Cyberattacks – How they happen and how companies can protect themselves against them

"It's not a question of if, but when it happens" — a statement that comes up again and again in connection with cyber attacks. Bettina Zimmermann, expert for crisis management and security as well as guest speaker at Rochester-Bern Executive Programs, explains what an attack means and how companies react correctly.

Cyber attacks have increased. Reasons include the Corona pandemic and the Ukraine war. “During the Corona pandemic, many companies introduced home offices before all the security measures were ready,” says Zimmermann. This left security gaps that are now being exploited by hackers. Since the start of the Ukraine war, there has also been a fear of cyberattacks from Russia in European countries. “Cyberattacks in this context can be a form of war,” Zimmermann says.

The Course of an Attack

Hackers usually do not select a company specifically, but look for security gaps. Once they have found gaps, they launch attacks. If the attack is successful, the ransomware – the malicious program – then spreads throughout the company’s IT system without the victim noticing. In today’s so-called double extortion attacks, corporate data is first siphoned off and then encrypted. Over time, victims often discover, for example, that they can no longer log into certain programs. What follows is the horror of any company management: the data is encrypted and an extortion letter is found on the server or displayed as a pop-up.

If the attacked company has a back-up that can be successfully restored and therefore does not respond to the extortionists’ demand, the hackers go into the second round and threaten to publish the extracted data. “On the one hand, this can become a data protection problem, and on the other hand, it can lead to major reputational damage,” Zimmermann said. Meanwhile, there is also the triple extortion attack: in this case, the data is siphoned off and encrypted, and systems are additionally paralyzed with DDoS attacks.

Prepare Well and Respond Correctly

“Cyber attacks must be included and assessed in risk management. Responsibility for risk management lies with the board of directors,” says Zimmermann. To keep IT up to date, a regular security audit is necessary: Are employees trained regarding security risks? Are updates carried out promptly? Does the company have efficient password management? Are back-ups regularly restored for checking? It is also advantageous if the crisis team has already been defined before an emergency occurs. “I recommend a crisis team that is as small as possible, but as large as necessary. It should be built up in line with the company’s structure. It is important to have decision-makers on board who cover the various company-specific areas of expertise,” says Zimmermann. In relation to the crisis team, the board of directors usually takes on the role of the fallback level. “Crisis management is basically an operational issue. However, the board of directors should be regularly informed so that it is aware of the progress of crisis management and can get involved if necessary, for example if it affects strategic issues,” says Zimmermann.

Once the emergency has arrived, the first thing to do is to take the IT off the grid so that the ransomware does not spread any further. The crisis team should be convened immediately, as the questions that arise in the event of a cyber attack in the company are sometimes among the most complex. Regarding communication, Zimmermann advises restraint. “Stakeholders are usually only informed if they are personally affected, and any outward information to the media/public should be well considered and weighed. I would also be careful with the wording: Do we have to speak of a cyber attack? Or can we also call it an IT incident?”, says Zimmermann. After the attack, the vulnerabilities should be remedied and fundamental lessons learned from the incident so that IT security can be improved.

Other Threats Should not be Overlooked

“There is a lot of talk about cyberattacks right now, and the threat is real. But there are also other dangers that should be included in risk management. I am thinking in particular of supply chain difficulties, artificial intelligence or future quantum computers,” says Zimmermann. All these topics offer new opportunities as well as security risks. Executives and board members are therefore advised to keep themselves informed about these topics. A good way to keep up to date with cybersecurity and general management topics is to attend continuing education courses such as those offered by Rochester-Bern Executive Programs.