Cyber attacks cost German firms millions of euros each year. In an interview with DW, IT advisor Sandro Gaycken speaks about the technological battle between hackers and the businesses trying to keep them away.
Sandro Gaycken, director of the "Digital Society Institute," sat down with DW on the sideline of the European School of Management and Technology's yearly forum, this year dealing with digitalization.
DW: When it comes to cybercrime, what do you see as the greatest challenge that businesses face?
We're observing a whole new series of attack patterns. So-called "ransomware" has recently spread, attacking companies by encrypting their data and demanding ransom money to unlock it. Businesses of all sizes are vulnerable to it.
In the banking and finance industry we are seeing more and more attacks that deal with stock market manipulation and money transfers hijacking. Just recently a Bangladeshi bank attempted to transfer Bangladesh central bank governor resigns over cyber heistone million US dollars from New York. They made off with $80 million - if they had taken the whole billion it would have been the biggest bank robbery in history.
What kind of attackers do businesses report about when you advise them?
There are normal petty criminals, working primarily with blackmail software. Then there are organized criminals. They have by now developed a strong interest in cybercrime - most of all in the banking and finance industries. They've moved a bit away from the classic business model, growing innovative. And then there are state-sponsored attackers, who are involved with strategic and industrial espionage.
What poses a bigger security risk to businesses: man or machine?
The security risk exists on both levels. It's generally said that the greater risk lies with man. People can easily be hacked so that the attackers can delve deeper into the IT. But even if people are well defended, the IT is still abundantly vulnerable.
Do big businesses have an advantage over smaller ones when it comes to cybersecurity?
Small and mid-sized businesses certainly can't brace themselves as well as big businesses can, though big businesses of course have much more territory to defend. Small companies however often also lack the in-house expertise to make well-informed security purchases. Much of the time they simply don't know exactly what their risks and problems are, and where they need to defend themselves. A lot of the recommended security technology is also too expensive for small and mid-size businesses. Attackers know that and set their sights accordingly.
Industry 4.0 - in which machines communicate with each other - is growing in importance. Is this the next target for potential cyber attacks?
Definitely! There have already been a whole slew of attacks. For example, there was a recent accidental attack on a German nuclear reactor, which infected a loading crane for nuclear material. Sweden's air traffic control system was attacked and was taken offline for hours. There are more and more reports and concerns coming from operators of critical infrastructure.
Do you think that cybercrime will influence the future of digitalization?
I hope that lessons will be learned from it and systems will be built more securely as a result. But the IT industry's willingness to do so is not yet there, because the process of building everything new and secure would be quite difficult and expensive.
Businesses could then also refuse to push further with digitalization.
There are indeed firms that say "this is where we stop - we've had enough." We've noticed with Industry 4.0 that many mechanical engineers are saying that they don't need too keep going, that there is no additional utility to be gained from it.
The security industry has grown very strongly in the past few years. Has it caught up with the advances made by attackers?
They haven't! The security industry needs above all to develop new ideas. At the end of the day businesses are selling old technology with new labels. They desperately need to invest some money into developing new approaches. But the problem is that most small and mid-size firms have no budget to spend on development. And as a result this industry is far behind the attackers.
Sandro Gaycken is director of the Digital Society Institute at the European School of Management and Technology. His research focuses primarily on cybercrime and he advises businesses, organizations and the German government. In the latter capacity, he took part in the "no spy" agreement between China and Germany.