Incendiary, destructive and fascinating all at once, cyberattacks are leading the current polycrisis. Critical infrastructure is under attack, and reports are piling up at state criminal investigative agencies and public prosecutor offices alike. One thing is clear to the experts: Cyberattacks cannot be avoided. It is important, now more than ever, that companies know how to react to them, lest the future judge them harshly for their failure to respond accordingly.
How can companies better arm themselves against cyberattacks? And if attacks succeed: How do they switch to "incident response" instead of "headless chicken mode"? It is time to ask an expert. Philipp Seebohm from AON shares insights and recommendations from eight years of cyber risk management.
Mr. Seebohm, you are an expert in cyber risk management – that sounds like an exciting job.
It is. And even though technology plays an essential role in my occupation, I, first and foremost, work with lots of people from many different backgrounds – some from international organisations with exceptionally diverse IT maturity levels, sizes and origins. This diversity is a lot of fun for me!
How's the excitement?
Are we talking about companies under attack or me?
Feel free to talk about both.
It is extremely varied among companies. There are some larger organisations that are insanely well prepared and have already experienced various incidents of cyberattack. They are relatively calm, have excellent processes and are able to classify the incidents very well in a professional and structured manner. But there are also companies, primarily SMEs, where the perceived impact of a cyberattack is significantly higher. For example, when the managing directors are also the shareholders. An attack and its coordination can become a massive problem. The excitement is palpable in this moment and quickly spreads to the staff. As for my excitement: I have been working in the field of cyber risk management for eight years. In the beginning, I was faced with a lot of unknowns. The excitement was definitely higher than today. In the meantime, however, I have experienced a lot more cases, and the team’s level of excitement is also within reason. It would be unhealthy otherwise: Our customers need seriousness, calm and composure in order to make the right decisions in the event of attacks.
This is then called "incident response" instead of "headless chicken mode".
Exactly, coordinated action instead of running around “decapitated” and quickly doing something that turns out to be wrong in retrospect.
What are typical “headless chicken” reactions that are better avoided during attacks?
That greatly depends on the incident. A typical reaction is to shut it all down and pull the plug on everything – in other words: to switch off everything in an uncoordinated way. That can only work in individual cases.
Why do you advise against it?
Because you should save a certain amount of forensic data after an attack. That way, you can first determine what happened. How did the attackers get into the system? What rights have they been able to gain? How did they spread? You should also be able to make sure that the attackers have not implemented any backdoors, i.e. backdoors that make it possible for them to get into the system again after being kicked out. If a shutdown occurs without retaining a certain amount of forensic information, it will be difficult to ensure that it does not happen again.
After a cyberattack, one also hears about encrypted backups: Companies may have taken precautions, i.e. prepared for an emergency, but the attackers were already one step ahead. What should companies consider for their backups?
Correct, this is also a typical “headless chicken” reaction. Out of panic – and because everything must be kept running and in production – companies fire up system backups without checking. Careful consideration is needed here: Only verified recovery measures should be initiated.
Okay. You already mentioned the keyword "backdoors", which attackers create and thus use to keep access open. But what are other gateways into systems? Are there any classics?
The gateways are very diverse. But phishing e-mails are definitely among the classics: Hackers use them to trick staff into opening certain codes or attachments, clicking on links and downloading malware. Another gateway comes in the shape of vulnerabilities within a system that can be accessed via the internet. They can also arise at any time through updates. Any code, any software can contain vulnerabilities that are then exploited by attackers. These gaps are classic openings because it is difficult to close recurrent vulnerabilities or to completely disable the software. Among other things, these often take the form of open communication channels such as e-mail programmes.
If we think about the global wave of WannaCry infections in 2017, there have already been some spectacular cases in the history of cyberattacks. Which curious case comes to your mind?
A colleague from digital forensics recently described one to me. It happened a while ago and wasn't very popular in the media, but it was very strange. A company was attacked almost simultaneously by two different groups of hackers. The first group had encrypted the company's data. The second group put its encryption on top of the first one nearly at the same time. There was practically an encryption of encryption. Two criminal organisations wanted to cash in on the same company at the same time. There was no collusion.
What kind of company must this have been if several hacker groups were interested in it at the same time? Was it particularly lucrative?
You bring up an interesting point with this question: These criminal organisations are not necessarily interested in the company. What is lucrative for them are the vulnerabilities, the multitude of attack surfaces or the opportunities that companies “leave” for them. So, the companies’ business is not the priority: The available opportunities are the focus.
