“Cyber Security is the Fire Safety of the 21st Century”

Everybody knows, but few talk about it: Cybercrime is one of the greatest economic threats of our time. The best way to deal with the uneasy feeling of helplessness is facing the challenge head-on. In the following interview, Achim Fischer-Erdsiek, expert in cyber insurance at NW Assekuranz, tells us what to do:

Mr Fischer-Erdsiek, what are the biggest misunderstandings you have come across in your company with respect to cybercrime?
First: We are too small, no hacker would be interested in us. Second: Nobody finds me on the internet, anyway. Third: I can do without IT.

The opposite is true?
Yes—experiencing it yourself will definitely disabuse you of that notion. But small and medium-sized companies in particular do not speak about it when they have been the victim of a cyber attack. Being attacked is considered to be shameful, and the victims are afraid to lose customers. This veil of silence among medium-sized companies leads other companies to believe that this issue does not concern them, only major corporations, the ones we read about in the media.

Do these companies generally lack awareness of the threat posed by cybercrime?
You have to understand that IT insurance and, consequently, cyber security are the fire safety of the 21st century. We know that we are incapacitated when our business burns down. But we have yet to understand that it is the same for our IT system and the data it contains. Availability has become an extremely valuable asset, and yet we simply assume that everything is going to be alright. The Covid-19 pandemic has been an eye-opener: All of a sudden, smooth networking, good software solutions and decentralised availability of data became crucial for our operations. Most companies were able to implement this within the first few weeks, but one thing we’ve learned is this: Without the digital infrastructure, we are quickly incapacitated. I often speak with executives who believe that a couple of days without IT surely is not such a big deal. Then the systems fail, and all work stops within six hours. Of course, it is even worse when you sell your products online: Turnover drops to zero in the blink of an eye. If the system is down for two or three days, you lose more than your revenues. It will take a lot of time to return to your previous level of turnover because your clients will have switched to other providers.

Are hacker attacks the greater danger for IT systems?
Something can always break, but cybercrime is the real challenge. Over the past years, we have seen an enormous professionalisation of the scene. Four or five years ago, we were still talking about script kids—teenagers who just wanted to see if they were able to hack into a system. The damage they caused was so low, it was practically petty cash for most companies. Nowadays, we are talking about a whole industry with several levels of value creation. Someone creates a Trojan, uploads it millions of times to the internet and monitors in how many companies—hundreds or even thousands—it is clicked on. Then they sell their findings on the darknet. Another cybercriminal might find a hole in the code of the latest version of some communication software. They, too, will find a buyer who can then easily read out who uses the defective software, and infiltrate the company of their choice, e.g. by using a Trojan that can identify the cash flows. Then they sell this access to the third level in the value chain: highly professional hackers who build a Trojan that is custom-made for the spied-out system and paralyses it. It is almost impossible to crack the software at this point.

And then what?
You have to pay the ransom and replace the IT.

That sounds alarming.
In Germany, we are talking about damages in an amount of more than 100 billion euros caused by cybercrime every year. The State Criminal Police Office is clear: Why do you think common crime is receding? Who robs a bank these days? Anyone with half a brain and enough criminal energy will use a laptop or buy the software and system access on the darknet. The power of this machinery is reinforced by the ever-increasing networks and degrees of digitisation. And it is not only about your own system, but about issues like supply chain interruption as well. We used to say, who cares if a bag of rice falls over in China—but that is no longer true.

And cyber insurance helps?
First, you need a sound analysis. Our first task is identifying your company’s sensitivities. How much does your business model depend on IT? What are the crown jewels of your supply chain? Do you have a supplier whose IT availability is relevant for your system? Our experts and your administrators analyse your IT technology and IT structures. We can gain a good overview of your risk exposure by means of a quick check we developed based on our own experience in cooperation with the Verband der Sachversicherer [Association of Property Insurers]. This quick check is the basis for our cyber workshop, in the course of which we dig deeper. We have a set of highly efficient tools at our disposal, such as a penetration test to show the vulnerability of your system. We then provide recommendations for action, which we implement at the client’s request. For example, we have a hotline for damage events within the framework of the cyber insurance. IT techs can call it in an emergency and say, “Something is wrong, my system is unstable.” Our experts respond immediately, and often they can prevent things from getting worse. It is the same as with a fire: If you discover it early on, it won’t jump to the next building. In the second step, we also insure the risks. What is the cost of this or that incident? We can quantify that very accurately. At the client’s request, we then develop a tailor-made cyber insurance concept that we can optimally place with highly specialised insurers.

Won’t the IT experts of the respective company consider you to be inspectors come to uncover their mistakes?
Quite the opposite: Often, the people in charge of IT at the company are overtaxed trying to deal with security issues in addition to their daily business. The boss says, surely they can do it on the side? We aim to make the management aware that IT security requires hours of work because a company’s ability to do business depends on it. This way, the administrators do not see us as inspectors but as support, someone to finally tell things as they are.

Do you see bigger problems coming our way, e.g. with new technologies, in the future?
Man-in-the-middle attacks and CFO fraud are causing ever more trouble. Targeted manipulation of payment information on incoming or outgoing invoices, for example, can cause money to be transferred to the wrong account (man-in-the-middle attack). A fake e-mail from the Board to Accounting asking for a big money transfer just before the weekend can also have severe consequences. An employee may even get a phone call with this kind of instruction, thinking they are talking to their superior but instead listening to a digital voice simulation (CFO fraud).
Unfortunately, this is no longer science fiction. It is becoming more and more important to raise the employees’ awareness—with respect to increasingly good fake mails, seemingly harmless clicks, and even more insidious attacks. From what we are seeing, 60 percent of all successful cyber attacks can be traced back to a company’s employees’ negligence. This happens on every level. This is why we offer awareness seminars where we train the staff in order to focus their attention. Being careful is a very good defence strategy.

Thank you for the interview, Mr Fischer-Erdsiek!