Six common misconceptions about cybersecurity in the enterprise
Cybersecurity costs money. As long as the IT systems and infrastructure are functioning, it is often difficult to invest the resources that would be needed to reduce risks and ensure smooth operation in the future as well, in other words: to establish cyber resilience. When organizations systematically underestimate their cyber risk, it has to do with several misconceptions. The following is about [...]
Assumption 1: It only affects the others anyway
"Our company is not interesting enough for a cyberattack." This assessment is anything but rare. Unfortunately, the reality is completely different. Statistics show that as many as 99% of all cases of cyber damage are the result of attacks that were not targeted at all. In other words, the vast majority of attacks are spray-and-pray. Cyber criminals launch a general attack attempt without a specific target. Then they simply wait to see which companies or organizations, for example, the email with the phishing link will lead to success. Unfortunately, for many companies, the hurdle for an initial compromise of their IT is not high enough to withstand these attacks in the long term. This plays into the attackers' hands. Especially if they have primarily financial interests and want to blackmail the company, for example by encrypting it using crypto Trojans or ransomware. This is where the spray-and-pray approach is usually the most profitable for cyber criminals. This in turn means that every company is a potential victim. Politically motivated attacks are clearly distinct from this: here, success is ultimately just a question of available manpower, as monetary cost-benefit considerations play a completely subordinate role in an ideologically motivated attack. In such cases, zero-day attacks that exploit security vulnerabilities in software that are not yet publicly known are also used more frequently. With a zero-day exploit, the attacker plays a joker, so to speak. This is because if the new attack method becomes public as a result of its use, this attack vector is ultimately used up because software manufacturers then roll out the corresponding security updates.Assumption 2: Attacks from the supply chain do not play a major role
In fact, the number of supply chain attacks is increasing. In this class of cyber attacks, software solutions, devices or machines that are supplied to a company and that it uses for its business activities act as the attack vectors. For example, the Log4j vulnerability disclosed in December 2021 was a zero-day vulnerability in a Java logging library. Log4j is used to create and store logging information from software, applications and hardware appliances. However, because Log4j is sometimes deeply embedded in many different solutions, in thousands of instances, a simple vulnerability scan is hardly sufficient to identify all vulnerable instances. In general, even open source software is not immune to security vulnerabilities. For example, a professor at the University of Minnesota managed to introduce vulnerabilities into the Linux kernel as part of a study. He and one of his students pretended to provide bug fixes for the Linux community. The aim of the controversial action was to demonstrate how vulnerable open source projects can be. A security gap in the Linux kernel is potentially so serious because Linux is very widespread. Today, it can be found in servers and smartphones as well as in a wide variety of embedded devices - from cars to smart homes and machines. With the increasing digitalization of our economy and our living environment, networked devices can now also become a gateway for cyber criminals. For example, a supermarket chain was hacked when the attackers chose the intelligent refrigerated shelves in the stores as an attack vector. The same risk exists for networked devices in the smart home sector. They also represent potential points of attack - a serious reputational risk for the device manufacturer or distributor. In both the private and commercial sectors, a much more conscious approach to installed software and purchased devices is therefore required. In the manufacturing industry, for example, where a machine can have a life cycle of several decades, sooner or later only mitigating measures will be available to reduce security risks. This is because manufacturers no longer exist, or they no longer supply security patches after a few years. So sometimes the only option left is to seal off the machine from the rest of the network at great expense and accept the residual risk. As a general rule, it would be negligent for a company to shift the responsibility for its cyber security entirely onto its suppliers. Threats from the supply chain are real and commonplace today. Companies therefore not only need appropriate risk awareness, but also experts who can help them establish effective cyber resilience.Assumption 3: Our employees already have sufficient safety awareness
