Comment: Mirko Bulles, Director Technical Account Management EMEA/APAC at Armis
Since the origins of cybersecurity, there has been a constant chicken-and-egg conflict between compliance and cybersecurity. The recurring question in this dispute is which of the two gets attention first, and more of it. Most companies tend to act only after they have been the victim of a security breach by cybercriminals. Others react only when fines for compliance violations threaten their business development. In reality, the two areas are interconnected, and compliance is often required to support cybersecurity efforts. At the same time, more budget is needed to keep up with the ever-changing cyber threat landscape and increasing IT sprawl – the unmanageable introduction of more and more IT devices, components, software and interfaces. Ultimately, it is a mix of people, processes and technology (PPT) that protects businesses from cyber attacks, not mere compliance. Worse still, most businesses in critical infrastructure sectors such as transport, healthcare, food and energy are at risk not only from cyber criminals, but also from nation-state actors, or at least from groups supported by them.
Despite the risk of constant cyber attacks and the daily increase in threats, many IT and OT security professionals in the DACH region still manage their security tools manually to a certain extent. The results of a recent survey of 651 IT security professionals in the DACH region by market research company Censuswide show that less than half of the companies have automated IT security software to detect APTs, which have been identified as the most dangerous groups and are often supported by state actors. Instead, 43 per cent of these companies manually look for suspicious behaviour through predefined alerts. The reason could be a lack of financial resources, but it seems strange that in the survey, more than 66 per cent of respondents said that their companies have cyber insurance, yet of those, only 51 per cent have cyber insurance covering security incidents caused by threat actors such as APT groups or incidents that could be considered cyber warfare.
The need for automatic detection of security risks, which would reduce response time to infiltrations and cyber-attacks, seems to be less important than having cyber-insurance. This result suggests that covering potential damage is considered more important than preventing damage beforehand. This conclusion also fits the picture of the conflict between cyber security and compliance mentioned at the beginning. The majority of experts surveyed stated that they are currently in the process of taking additional technical and organisational measures to be compliant with the latest regulations, such as the IT Security Act 2.0 in the case of CRITIS operators or B3S in the case of hospitals.
However, the problem remains: you can only protect what you can see. As long as the goal is to clean up a potential mess and show law enforcement that the company has complied, these issues will not be addressed. Executives need to understand that compliance and purchasing cyber insurance will not protect against a security incident; it takes skilled people, processes that work and innovative technology to protect the organisation from cyber-attacks. Transparency is key to protecting the various IT, OT, IoT and IoMT environments. What the assets are, how many there are, where they are, how they behave, how important they are and whether they are vulnerable in any way: these are all questions that ultimately every organisation needs to answer, especially in these times of uncertainty.