- The security situation can change quickly; companies should track it closely
- Contingency plans ensure maximum business continuity in times of crisis
- Check IT supply chains for dependencies now
With the start of the war in Ukraine, critical infrastructure, businesses, and government agencies there became targets of cyberattacks. According to estimates by the German Federal Office for Information Security (BSI) and eco – Association of the Internet Industry, Germany has not – yet – become a greater target of cyberattacks. “This situation assessment could change at very short notice, and targeted as well as massive cyberattacks could severely compromise cybersecurity at any time,” says Prof. Norbert Pohlmann, Board Member for IT Security at the eco Association. “Steps needed now include keeping an eye on the situation, reducing the attack surface, and reviewing contingency plans to ensure one’s ability to act in the event of an attack.”
European IT security vendor ESET has already recorded increased cyberattacks on Ukrainian government facilities, critical infrastructure and industrial complexes since 2014. “In the run-up to the Russian invasion, we saw a significant increase in cyberattacks in Ukraine,” said ESET spokesperson Thorsten Urbanski. “Unfortunately, we have to assume that if the conflict escalates further, Germany will be the focus of more state-motivated cyberattacks than before. It cannot be ruled out that computer systems of smaller utilities, such as local energy providers, have already been successfully infiltrated with malicious code.”
To be prepared for all eventualities, eco recommends that companies review their existing protective measures now and expand them if necessary:
- Check basic protection – reduce attack surfaces
Companies should take the current situation as an opportunity to review their existing basic measures for protection against cyberattacks. Like a digital spring clean, all IT systems should be brought up to date with patches, closing known vulnerabilities through which attacks could take place. This applies both to centrally administered servers and to all end devices. Assigned rights and external access to the company network should also be critically reviewed for necessity: accounts of employees who have left, or accesses set up for testing, are often not fully removed and then provide a backdoor for attackers. Restricting communication paths with firewall rules, so that only the ports and destinations actually needed are reachable, also reduces the potential attack surface.
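As an added example (not part of the eco text), the following Python script audits a constructed account export for the leftovers the paragraph describes: accounts of people who have left, test accounts, and accounts that have not been used for a long time. The CSV layout, the leaver list, the naming pattern for test accounts and the 90-day threshold are assumptions made for the illustration.

```python
"""Audit an account export for leaver, test and long-inactive accounts.

Added example; the export layout and thresholds are assumptions, not eco guidance.
"""
import csv
import io
import re
from datetime import date, datetime

# Constructed sample export (not real data): username,last_login,enabled,description
SAMPLE_EXPORT = """\
username,last_login,enabled,description
alice,2022-03-01,yes,Engineering
bob,2021-09-15,yes,Sales
test_vpn,2021-11-20,yes,temporary VPN test access
svc-backup,2022-02-28,yes,Backup service account
carol,,yes,Contractor
dave,2022-02-20,no,Left company (already disabled)
"""

# Constructed HR leaver list: these people no longer work for the company
LEAVERS = {"bob"}

# Assumed naming convention for throwaway accounts
TEST_PATTERN = re.compile(r"^(test|tmp|temp)[_-]|[_-](test|tmp)$", re.IGNORECASE)

# Fixed reference date for the sample so the result is reproducible
REFERENCE_DATE = date(2022, 3, 10)


def parse_export(text):
    """Read the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(rows, leavers, today, max_idle_days=90):
    """Return {username: [reasons]} for every enabled account that should be reviewed."""
    findings = {}
    for row in rows:
        user = row["username"]
        if row["enabled"].strip().lower() != "yes":
            continue  # disabled accounts are no longer a live attack surface
        reasons = []
        if user in leavers:
            reasons.append("user has left the company")
        if TEST_PATTERN.search(user) or "test" in row["description"].lower():
            reasons.append("looks like a test account")
        if not row["last_login"]:
            reasons.append("never logged in")
        else:
            last = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
            idle = (today - last).days
            if idle > max_idle_days:
                reasons.append(f"inactive for {idle} days")
        if reasons:
            findings[user] = reasons
    return findings


def run_sample_audit():
    """Run the audit over the constructed export with the fixed reference date."""
    return audit_accounts(parse_export(SAMPLE_EXPORT), LEAVERS, REFERENCE_DATE)


if __name__ == "__main__":
    for user, reasons in run_sample_audit().items():
        print(f"{user}: {'; '.join(reasons)}")
```

The script deliberately skips accounts that are already disabled and reports every reason for each remaining account, so a leaver account that is also long inactive shows up once with both reasons. On a real system the export would come from the directory service or identity provider, and the leaver list from HR.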
- Mitigate outages
In the event of large-scale cyberattacks, there may also be short-term infrastructure outages. The Internet as a whole is designed with redundancy, but within the company it is important to check which areas have increased requirements for fail-safety. Uninterruptible power supplies and emergency generators should be tested regularly for proper functioning, which also means keeping an adequate stock of the operating materials they need, such as sufficient diesel. Short-term disruptions to Internet connectivity are also possible. Where requirements are higher, a second, redundant connection should be considered, using a different technology (for example a mobile-network link alongside a fixed line) if necessary.
- Create awareness for the special situation
In the event of increased cyberattacks, attackers can be expected to use phishing emails in an attempt to gain access to corporate systems. Employees should be sensitised to such attacks so that they can recognise these emails, and awareness should be kept high. This is especially important when many colleagues working from home are cut off from the usual office grapevine.
- Have internal and external resources ready
In an emergency, companies need qualified personnel on site. This requires both planning for a replacement in the event of an unexpected employee absence and ensuring the availability of your IT specialists. The responsibilities of your IT employees should be clearly defined and known. Responsibilities and accountabilities should also be recorded in writing in an emergency plan so that there are no organisational misunderstandings in the event of an IT attack. Remember that an external service provider may not always be able to respond promptly to an incident, so prepare your employees to be able to act without external support.
- Monitor network traffic for anomalies
Unusual network activity is a clear alarm signal. React to warnings from your monitoring software, or, if you have handed over monitoring of your network to an external service provider, make sure that the provider reacts and informs you. Remote systems, such as employees’ mobile workstations or communication devices, are particularly at risk here. Such accesses should always be protected by suitable measures, for example a VPN combined with multi-factor authentication, and should be specially monitored. The individual privileges for users and for end devices can be clearly defined in policies, and compliance with them can be checked. Employees who need to work with administrative rights should have a separate login for each role, so that everyday work is never done with an administrative account. Strict separation of roles and restriction of network rights to what each role actually needs considerably strengthen the security level. External services must also be critically evaluated and secured. In principle, external connections to internal systems should only be enabled from specified IP addresses or via VPN, and in both cases protected by multi-factor authentication. Appropriate monitoring of these accesses helps to detect misuse of the connections at an early stage.
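An added example, not from the article: detection logic in Python that applies the rules above to constructed VPN gateway log lines. It flags successful logins without MFA, administrative roles used from an everyday login, partner accounts connecting from outside their agreed address range, and bursts of failed logins from one address. The log format, the `adm-` prefix for administrative accounts, the per-partner allowlist and the failed-login threshold are assumptions.

```python
"""Flag anomalous remote-access events in VPN gateway log lines.

Added example; the log format and the rules' parameters are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real gateway): timestamp, source tag, key=value fields
SAMPLE_LOG = """\
2022-03-08T07:12:03Z vpn user=alice src=203.0.113.10 mfa=yes result=ok role=user
2022-03-08T07:13:40Z vpn user=adm-alice src=203.0.113.10 mfa=yes result=ok role=admin
2022-03-08T07:15:02Z vpn user=bob src=198.51.100.77 mfa=no result=ok role=user
2022-03-08T07:16:10Z vpn user=carol src=192.0.2.200 mfa=yes result=ok role=admin
2022-03-08T07:20:01Z vpn user=partner-svc src=198.51.100.5 mfa=yes result=ok role=partner
2022-03-08T07:21:00Z vpn user=dave src=192.0.2.50 mfa=yes result=fail role=user
2022-03-08T07:21:05Z vpn user=dave src=192.0.2.50 mfa=yes result=fail role=user
2022-03-08T07:21:09Z vpn user=dave src=192.0.2.50 mfa=yes result=fail role=user
2022-03-08T07:21:14Z vpn user=dave src=192.0.2.50 mfa=yes result=fail role=user
2022-03-08T07:21:20Z vpn user=dave src=192.0.2.50 mfa=yes result=fail role=user
"""

# Assumed policy: partner accounts may only connect from their agreed address ranges
PARTNER_ALLOWLIST = {"partner-svc": ["203.0.113.0/24"]}
# Assumed naming convention: administrative logins are separate accounts with this prefix
ADMIN_PREFIX = "adm-"

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn (?P<fields>.+)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("fields").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_anomalies(lines, partner_allowlist=PARTNER_ALLOWLIST, admin_prefix=ADMIN_PREFIX,
                     fail_threshold=5, fail_window=timedelta(minutes=5)):
    """Return (user, src, reason) tuples for events that violate the access policy."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["result"] == "ok":
            if ev["mfa"] != "yes":
                alerts.append((user, src, "successful login without MFA"))
            if ev["role"] == "admin" and not user.startswith(admin_prefix):
                alerts.append((user, src, "admin role used from a non-admin login"))
            if user in partner_allowlist:
                addr = ipaddress.ip_address(src)
                allowed = (ipaddress.ip_network(n) for n in partner_allowlist[user])
                if not any(addr in net for net in allowed):
                    alerts.append((user, src, "partner login from an address outside its allowlist"))
        else:
            # Keep only failures inside the sliding window, then check the burst threshold
            recent = [t for t in failures[src] if ts - t <= fail_window] + [ts]
            failures[src] = recent
            if len(recent) == fail_threshold:
                alerts.append((user, src, f"{fail_threshold} failed logins within {fail_window}"))
    return alerts


def run_sample_detection():
    """Run the rules over the constructed log."""
    return detect_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for user, src, reason in run_sample_detection():
        print(f"ALERT {user} from {src}: {reason}")
```

Over the sample, `alice` and `adm-alice` produce no alerts because the everyday and administrative roles are used from separate logins with MFA; the other four accounts each trigger exactly one rule. The burst rule fires once when the threshold is reached rather than on every further failure, which keeps a single brute-force attempt from flooding the alert queue.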
- Emergency plans
With the help of a contingency plan, companies can respond immediately to attacks on or outages of their IT systems and thus minimise downtime. The plan defines the rules and measures to be taken in an emergency, names the responsible persons, and provides a checklist with instructions for action. The eco IT security survey shows that emergency planning is one of the top security topics for companies (eco IT Security Survey 2022: Companies respond to tense cybersecurity situation). But so far, only 63 per cent of companies have actually implemented such an emergency plan.
A backup is an elementary protective measure against attacks: it ensures that data can be recovered in an emergency and that business operations can continue or be resumed. An efficient and, above all, proven backup strategy is therefore a “life insurance” policy for a company. Proven means that restores are actually rehearsed, not merely that backup jobs report success, and that at least one copy is kept where an attacker who has compromised the network cannot alter or delete it.
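As an added example that is not part of the original text, the following Python script shows what a rehearsed restore looks like: it records a SHA-256 manifest of the source files, writes a backup archive, restores it into a scratch directory and compares every restored file with the manifest. The sample files and the second backup job, which silently skips a directory, are constructed for the illustration.

```python
"""Prove a backup by restoring it and checking every file against a manifest.

Added example; the sample files and the faulty backup job are constructed.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root, archive, exclude=()):
    """Write a tar.gz of root; exclude lists relative path prefixes to skip."""
    root = Path(root)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and not any(rel.startswith(e) for e in exclude):
                tar.add(p, arcname=rel)


def verify_restore(archive, manifest):
    """Restore into a scratch directory and compare with the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    """
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Never let an archive write outside the restore directory
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    return [f"unsafe path in archive: {member.name}"]
            if hasattr(tarfile, "data_filter"):  # Python 3.12+ and security backports
                tar.extraction_filter = tarfile.data_filter
            tar.extractall(restore_dir)
        restored = build_manifest(restore_dir)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in sorted(restored.keys() - manifest.keys()):
            problems.append(f"unexpected file restored: {rel}")
    return problems


def demo_restore_test():
    """Constructed data: one complete backup and one whose job silently skipped db/."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "db").mkdir(parents=True)
        (src / "config.ini").write_text("[server]\nport=8443\n")
        (src / "db" / "state.sqlite").write_bytes(os.urandom(2048))
        manifest = build_manifest(src)
        good, bad = Path(work, "good.tar.gz"), Path(work, "bad.tar.gz")
        create_backup(src, good)
        create_backup(src, bad, exclude=("db/",))
        return {"complete": verify_restore(good, manifest),
                "partial": verify_restore(bad, manifest)}


if __name__ == "__main__":
    for name, problems in demo_restore_test().items():
        print(f"{name}: {'PASS' if not problems else '; '.join(problems)}")
```

Both backup jobs finish without error, yet only the first passes the restore test; the second reports the database file that was never archived. That gap is exactly what a restore rehearsal is meant to find before an incident does. In a production setting the manifest would be stored separately from the backup, and the scratch restore would be run on a machine that is not the one being backed up.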
- IT supply chains
Attacks on software or IT service providers can also be used to attack their customers. It is therefore necessary to prevent a compromised partner from taking over or compromising the company’s own IT infrastructure. Ensure that only authorised applications can run (application allow-listing), and define policies for integrating third-party code and for installing external updates, for example by verifying an update’s signature or published checksum before it is deployed. Also monitor incoming network traffic from partners for irregularities. The strict security policies that govern your own network access should apply equally to partners. Bear in mind, too, that physical supply chains can be affected by attacks, and plan in advance how to deal with such an attack.
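An added example, not from the article: a Python check that refuses to deploy a downloaded update unless its SHA-256 digest matches an entry that was recorded, in the `sha256sum` output format, when the release was approved for rollout. The artifact bytes and the approved list are constructed; the second list entry is a placeholder digest so that the parser handles more than one line and the `*` binary-mode marker.

```python
"""Refuse to deploy a downloaded update unless it matches an approved SHA256SUMS entry.

Added example; the artifact bytes and the approved list are constructed.
"""
import hashlib
import hmac

HEX = set("0123456789abcdef")

# Constructed stand-in for a vendor update package (not a real file)
GOOD_ARTIFACT = b"PK\x03\x04 constructed stand-in for agent-1.4.2-windows-amd64.zip"

# In practice these lines are copied from the vendor's signed SHA256SUMS file when the
# release is approved. Here the first entry is derived from GOOD_ARTIFACT and the second
# is a placeholder digest in the '*name' (binary mode) form.
APPROVED_SUMS = (
    f"{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}  agent-1.4.2-windows-amd64.zip\n"
    f"{'0' * 63}1 *agent-1.4.2-linux-amd64.tar.gz\n"
)


def parse_sha256sums(text):
    """Parse sha256sum output ('<hex>  name' or '<hex> *name') into {name: hex}."""
    approved = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")  # '*' marks binary mode in coreutils output
        if len(digest) != 64 or set(digest) - HEX or not name:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {raw!r}")
        approved[name] = digest
    return approved


def verify_update(name, data, approved):
    """Return (ok, reason). An artifact that is not on the list is rejected outright."""
    expected = approved.get(name)
    if expected is None:
        return False, "artifact not in approved list"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


def demo_update_check():
    """Genuine, tampered (one bit flipped) and unlisted artifacts against the approved list."""
    approved = parse_sha256sums(APPROVED_SUMS)
    tampered = GOOD_ARTIFACT[:-1] + bytes([GOOD_ARTIFACT[-1] ^ 0x01])
    return {
        "genuine": verify_update("agent-1.4.2-windows-amd64.zip", GOOD_ARTIFACT, approved),
        "tampered": verify_update("agent-1.4.2-windows-amd64.zip", tampered, approved),
        "unlisted": verify_update("agent-1.4.3-windows-amd64.zip", GOOD_ARTIFACT, approved),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo_update_check().items():
        print(f"{case}: {'deploy' if ok else 'REJECT'} ({reason})")
```

The important design choice is that an unlisted artifact is rejected, not merely warned about: a compromised vendor or mirror that ships a new version number must not bypass the check simply because nobody has recorded a digest for it yet. Pinning the digest at approval time also means a later silent replacement of the file on the vendor's download server is caught, which a check against whatever checksum the server currently publishes would miss.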