Information security only works with a holistic approach
Thanks to advancing digitalization, companies benefit from the increasing networking of their systems and from developments such as automated production. At the same time, the dangers are growing: more and more companies are becoming victims of hacker attacks.
Interview with Florian Goldenstein, Head of IT-Security, Konica Minolta IT Solutions GmbH
Mr. Goldenstein, what security risks are companies currently facing?
In recent times, criminals have increasingly succeeded in penetrating corporate networks via weak points. Whereas in the past a virus was only supposed to cause damage, today intelligent malware aims to remain undetected for as long as possible and to extract as much data and information as possible. Ransomware is also dangerous: with this blackmail software, data is complexly encrypted by hackers and only released for ransom. The damage caused by these attacks is already in the multimillions.
It is also conceivable that hackers could paralyze entire production facilities in companies, in the worst case even critical infrastructures on a national level. Attacks are becoming more and more sophisticated and more difficult to trace. In addition, criminals are using the advantages of artificial intelligence for their activities. The associated danger is that companies affected will suffer major financial losses. Small companies are even threatened with bankruptcy. There is also the threat of serious damage to their image. The situation is therefore threatening.
Can medium-sized and smaller companies still lull themselves into security because they are not interesting for criminals?
No, not at all. It is no longer the question of whether a company will be attacked, but when. Regardless of the size of the company. Large companies have become better and better prepared for cyber attacks. In the past, data loss or costs due to ransomware extortion were too painful. This is why cyber criminals are increasingly focusing on small and medium-sized enterprises (SMEs) and networked control devices in the IoT sector where they expect a less sophisticated security infrastructure. In this way, they hope for a higher chance of success for their attacks. The potential victims must therefore become aware of the adapted strategies of the attackers and, due to the frequent lack of human resources and insufficient know-how, look for experts to support them in effectively and efficiently protecting their company.
Where do you see the greatest dangers?
The fundamental problem is that many managers in companies have not yet developed an awareness of the existing dangers and do not consider and approach security strategically. This often leads to no or wrong security solutions being available or existing ones not being used correctly due to a lack of know-how. Further sources of danger are missing access controls and regulations to the network or insufficient password guidelines. Multifunctional systems are often underestimated, which are usually integrated into the corporate network and can contain confidential data on integrated hard disks and main memories. Without access control and security certificates, they are easy targets. The same applies to video surveillance cameras, which often hang on the network unnoticed and without adequate protection. Another major vulnerability is the human factor: lack of security awareness causes attachments infected with malware to be opened, dangerous links to be clicked or passwords to be used that are easy to decrypt.
That sounds like a lot of building sites. How can companies address this challenge properly and protect themselves from security risks?
Today’s cyber threats can no longer be contained by a simple collection of security products. It is important to take a strategic approach. This means viewing corporate security as a 360-degree project and checking all security-relevant areas - from infrastructure and information security to multifunctional systems and video security for buildings, the environment and production - for weak points and creating transparency. This is the only way for companies to discover systems worth protecting, security gaps and incidents that are otherwise easily overlooked. Greater transparency shortens response times, increasing security levels and reducing the risk of potential damage. It is important to start with a detailed analysis, i.e. answer the questions “What do we need to protect and where can we be attacked?” Only then does a suitable, individualized security system with strategically placed solutions and continuous monitoring make sense.
What does the concrete procedure look like? Is there a standard solution?
There is no one-size-fits-all solution for optimum security. Depending on the company, an individual mix of measures is necessary to successively increase security. Ideally, you start with an ACTUAL analysis at the beginning. Based on this analysis, companies and corresponding security service providers have a clue as to the challenges they are confronted with. A so-called penetration test (pentest) is helpful here. This allows the hardship case to be simulated under conditions that are as realistic as possible. The pentest shows how well the protection mechanisms already in place work. The analysis then focuses, among other things, on the organizational basics, employee sensitization, basic security (e.g. firewall, antivirus, etc.), access to the network, mobile systems, admin & user authorizations, encryption concept, IoT, logging or security in virtual environments.
What steps will be taken after the analysis?
