Cybersecurity has become critically important across every aspect of modern life. Why is it so important? How do cybersecurity professionals work? What legal consequences can a cyber attack have? These and many other questions are answered by experts from CERTAINITY and Dr. Helmut Liebel from the law firm E+H.
Mia Volmut: Cyber attacks occur every single day. Cybersecurity has become a well-established term, and there are countless examples of attacks around the world. Nevertheless, many organizations still fail to prepare adequately for potential cyber attacks. Why is that?
Florian Walther, Head of Defensive Security at CERTAINITY:
Fundamentally, I believe it’s because digitalization has been a gradual process. Over the years, organizations have digitized more and more of their operations, but they rarely stopped to consider the consequences or the associated risks. That’s what I mean by gradual. Particularly in small and medium-sized businesses, there often comes a point where they suddenly realize just how dependent they have become on functioning digital processes - and how little attention they have paid to ensuring those processes are secure.
Some organizations continue to resist investing in digital modernization, particularly long-established small businesses, because of the associated costs. That reluctance often extends to the security measures and processes that could help them withstand a cyber attack. What is frequently overlooked is that the financial consequences of a successful attack are usually far greater than the cost of prevention.
Mia Volmut: How severe can the consequences of a cyber attack become? We regularly read about companies being forced to shut down after an attack. How realistic is that scenario?
Florian Walther: Especially during economically challenging times, that can happen surprisingly quickly. A ransomware incident almost always results in substantial follow-up costs. For a financially struggling organization that has made little or no preparation for such an incident, insolvency can become a very real possibility. That’s why I always emphasize that every euro invested in cyber readiness is money well spent. In my view, every euro invested in prevention is likely to save at least one hundred euros in avoidable costs after an incident.
Clara Nowara: The costs associated with a cyber attack can be enormous. Although organizations are generally aware of the risk, the true financial impact of a cyber incident often remains difficult to grasp until it happens. And that doesn’t even take into account the potentially significant costs resulting from reputational damage.
Mia Volmut: CERTAINITY operates a dedicated Incident Response team. Florian, as Head of Defensive Security, you’re responsible for exactly this service. Could you give us an insight into your work?
Florian Walther: The easiest way to think about it is like the fire brigade. When something is “on fire,” organizations call us. Our goal is to help as quickly as possible. During an initial call, we assess the situation, discuss immediate containment measures, exchange contact details, and establish secure communication channels. The customer then receives a proposal outlining the required support. Once it’s accepted, we get to work immediately.
In most cases, that means working closely with the customer’s IT staff to contain the ongoing attack as quickly as possible. If necessary, we also deploy incident responders on-site with the required forensic equipment. After containment, our focus shifts to recovery - either by removing the attacker from the environment if they’re still active, or by helping the customer establish emergency operations and restore affected systems.
Mia Volmut: Does it make a difference whether you contact experts immediately or only, for example, 24 hours later?
Florian Walther: It makes an enormous difference. If the attack is detected before the attacker achieves their objective, professional incident response can often prevent the worst from happening. However, if the attacker has already completed their objectives, data has been stolen and encrypted, and the attacker has already left the environment, there is often very little that can still be recovered.
Unfortunately, in practice, most attacks are detected far too late. We also regularly encounter organizations that first try to handle the incident themselves before contacting us. In most cases, that approach doesn’t work and ultimately leads to significantly higher costs - costs that could often have been avoided by involving experienced incident responders as early as possible.
Thomas shares what matters most during a real incident:
Thomas Langthaler: Paradoxically, the first piece of advice I’d give is - somewhat provocatively - don’t do anything immediately. Reacting with blind action as soon as an incident becomes known rarely improves the situation. My first priority is always to gather the current status from everyone involved and build a complete picture of what’s actually happening.
Because incidents are stressful situations for everyone involved, I also try to calm the situation and reassure the people affected. Acting methodically and with a clear head not only minimizes potential damage but also makes the remainder of the incident response process much smoother.
Taking notes is absolutely essential. Whether those notes are written on paper or stored digitally depends on the situation. In either case, every note should include a timestamp so that events can later be reconstructed accurately.
Finally, I would emphasize that it is rarely a good idea for a single consultant on-site to disappear into the technical details of one individual system. Doing so almost guarantees that important information will be missed, while also making it difficult to remain the customer’s primary point of contact. That’s why we work as a team. Specific technical investigations are delegated to colleagues working remotely whenever possible, or handled later when we’re no longer on-site with the customer.
Mia Volmut: Dr. Liebel, you are a data protection expert at the law firm E+H and are very familiar with this topic. What are the key legal challenges that arise following a cyber attack?
Dr. Helmut Liebel: A cyber attack raises a wide range of legal questions. One of the most important issues that must always be considered is whether the incident has to be reported to the data protection authority. Such an obligation exists whenever personal data has been affected and there is a potential personal data breach.
If this is the case, the incident must be reported to the competent data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Since this timeframe is extremely short, maintaining state-of-the-art data protection compliance is essential. One of the most important prerequisites is keeping a comprehensive and up-to-date Record of Processing Activities (RoPA). Only on this basis can an organization properly assess its reporting obligations and prepare the required notification to the supervisory authority.