That makes sense. For example, if you look at the pattern of prey of the hacker group “Double-Spider”, it includes various enterprises: manufacturing companies such as Matratzen Concord, critical infrastructure such as the university hospital in Düsseldorf, media companies such as Funke and district administrations such as that of Anhalt-Bitterfeld. Can one therefore not speak of particularly favoured or endangered sectors?
Even if some criminal organisations conduct highly targeted attacks on specific companies, a company’s attack surface can nevertheless make all the difference. If we look at Germany, we already see a focus on manufacturing companies. They have two landscapes: IT and OT, partly also IoT. The production facilities are many and are now also controlled digitally. However, the systems for the machinery, some of which have been running for more than 30 years, are difficult to update. This increases the attack surface.
We have a large number of manufacturing companies in Germany; they also account for a large part of the overall economic output. Is Germany of global interest to hackers and thus particularly at risk? A ransomware statistic puts Germany in third place among the most attacked countries – after the USA and the UK. There are also reports of an increase in attacks. Is this due to Germany's economic success?
Logically, yes. After all, the pay-off is greater when individuals or companies with higher assets are extorted.
What then is the status quo, and how well prepared are German companies for cyberattacks?
It depends on the company, but we observe that a change in thinking is increasingly taking place: Many organisations are increasing their focus on cyber risk management and cyber insurance. They are investing in prevention, in detecting and reacting to attacks. From my point of view, this is also very important because many companies will become victims of an attack in the future.
You advise companies in this regard: What misconceptions do you still often encounter regarding cyber security and attacks?
It is a misconception that cyberattacks are exclusively an IT problem. It is assumed that IT is responsible for the problem and must also solve it. This is not the case: Cyberattacks are an operational risk for the entire company. IT is only one link in the chain. In the case of attacks, data protection is just as affected as production, management and accounting. Governance must therefore be properly anchored in the company to manage the problem as a whole.
How do companies often lull themselves into a sense of security when it comes to preparedness?
Especially after implementing a new measure – for example a penetration test or the implementation of a new security solution – companies often have a deceptively high sense of their own security. They think that nothing can happen to them now. After all, all vulnerabilities have been found. But dynamic systems cannot be protected with static measures. This formula does not work in the long run. The attacks are far too multifaceted for a selective measure.
So, the risk is constantly changing. What are the latest developments with cyber criminals? How have they been acting recently?
There are several new approaches. In general, however, one in particular stands out: The attacks have become much more professional and organised. Criminal organisations are on the hunt for more than just vulnerabilities. As soon as they gain access, they scout the company out for a very long time, doing so very quietly and with a lot of resources. This is new. They get to know their victims better, gathering information about their processed data, vulnerabilities, communication channels, backup infrastructures and much more. They also investigate the ways in which the companies could recover, i.e. how they could recover data after an attack. For this scenario, they find out how to infect backups accordingly. They also extract sensitive data, that way they can also blackmail companies – provided that the company does not want to pay a ransom for the decryption key. This process has been around for a long time, and it is called “double extortion”.
It is said that entire business models grow out of the following: One hacker group cracks the access and sells it. The next group extracts sensitive data and sells that. Finally, another group blackmails the company for a ransom.
And so on, absolutely! By now, “Ransomware-as-a-Service” (RaaS) is already being used in an inflationary manner. Finding loopholes, exploiting loopholes, but above all, selling or exploiting sensitive data: There is an increased division of labour among criminals. This also makes things much more professional.
Phishing e-mails have also become much more professional. Whereas not long ago you could distinguish them on the basis of their faulty spelling or striking visual components, today you have to look much closer.
Yes, new technologies play a significant role here: AI like ChatGPT makes it very easy for attackers to automatically create structured phishing emails with impeccable spelling. Professionalism has improved significantly here. It is a matter of time before we also receive more fake phone calls and, eventually, fake video calls. Deepfake audios have long been a reality. All in all, this brings together a great many risks, which unfortunately often affect the most vulnerable – I am thinking here of the grandchild scam.
We note: Cyberattacks are extremely sophisticated and cyber criminals are often already several steps ahead. Is prevention still at all possible? If so, what is the best way for companies to act in advance? What steps are necessary?