The analysis gives us an overview of existing security gaps. On this basis, a comprehensive concept is developed that includes all participants, systems and processes - including an emergency plan with a precise definition of who, when and what to do in the event of an attack. In the downstream process, the identified weak points can now be closed step by step and with suitable measures in order to achieve the target state. This defines how external access to the respective company is to be secured and how companies can meet existing audit and documentation requirements. On the one hand, it is necessary to implement the appropriate security solutions in the company environment as smoothly as possible for the respective case. These can be new IT security solutions such as AV or firewall solutions or security concepts for multifunctional systems or video security systems. On the other hand, encryption and authorization concepts must be created. In addition, the large number of companies requires the introduction of processes that are prescribed by legislation. At present, for example, several companies are still struggling to meet the requirements of the latest Basic Data Protection Regulation. Here, too, external help is necessary in most cases.
Apart from the technical and organizational side, is there anything else to consider?
A very central point is the human factor, through which - consciously or unconsciously - a large number of security breaches occur. This makes it all the more important to create appropriate awareness. Security training courses, for example, help to raise awareness among employees and reduce human error. Classic examples are not to click without hesitation on all attachments and links in e-mails or to use 1,2,3,4,5 or one’s own date of birth as a password. Technical measures such as sensible network segmentation and strict access controls and authorization concepts for access to devices, machines and data can contribute to a noticeable increase in corporate security.
Are companies completely protected?
No one can guarantee absolute security, as new vulnerabilities are constantly emerging that can be used as gateways by cyber criminals. This makes it all the more important to take a holistic, sustainable and continuous approach to security. This means that management, IT and specialist departments as well as production must work closely together and understand this holistic protection as a process that also requires its annual “update.” The IT security environment of companies must not only constantly withstand new attacks from outside; changes are also constantly taking place within the company, such as through the use of new hardware systems or software updates. Such changes to systems and processes make it necessary to continually re-evaluate the overall condition and to initiate the necessary measures. Of course, this also applies if a company has become a victim of a cyber attack. But even without a current reason, regular analysis should take place as part of the 360-degree approach. In this process, which exceeds the know-how and resources of most companies, experienced consultants and service providers such as Konica Minolta can help to address the highly complex issues of comprehensive corporate security.
About Konica Minolta Business Solutions Europe
Konica Minolta Business Solutions Europe GmbH, based in Langenhagen, Germany, is a wholly owned subsidiary of Konica Minolta Inc., Tokyo, Japan. Konica Minolta enables its clients to champion the digital era: with its unique imaging expertise and data processing capabilities, Konica Minolta creates relevant solutions for its customers and solves issues faced by society. As a provider of comprehensive IT services, Konica Minolta delivers consultancy and services to optimise business processes with workflow automation. The company further offers its customers solutions and managed services in the field of IT infrastructure and IT security as well as cloud environments. With regard to its office printing solutions, ‘IDC MarketScape: Western Europe Smart Multifunctional Peripheral 2018 Vendor Assessment’ stated that Konica Minolta is ‘recognised globally as a leading smart MFP provider of note’. As a strong partner for the professional printing market, Konica Minolta offers business consulting, state-of-the-art technology and software and has established itself as the production printing market leader for more than a decade in Europe, Central Asia, the Middle East and Africa (InfoSource). In the healthcare sector, Konica Minolta drives digitalisation of clinical workflows and offers a broad range of next-level diagnostic solutions. Its Business Innovation Centre in London and four R & D laboratories in Europe enable Konica Minolta to bring innovation forward by collaborating with its customers as well as academic, industrial and entrepreneurial partners. For its solutions that combine ‘smart service with smart technology’, Konica Minolta was awarded the prestigious ‘Buyers Lab PaceSetter Award for Outstanding Serviceability 2018/2019’ from Keypoint Intelligence. Konica Minolta Business Solutions Europe is represented by subsidiaries and distributors in more than 80 countries in Europe, Central Asia, the Middle East and Africa. 
With almost 10,300 employees (as of April 2019), Konica Minolta Europe earned net sales of over EUR 2.39 billion in financial year 2018/19.