many companies. What exactly do you understand by this, and why does traditional IT security no longer go far enough today?

Traditional IT security often focuses on preventing attacks. However, experience in recent years shows that cybercriminals repeatedly find ways to circumvent existing protective measures. Even companies with extensive security measures fall victim to data theft.

In this respect, IT security is, to some extent, an unfair game: companies have to secure as many attack surfaces as possible, while attackers often need only a single vulnerability.

Cyber resilience therefore goes one step further. It’s not only about defending against attacks, but also about detecting successful attacks at an early stage, limiting their impact and recovering from them quickly.

For example, a compromised user account must not result in terabytes of company data being exfiltrated unnoticed. Instead, unusual activity must be detected and automated countermeasures initiated – such as a temporary block or renewed multi-factor authentication.

After all, if attacks are not detected in time, the consequences can be existential. In Germany, cyberattacks have already driven companies into insolvency.

2. Attacks are becoming faster, more professional and increasingly AI-driven. Which developments are currently causing companies the greatest difficulties?

Cybercrime today operates in many areas much like a professional business. There are specialised actors dealing with stolen login credentials, malware, money laundering, support or the actual execution of attacks. Access data and tools are traded on the dark web, which other criminals can then use.

Added to this is the increasing use of AI. AI enables even less experienced attackers to deploy complex attack methods. At the same time, it boosts the speed and efficiency of professional groups.

According to CrowdStrike, the average time it takes attackers to spread further within a corporate network following an initial compromise has fallen by 70 % in recent years to just 29 minutes.

Companies therefore have to respond much faster than before. It’s no longer sufficient to check dashboards once a day. Many protection and response measures must now be automated.

Supply-chain attacks present a further challenge. In these attacks, criminals do not target the actual company directly, but instead target service providers, suppliers or other business partners. As a result, a company’s own security level increasingly depends on the weakest link in the supply chain.

3. NIS2, the Cyber Resilience Act and other regulations are increasing the pressure to act. What specific changes will this bring to day-to-day business operations, and where do you see particular challenges for SMEs?

NIS2 and the Cyber Resilience Act are ensuring that cybersecurity is once again receiving greater attention in companies. Managing Directors are personally liable, reporting obligations are being extended, and security measures must be documented in a traceable manner.

This is a major challenge, particularly for SMEs – not because of a lack of awareness of the issue, but due to limited human and financial resources. Often, specialised teams capable of systematically implementing regulatory requirements are absent.

At the same time, SMEs are often part of critical supply chains and are therefore affected by regulatory requirements without always being aware of it.

The real challenge is therefore not to regard compliance as an end in itself, but to combine regulatory requirements with genuine security improvements.

4. What should companies tackle first in order to remain capable of acting in an emergency and to strengthen their cyber resilience over the long term?

The first step is transparency. Companies should identify their greatest risks and assess their cyber resilience in a structured manner. This is not about creating additional bureaucracy, but about being able to prioritise measures in a targeted manner.

This also includes keeping staff up to date with the latest security awareness training. Instead of standardised mandatory training, the focus should be on current threats such as infostealer malware, deepfakes and identity misuse.

Equally important is the continuous monitoring of user and service accounts. Automated systems should detect and assess suspicious behaviour. Dark web monitoring can also help to identify stolen login credentials at an early stage.

Log data is another factor that is often underestimated. In an emergency, it provides the basis for reconstructing attacks and assessing their impact. If this information is missing or has been manipulated, the investigation becomes considerably more difficult.

Last but not least, companies should have tested contingency plans in place, as well as a robust backup strategy incorporating offline backups. What is crucial here is not only the existence of such measures, but also their regular testing in real-world scenarios.
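The account monitoring described in answers 1 and 4 (a compromised account must not exfiltrate data unnoticed; automated systems should detect and assess suspicious behaviour), as an added example that is not part of the original interview or of any Bechtle tooling: a small Python check learns each user's download volume and source IPs from a baseline day, then flags a later volume spike or a previously unseen IP and maps the number of signals to an automated response (renewed MFA or a temporary block). The log format, the sample lines, the tenfold ratio and the response ladder are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the original page): one line per
# authenticated download, with timestamp, user, client IP and bytes sent.
SAMPLE_LOG = """\
2026-06-16T09:02:11Z user=alice ip=10.1.2.3 action=download bytes=5242880
2026-06-16T10:14:02Z user=alice ip=10.1.2.3 action=download bytes=3145728
2026-06-16T11:40:51Z user=bob ip=10.1.2.9 action=download bytes=1048576
2026-06-17T02:11:09Z user=alice ip=198.51.100.7 action=download bytes=42949672960
2026-06-17T02:12:30Z user=alice ip=198.51.100.7 action=download bytes=21474836480
2026-06-17T08:05:00Z user=bob ip=10.1.2.9 action=download bytes=2097152
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"action=\S+ bytes=(?P<bytes>\d+)$")
# Assumed response ladder: one signal forces fresh MFA, two signals block the
# account until an analyst has reviewed it.
RESPONSE = {1: "require_mfa", 2: "temporary_block"}

def parse(log):
    """Yield (day, user, ip, bytes) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"][:10], m["user"], m["ip"], int(m["bytes"])

def assess(log, baseline_day, ratio=10.0):
    """Learn each user's volume and source IPs on baseline_day, then flag any
    later activity exceeding ratio x that volume or coming from an unseen IP.
    Returns {user: (signals, response)} for users that triggered a signal."""
    base_bytes, known_ips = defaultdict(int), defaultdict(set)
    seen_bytes, seen_ips = defaultdict(int), defaultdict(set)
    for day, user, ip, nbytes in parse(log):
        if day == baseline_day:
            base_bytes[user] += nbytes
            known_ips[user].add(ip)
        elif day > baseline_day:  # ISO dates compare correctly as strings
            seen_bytes[user] += nbytes
            seen_ips[user].add(ip)
    findings = {}
    for user, total in seen_bytes.items():
        signals = []
        if base_bytes[user] and total > ratio * base_bytes[user]:
            signals.append("volume_spike")
        if seen_ips[user] - known_ips[user]:  # IP never seen during baseline
            signals.append("new_source_ip")
        if signals:
            findings[user] = (signals, RESPONSE[len(signals)])
    return findings
```

Calling `assess(SAMPLE_LOG, "2026-06-16")` flags only alice, whose overnight downloads from an unseen address trip both signals and therefore the temporary block, while bob's doubled but ordinary volume from his usual address is left alone.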
