The question with cyber incidents is not if it will happen, but when it will happen

Cyber security has become extremely important in all areas of life. Why it is important, how cyber security experts work, what legal consequences it can have, and many other questions are answered by CERTAINITY employees and Dr Helmut Liebel from the law firm E+H (opens in new window) .

Mia Volmut: Cyber attacks happen every day. Cyber security is now a well-established term and there are countless examples of attacks worldwide - yet there are still many companies that do not deal with the topic enough and prepare for possible attacks. Why is that?

Florian Walther, Head of Defence Security at CERTAINITY: Fundamentally, I think it’s because digitalisation has been a rather gradual process so far. Over time, more and more has been done digitally with computers, but the consequences and effects have not really been taken into account. That’s what I mean by creeping. Especially in SMEs, at some point you realise how dependent you are on digital processes actually working, and how little attention you have paid to ensuring that everything is secure, etc. !

Clara Nowara: Some companies are still reluctant to upgrade in the digital area; especially “old-established”, smaller companies, as this is associated with high costs. This also includes the security measures and processes that could help a company in the event of a cyber attack. The fact that the costs incurred in the event of a successful attack are significantly higher is usually ignored.

Mia Volmut: How far-reaching are the consequences of a cyber attack? You read in the press that some companies have even had to close down as a result - how realistic is such a scenario?

Florian Walther: It can happen relatively quickly, especially in times of economic hardship. A ransomware incident like this always entails considerable (follow-up) costs. For an economically ailing company with insufficient or no preparation for such an incident, this could well mean insolvency. That’s why I always preach that every euro invested in cyber-readiness is money well spent. Presumably, for every euro you invest in prevention, you save at least 100 euros on the (avoidable) follow-up costs of an incident.

Clara Nowara confirms: The costs that can be incurred in the event of a cyber attack are horrendous. Despite the known risk of a cyber attack, the costs that can arise from such an attack are not tangible. The costs that can arise from a possible loss of image have not even been factored in.

Mia Volmut: Certainity runs a successful incident response team. Florian, as Head of Defensive Security at Certainity, you are responsible for this very service. Could you give me an insight into your work?

Florian Walther: In principle, you can think of it like the fire brigade. We can be alerted if there is a “fire”. We then try to help the affected company as quickly as possible. In an initial meeting, the facts are clarified, immediate measures are discussed, contact details are exchanged and (secure) communication channels are established. The customer then receives a corresponding offer. If the offer is accepted by the customer, we get started. Normally, this means that we immediately implement measures with the customer’s responsible employees, e.g. to contain the ongoing attack. If necessary, we send employees with the appropriate equipment to the customer’s site. We then clean up the attack, either by removing the attacker from the infrastructure if the attack is still ongoing, or by helping the customer to set up an emergency operation or support the restoration of the systems, for example.

Does it make a difference whether experts like you are called in immediately or after 24 hours, for example?

Florian Walther: It makes a big difference. If the attack is noticed before the attacker has reached their target, a lot is still possible with professional help. If the attacker has already reached their target, data has been leaked and encrypted and the attacker has already disappeared again - then there is often very little that can be saved. Unfortunately, in practice, most attacks are only recognised very late. Unfortunately, we also repeatedly see cases in which the affected companies try to deal with attacks themselves before contacting us. In most cases, this goes wrong and causes high follow-up costs that could have been avoided if professional help had been called in as early as possible.

Thomas tells us what matters in an emergency:

Thomas Langthaler: Paradoxically, the first point I would mention - to exaggerate - would be to do nothing. Going into blind actionism as soon as you become aware of something or it arrives is not helpful. Rather, I first obtain an up-to-date status report from all parties involved and thus get a picture of the overall situation.

As an incident of this kind is a stressful situation for everyone, I try to calm the situation and convey to those involved that by acting prudently, the damage can be minimised as far as possible and the further handling of the incident can be made smoother. As far as the wealth of information is concerned, notes are of course essential. Whether they end up on a notepad or in a laptop depends on the situation. In any case, it makes sense to time-stamp each note so that all relevant processes can be reconstructed afterwards. Finally, I would emphasise that it doesn’t make sense to be the only consultant on site and get lost in the technical depths of individual systems, as you are guaranteed to miss out on information this way and it is difficult to act as a point of contact for customers. Here we work together as a team and pass on certain questions to colleagues off-site. Or work on them in the evening when we are no longer on site with the customer.

Mia Volmut: Mr Liebel, you are a data protection expert at the law firm E+H Rechtsanwälte and are very familiar with this topic - what are the legal problems that arise in the event of a cyber attack?