With all due respect to fire drills, the probability of falling victim to a cyberattack is higher than that of a fire breaking out. In order to be able to act in a coordinated manner in the event of an emergency, I recommend that companies carry out a tabletop exercise to roleplay as the victim of a cyberattack and then play out the scenario: Stakeholders get nervous, customers fear that their data will be published, and suppliers can suddenly no longer be part of the value creation. At the same time, monetary obligations are pressing. So, you should imagine a problematic situation that is as complex as possible; think preventively about the problem together, talk to each other, discuss it, weigh it up, and have a plan – similar to what many companies have been doing for fire protection for decades now. That is the first step.
Which target-oriented questions should be asked and answered when acting out such a worst-case scenario?
Here are a few: Is there a crisis plan? Is it up to date? Does it physically exist or is it digital and therefore also encrypted? Are all phone numbers and contacts up to date? What are our critical processes? Do we actually negotiate with blackmailers? To whom do we communicate what, for example, to external partners? How do we deal with overtime and weekend work? Which areas would be better off on short-time work? Is there a certain amount of liquidity available? What needs to be paid immediately?
Do you have a tip for contingency plans that tends to be overlooked?
Yes, keep it short. The document should be pragmatic and constantly adapted. When a company is hit, the document should work with limited resources. A 200-page document is of no use to anyone. It is more important to establish who must do what in an emergency. For example: Who records the damage? A company must not only be able to prove forensically that it was the victim of an attack; if it is insured, it must also be able to quantify its damages. These roles should therefore be distributed well in advance and defined in the crisis plan.
Which brings us to the “how”: You say that it is more important than ever how business leaders react to attacks. Why?
Because it is the "how" that decides how much damage the company will suffer from an attack in the long term. If companies react hectically and uncontrollably, too many technical and organisational mistakes will happen. And the more problems that arise, the longer the problems persist and the higher the balance sheet impact of the crisis becomes. Crisis management is the key here. How business leaders and organisations react: This is how they will be measured in the future.
Good. Let's assume that the worst-case scenario has occurred. One morning “You are f*****d” is emblazoned on every screen. That's what happened to the Anhalt-Bitterfeld district administration a good two years ago. What are the first three steps in such a situation?
Prio 1: Stay calm and act in a coordinated manner.
Prio 2: Bring in-house expertise to bear and prioritise crisis management and forensics.
Prio 3: Cut off the hackers' communication channels in a considered and sensible way.
Prio 4: Do forensic analysis, including collecting evidence and examining backups.
Prio 5: Create a parallel system to keep emergency processes running.
Okay, in conclusion, I have three theses. Some of them are bold, and I would like to ask you for your assessment. Thesis No. 1: Authoritarian corporate cultures are more likely to fall victim to hacker attacks than others. Yes or no?
That is difficult to answer in a generalised way. On the one hand, companies with a strongly authoritarian corporate culture have the advantage that guidelines are strictly followed by everyone. On the other hand, they often find it difficult to operate an open culture of failure and active crisis management. This means neither external expertise is consulted nor questioning among the staff encouraged. This is precisely what can make it easier for attackers: CEO frauds are more likely to succeed if they are not questioned.
Thesis No. 2 is a quote: “Pen and Paper is better”: Digitalisation only makes us vulnerable.
Certainly, the attack surface increases with increasing digitalisation. But the risk does not lie in the technology: in most cases, it lies with the people. We are currently in a state of twilight here in Germany, which means that we are more than a little digitised, but we are also not yet fully digitised. The risk arises primarily in structures that have grown historically over time: They still have a lot of old machines, old IT, a lack of updates and general ignorance. This combination creates risks that then manifest themselves in attacks. So, not digitising is not the solution – on the contrary, digitisation brings immense advantages. It makes us competitive, and it strengthens companies and business locations. But it also requires courage.
Thesis No. 3: Criminal organisations also like to extort ransoms by publishing highly sensitive data – for example, the disciplinary files of civil servants, see Case D.C. Police (2021) – or board minutes, some of which document their own legal violations. If so, one might suggest: “Cyberattacks make companies more ‘correct’ in the long run.” Or?
I doubt that cyberattacks will make companies more correct or honest. But the pressure on companies to pay ransoms will definitely increase. However, what I can say is this: With such attacks, companies will grow increasingly aware of their own vulnerability. But this will also increase their investment in the protection of sensitive data.
Thank you very much for the fascinating interview, Mr. Seebohm.