The same applies to mandatory notifications that may need to be provided to contractual partners or affected individuals. Determining which notifications are legally required always depends on the specific circumstances of the incident and must be assessed very quickly. For this reason, organizations should involve a lawyer specializing in data protection law immediately after becoming aware of a cyber attack.
From a legal perspective, the assessment also depends heavily on whether data has actually been exfiltrated. This is why close cooperation with IT forensic specialists is essential.
Mia Volmut: From a legal perspective, what should organizations pay particular attention to when making these notifications?
Dr. Helmut Liebel: If legally required notifications are not submitted, are submitted too late, or fail to include the mandatory information required by law, organizations may face administrative fines under the GDPR as well as civil liability claims.
At the same time, organizations should avoid making premature or overly broad statements, as these may later be used against them. Notifications should therefore only be submitted where they are legally required. Even when mandatory, such notifications often result in reputational damage and trigger numerous enquiries from customers, business partners, and other stakeholders.
For that reason, it is essential that these notifications are not only legally accurate but also carefully drafted to avoid exposing the organization unnecessarily.
Mia Volmut: One particularly interesting topic is negotiating with ransomware actors. Does that actually happen?
Florian Walther: In ransomware incidents, attackers almost always make demands. Whether those demands ultimately lead to negotiations is a different question. As a general rule, paying a ransom is not recommended. Ransom payments only fuel the attackers’ criminal business model and ultimately make the situation worse for everyone who could become a future victim - which, in reality, is all of us.
Mia Volmut: Another fascinating topic is table-top exercises. Thomas, I know from one of your blog posts that this is something you’re particularly passionate about. Is there anything you can share that wasn’t covered in your article?
Thomas Langthaler: Unfortunately, not too much - we’re bound by confidentiality. What continues to impress me, however, is how much even highly mature organizations benefit from these exercises, and how quickly they produce valuable insights. In particular, bringing together departments that rarely interact during day-to-day operations often reveals significant opportunities for improvement - especially regarding communication and collaboration. Without a realistic simulation, many of these issues would remain hidden. And in many cases, organizations leave the exercise wanting to do even more.
Mia Volmut: Dr. Liebel, who is actually liable if customer data is stolen?
Dr. Helmut Liebel: Since the perpetrators are often impossible to identify or prosecute, affected individuals typically direct their claims against the organization from which the data was stolen. Whether they are legally entitled to compensation ultimately depends on civil law.
Under the general principles of liability law, a claimant must establish not only that damage occurred but also that the conduct of the responsible party was (i) causal, (ii) unlawful, and (iii) negligent or otherwise culpable. The damages may be either material or non-material. In practice, non-material damages are particularly difficult to quantify, and their scope remains the subject of considerable legal debate.
Where contractual relationships exist, any agreed limitations of liability must also be taken into account - even in the event of a cyber attack. Since cyber incidents often result in significant financial losses, organizations should seriously consider obtaining cyber insurance to avoid bearing those costs themselves.
Mia Volmut: In your opinion, what is the single most important preparation an organization can make?
Florian Walther: Without question, the most important preparation is a robust backup strategy with very short recovery times that is tested regularly. If everything else fails, this is the one safeguard that can ultimately determine whether a business survives or not.
Thomas Langthaler adds: For organizations that are not large enough to maintain their own security team - let alone a dedicated incident response team - the best preparation is to establish a direct relationship with an experienced incident response provider such as CERTAINITY. When an incident occurs, that provider can immediately contribute the expertise required to support recovery and investigate what happened.
Clara Nowara: The goal is always to respond to incidents as quickly as possible. On the one hand, organizations can achieve this through security solutions that improve detection capabilities. On the other hand - and this is something every organization can implement regardless of its size - clearly defined incident response procedures and response playbooks significantly reduce the organizational overhead during a crisis and allow incident handling to begin immediately.
Mia Volmut: Cybersecurity professionals seem to be in extremely high demand. Florian, how do you deal with that challenge within your practice?
Florian Walther: It’s true - demand for cybersecurity professionals far exceeds the available talent pool. Finding qualified people is therefore challenging. Of course, we offer competitive salaries, but money isn’t everything. Beyond a certain point, simply paying more becomes much less important.
Many other factors matter far more to people - things like sustainability, company culture, work-life balance, working conditions, supportive colleagues, interesting projects, and opportunities for personal development. Those are the areas where I try to make the difference. As a smaller organization, we also have significant advantages over larger companies because we’re flexible, have flat hierarchies, and can make decisions quickly. That approach has worked very well for our team, and I’m genuinely proud of the outstanding people we’ve been able to bring on board.
Mia Volmut: Finally, would it be fair to say that prevention plays the most important role?
Florian Walther: Absolutely. Every euro invested in preventing cyber incidents is money well spent. When it comes to cyber incidents, the question isn’t if they will happen - it’s when.
Thomas Langthaler: I like good quotes, and one of my favourites comes from Benjamin Franklin:
“By failing to prepare, you are preparing to fail.”
Your first line of defence will always be vigilant, well-trained employees. Incident response plans, emergency contact procedures, and communication chains should be clearly documented, communicated, and regularly rehearsed.
Mia Volmut: Thank you all very much for this interesting and insightful discussion!