Helmut Liebel: A cyber attack raises a variety of legal issues. One particularly important issue to consider in any cyber attack is the obligation to report the incident to the data protection authority. Such an obligation always exists if the attack also affects personal data and therefore a breach of data protection is to be feared. If this is the case, a report must be made to the data protection authority immediately, if possible within 72 hours of the breach becoming known. As this time period is very short, state-of-the-art data protection compliance within the company is essential. This includes, in particular, an up-to-date and meaningful register of processing activities. Only on this basis is a company in a position to make the mandatory notification to the data protection authority. The same applies to the mandatory information of contractual partners and data subjects. The mandatory notifications that need to be made must be reviewed and decided very quickly based on the specific circumstances. For this reason, a lawyer specialising in data protection should be consulted immediately after a cyber attack becomes known.

The legal assessment naturally depends crucially on whether data has actually been stolen. This requires close coordination with IT forensics specialists.

Mia Volmut: And what needs to be taken into account from a legal point of view with these reports?

Helmut Liebel: If these reports are not made or not made in good time with the minimum information required by law, there is a risk of fines under the GDPR and civil liability. At the same time, premature or excessive notifications should be avoided, as this information could be used against the company. Notifications should also only be made if they are absolutely necessary. Reports - even if required by law - regularly lead to damage to a company’s image and to numerous concerned enquiries from customers and other contractual partners. For this reason, it is important that these reports are legally correct, but also carefully formulated so as not to expose the company unnecessarily.

Mia Volmut: Negotiation with ransomware actors is a particularly exciting topic: does it happen?

Florian Walther: There are actually always corresponding demands in ransomware cases; whether negotiations actually take place is a completely different matter. In general, it is not recommended to pay a ransom. Ransom payments only fuel the criminal business model of the perpetrator groups and are therefore counterproductive for all those potentially affected - and that is all of us.

Mia Volmut: Interesting topic: Table Top: Thomas, I know from one of your blog posts that you are particularly interested in this. can you perhaps tell us something else that we couldn’t read in your blog post?

Thomas Langthaler: Unfortunately not too much, as we are sworn to secrecy, but I am always pleased to see how much even very well-positioned organisations benefit from these table tops and how quickly great results are achieved. In particular, the interaction between several parts of the organisation that do not have so many points of contact in day-to-day operations reveals a lot of potential for improvement, especially in terms of communication and networking. This is almost impossible to identify without a simulation and often leaves companies wanting more.

Mia Volmut: Mr Liebel, who is actually liable if customer data is stolen?

Helmut Liebel: As the perpetrators are usually not available, the victims turn to the company from which the data was stolen. Whether the injured parties are entitled to compensation is ultimately a question of civil law. According to the basic principles of tort law, in order to receive compensation for damages, the tortfeasor’s actions must be (i) causal, (ii) unlawful and (iii) culpable. This can involve both material and immaterial damages; the latter are difficult to quantify in practice and the exact extent is also highly controversial. In existing contractual relationships, agreed limitations of liability must of course also be taken into account in the event of a cyber attack. As cyber attacks often result in damage, it is advisable to take out cybercrime insurance to avoid being stuck with the costs.

Mia Volmut: So in your opinion, what is the most important preparation that can be made?

Florian Walther: By far the most important preparation is a sensible backup concept with very short recovery times that is also tested regularly. If all else fails, this is the one all-important anchor that determines the continued existence of the company.

Thomas Langthaler adds: “For companies that are not large enough to maintain their own security team - let alone a dedicated incident response team - the best measure is to keep the official channels to a service provider like us as short as possible. In the event of an emergency, the service provider can then use the necessary expertise to restore and process the situation.

Clara Nowara: The aim is to respond to incidents as quickly as possible. On the one hand, this can be achieved with software solutions that support detection, but also - and these preparatory measures can be implemented by any company regardless of its size - by creating incident response processes and action catalogues, you can avoid a lot of organisational effort and get involved in emergency response immediately.

Mia Volmut: It seems to be particularly difficult to find good people in the cybersecurity environment. How do you deal with this in your practice, Florian?

Florian Walther: Of course, the demand for IT security experts is much greater than the supply. In this respect, it is fundamentally difficult to find employees. Firstly, of course, we pay competitive salaries. But money isn’t everything and above a certain salary bracket, “more salary” increasingly loses its appeal. Other factors are often much more important for employees, such as sustainability, corporate culture, work-life balance, working conditions, the collegial environment, but also, for example, the type of projects you work on, support for personal development: in other words, many topics that have to do with so-called soft skills. This is where I try to score points. In these areas, we also have considerable advantages over large companies precisely because we are flexible, have flat hierarchies and therefore fast decision-making processes. This approach has worked well for my department and I am very happy about the great employees we have been able to recruit as a team.

Mia Volmut: And to summarise at the end: you could say that prevention plays a decisive role - is that right?

Florian Walther: Definitely. Every euro invested in preventing such incidents is money well spent. The question with cyber incidents is not whether it will happen, but when it will happen.

Thomas Langthaler: I like clever quotes and like to go with Benjamin Franklin: “By failing to prepare, you are preparing to fail”.

The first line of defence is and remains attentive and trained employees. Emergency plans, telephone chains, etc. should be clearly communicated and rehearsed.

Mia Volmut: Many thanks to everyone involved for the interesting and informative interview!