Is IT security all hype?

Why companies find IT security so difficult

November 26, 2021, Thomas Tschersich

IT security concerns everyone

SolarWinds, Kaseya, Colonial Pipeline, or the attack on the Anhalt-Bitterfeld district: in companies, fear of a cyberattack is growing. So is the hope of finding powerful allies in blockchain and AI. Forget it.

Buzzword bingo does not help anyone

I am a nerd. When I dive into the digital world, I can completely lose track of time. New digital technologies excite me. But it annoys me when many people are simply playing buzzword bingo. When we have to tackle words like blockchain, AI, or the edge cloud in a single sentence to make any sense of it. On the topic of cybersecurity, I actually find this careless. No, companies do not need artificial intelligence to secure their computers and applications. They do not need to wait for blockchain technologies to protect their data against unauthorized external access. They just need to do their homework.

Fixing security vulnerabilities

Companies do not need to grapple with digital hype topics to achieve a high level of security. However, potential threats should not be ignored. The most common attacks are still automated attacks. Cybercriminals make it easy for themselves in this way and exploit well-known security vulnerabilities in servers or web applications. Comparatively speaking, there is little effort required to protect against the majority of attacks. Well-known processes and technologies are all that is needed for this – you just need to make use of them. More quickly and with a greater sense of urgency than before. 

If we immediately carry out security updates when prompted, we can definitely reduce vulnerability to attacks by 95 percent. This applies to private users as much as the business world.

Thomas Tschersich

Install security patches quicker

According to our findings, it takes German companies an average of 150 days to go from the discovery of a vulnerability to the installation of a security patch. That constitutes 3,600 hours in which a potential attacker can view your systems and copy or encrypt your data. They do not even need to sneak in the back door, as the lack of action invites them directly in. 

Latest example: a security vulnerability was discovered in Microsoft’s Exchange servers on December 10. Microsoft provided a patch at the beginning of March that companies could use to correct the vulnerability. Nevertheless, thousands of Exchange servers have been compromised since March. According to Germany's Federal Office for Information Security, several federal agencies have been affected. And there are even thousands of computers worldwide that are still infected with the Conficker worm, a dinosaur from 2008. Why? Because many companies are unfortunately too careless in patching their systems.
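The discovery-to-installation interval cited above can be measured directly from a patch inventory. The following Python sketch is an added example, not code from the author or Deutsche Telekom; the record layout, the host and advisory names, and the 30-day target are assumptions, and the sample rows are constructed.

```python
from datetime import date
from statistics import mean

# Constructed sample inventory: one row per host and advisory (placeholder names).
# "installed" stays None while the patch is still missing.
RECORDS = [
    {"host": "mail01", "advisory": "ADVISORY-A", "disclosed": date(2021, 3, 2), "installed": date(2021, 3, 9)},
    {"host": "web01", "advisory": "ADVISORY-A", "disclosed": date(2021, 3, 2), "installed": date(2021, 7, 30)},
    {"host": "file01", "advisory": "ADVISORY-A", "disclosed": date(2021, 3, 2), "installed": None},
    {"host": "db01", "advisory": "ADVISORY-B", "disclosed": date(2021, 11, 9), "installed": None},
]
TARGET_DAYS = 30  # assumed internal patch deadline, not a figure from the article


def exposure_days(rec, today):
    """Days a host was, or still is, exposed to a publicly known vulnerability."""
    end = rec["installed"] or today  # unpatched hosts are exposed until today
    return max(0, (end - rec["disclosed"]).days)  # patched before disclosure: no window


def patch_latency_report(records, today, target_days=TARGET_DAYS):
    """Summarise patch latency, counting hosts that are still unpatched."""
    patched = [exposure_days(r, today) for r in records if r["installed"]]
    everything = [exposure_days(r, today) for r in records]
    overdue = [(r["host"], r["advisory"], exposure_days(r, today))
               for r in records
               if r["installed"] is None and exposure_days(r, today) > target_days]
    return {
        # Averaging only finished patches hides hosts that were never patched.
        "mean_days_patched_only": mean(patched) if patched else None,
        "mean_days_including_open": mean(everything) if everything else None,
        "total_exposure_hours": sum(everything) * 24,
        "overdue_unpatched": sorted(overdue, key=lambda row: -row[2]),
    }


if __name__ == "__main__":
    for key, value in patch_latency_report(RECORDS, today=date(2021, 11, 26)).items():
        print(f"{key}: {value}")
```

The gap between the two means shows why a time-to-patch figure computed only over completed installations understates exposure: the hosts that matter most are the ones with no installation date at all.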

Security: a question of psychology

IT security for me is above all a question of psychology. We need to raise awareness for its importance in companies. Security teams should motivate their colleagues to support security efforts. How can a good level of motivation be identified? In how employees react when a window appears suggesting a security update during working hours. As security personnel, it is only when the majority immediately click on “Install now” that we have done our job correctly. Or when we simplify the whole procedure: at Deutsche Telekom, we are moving towards simply installing critical security updates automatically.

The statistical probability of falling victim to hacking can never be reduced to zero. But we can considerably reduce it.

Thomas Tschersich

1. Build up the security awareness of your employees

Familiarize your teams with the topic of security. You should see yourselves as trainers of employees and management. Offer guidance and support. Motivate your employees to report errors. At Deutsche Telekom we value short lines of communication and have therefore set up a dedicated CERT inbox for error and risk reports. 

2. Update your technology

Are you still using outdated operating systems? Are you keeping an eye on your shadow IT? Is your technology current, standardized, and simple? Poorly configured infrastructures are also a risk factor.

3. Invest in offline backups

You should protect your most important data with a backup. This backup must be continually updated. Under no circumstances should you connect it to the company network. Otherwise, attackers could encrypt it as well.

4. Check your processes

Security certificates alone do not provide sufficient protection. You need to check regularly whether the processes necessary for cybersecurity are established. Only when security is simple and integrated can it be effective, instead of simply being an add-on.

5. Monitor your systems

Almost every system records log data from which you can quickly and easily identify deviations from the norm. Using this data, companies can identify an attacker’s first steps early on. But this log data cannot help if no one looks at it.

6. Establish incident management

One hundred percent protection against a cyberattack does not exist. For this reason, you should limit potential consequences with an emergency plan. Practice this regularly, so that your company does not lose time in the case of an emergency. We have had good experiences with this at Deutsche Telekom: we were never in crisis mode during the pandemic because we had incorporated experiences from the swine flu outbreak into our emergency plans.

Jobs in IT security

Want to do away with buzzword bingo and focus on IT security? Then join our IT security team and work with us to make our customers’ businesses more secure.

About the author

Thomas Tschersich

Chief Security Officer, Deutsche Telekom AG
