
News article

IT Security Trends in 2017 for TÜV TRUST IT GmbH Unternehmensgruppe TÜV AUSTRIA

  •   12/10/2016
  •   Created by Christina Münchhausen

Ever increasing digitization is creating new risks for companies.

The expectations of TÜV TRUST IT, a member of TÜV AUSTRIA Group, for information security in 2017 go beyond the increasing risk of DDoS attacks, as just shown by the recent attack on Telekom’s customer routers. Ever-increasing digitization is also creating new risks for companies, which is why Business Continuity Management and Industrial Control Systems are buzzwords that are gaining significantly in importance. According to the trend-based forecasts of Detlev Henze, Managing Director of TÜV TRUST IT, the foremost issue is a shortage of IT security experts, which is increasingly slowing down companies' optimization initiatives.

  • Digitization is opening up ever new dangers: The digital transformation is becoming more and more dynamic, and the mass conversion to electronic processes inevitably gives companies more targets for theft and manipulation of data. So far this aspect has not played a significant role in digitization projects, but the pressure to pay significantly more attention to information security is growing. This includes both taking protection against cyber-attacks into account as early as the development phase of digital business processes and performing security tests of the final environments.
  • IT security is gaining in relevance to the public: Often perceived as a rather abstract issue, cyber threats were brought home by the attack on Telekom’s customer routers, which made them immediately felt by many people. Quick responses in government policy and business suggest that much more importance should be attached to digital security issues and that they should be declared a public issue. This opens up an opportunity for a more intensive societal dialogue about the need for and possibilities of greater commitment to information security and cyber security.
  • The risks of DDoS attacks remain: These attacks are becoming more and more effective, having reached new record levels this year of up to 1.1 terabits/s. In addition to the long-known causes, botnets made up of IoT devices have also appeared on the scene. Such devices, like surveillance cameras, household appliances and other widely used devices with an IP address, are either not protected against malware at all or only minimally so. It can therefore be expected that, along with the further spread of the IoT, not only the number of DDoS attacks but also their intensity will increase very considerably.
  • Cybercrime as a service is being used more and more: Attacks can be purchased relatively easily as a service on the darknet. That means no knowledge of hacking is even necessary to cause widespread damage, especially since such cybercrime as a service is becoming ever cheaper and can, for example, be used by companies to hit competitors' web shops where it hurts. The authors of these attacks often remain anonymous, so that virtually no action can be taken.
  • Industrial Control Systems (ICSes) are becoming more and more relevant: Security solutions for production processes and factory automation have turned into a burning issue. Production systems increasingly have IP addresses and web-based control, but many systems and protocols within the production infrastructure do not have sufficient security mechanisms. And attempted attacks are not primarily aimed at individual production machines, but rather at back-office systems positioned behind them. Production machinery thus becomes a gateway to the entire enterprise network. This makes appropriate security analyses important, especially for critical-infrastructure companies.
  • Business continuity management is gaining in significance: The more severe the consequences of cyber-attacks become, the greater the business risks resulting from outages of existentially important resources and processes. These risks do not develop linearly but rather progressively in relation to growing cyber threats. As a consequence, in 2017 companies are going to invest increasingly in business continuity management in order to ensure their operational capability in exceptional situations.
  • The human element is moving even further into the foreground: People continue to play a critical role in information security processes, requiring sustained and concentrated efforts to raise awareness. An increasing number of attacks with possibly devastating effects that are attributable to human error is to be expected.
  • No expansion of the IT Security Act: No further development of the IT Security Act [IT-SiG] is to be expected in 2017. Instead, there will be ISO 27001 certifications for many defined critical-infrastructure companies. Moreover, it is already foreseeable that a domino effect is going to arise because these companies will require more security credentials from their suppliers, all the way to ISO 27001 certificates. It is also clear that many organizations outside the critical-infrastructure sector will have to significantly increase their information security to meet the requirements of existing legislation (the Telemedia Act, for instance). This is also being driven by the General Data Protection Regulation, which in many places presupposes the existence of an information security management system and which from 2018 will replace the data protection law applicable in the member states of the European Union. Action must therefore be taken at an early stage to avoid costly legal violations.
  • A shortage of experts is impeding positive development: The gap between the experts required for information security, IT security and cyber security and those available is becoming ever more critical. As a result, the implementation of necessary security measures is increasingly being delayed. As there are currently no concepts for eliminating the shortage of experts, this problem is set to get even worse in the years ahead. Counteracting it will require a strong joint effort on the part of businesses, educational establishments, the executive branch of government, society and government policy. TÜV TRUST IT will continue to intensify its commitment in this regard and train experts.

TÜV AUSTRIA Cloud Security, (C) Fotolia, Maksim Kabakou