All too often, careless behavior on the part of employees still provides cyber criminals with a convenient gateway into the company. Creating and maintaining an appropriate level of risk awareness is a building block for cyber security, the importance of which a company should never underestimate. Only if they are aware of the danger will employees consistently avoid giving out passwords over the phone, for example, or carelessly clicking on a dubious link in an email. Sometimes the potential danger is also a direct consequence of daily work. Employees in the HR department, for example, open applications almost every day without knowing whether the digital CV contains malicious code or not. The same applies to invoice PDFs in the accounting department's inbox. This is why companies naturally need to take technical measures against such attacks. But it is equally important to reduce the likelihood of successful phishing attempts by raising awareness of the dangers of social engineering attacks in general. Social engineering means that the attackers use deception to gain unauthorized data or access. Methods of human psychology are misused to manipulate employees and persuade them to transmit information or take certain actions - such as fatally clicking on the link in the phishing email or giving their password to supposed support staff on the phone.Assumption 4: The scope of this safety check will already be sufficient
Putting a company's cyber security to the test with penetration tests is an important building block in the development of cyber resilience. However, if the scope of the pentest is too small, little is gained. This creates a supposed sense of security. A typical example is the exclusion of certain systems, such as those that are at the end of their life cycle because they will soon be shut down or replaced anyway. However, as long as they have not yet been switched off, these old systems often offer the most tempting attack vector. Another example: An FTP service is also running on the server that operates a web application to be checked, which enables the server to be completely compromised - but all services apart from the web application are excluded from the check. It also happens that a financial institution, for example, only chooses the scope of its audit to be as large as is prescribed by regulation and officially required. Here too, the result would be a deceptive false sense of security. If pentests are to be truly meaningful, they must not only focus on a section of the company's IT. Instead, they must be designed holistically. After all, the aim of a penetration test is not just to give management a positive feeling about cyber security - it should identify real security gaps and potential attack vectors so that these can be rectified before they are exploited by criminal attackers.Assumption 5: Penetration testing can be done by the IT department on the side
In most companies, pentesting cannot be an in-house task at all. After all, IT administrators have one thing above all else to do: they have to ensure that the company's systems run reliably. As a rule, the administration team is already working at 100, if not 120 percent capacity with its operational tasks. In addition, penetration testing requires highly specialized and cutting-edge expertiseThis is something that the IT department usually does not have at its disposal. It is important that management understands that a pentest is not something that can simply be done on the side. At the same time, internal IT staff must realize that a security audit is never about discrediting their own cybersecurity work, but about strengthening it. A meaningful penetration test would not even be feasible with in-house resources because know-how and time are lacking. This is only different if the company is large enough to afford its own dedicated Red Team - the attackers - for more or less continuous pentesting. This Red team is then countered by a dedicated Blue team with the defenders. But even a dedicated Red team can sometimes benefit greatly from external support from Ethical Hackers.Assumption 6: Our backups save us in case of emergency
Just over five years ago, this statement may have been true. Today it is no longer true, not in every case. It is important to remember that the quality of malware has increased significantly. Crypto Trojans that encrypt company data for blackmail purposes no longer do so immediately. There is now ransomware that first settles in a company's backups and gradually destroys them. Only months later, when the backup has become unusable, does the crypto Trojan then set about encrypting the company's data - and the actual blackmail begins. That is why it is important today, Backups firstly, to secure them against malware with suitable protection concepts and, secondly, to check them regularly. Only a backup that can actually be set up can be relied on in an emergency. Companies should therefore regularly test, practice and try out their disaster recovery. And if a company encrypts its backup for security reasons: This backup key itself is also a potential point of attack, because cyber criminals can of course also encrypt the company's backup key. The backup would then, in turn, be unusable, and the extortion attempt through the encryption of the company's data could begin. That's why it's important that companies keep their backup crypto keys offline and also document their disaster recovery training offline.Conclusion: From cybersecurity to cyber resilience
The threat of cyberattacks has not diminished; on the contrary. If a company wanted to conclude from a past that went smoothly that it will continue to be safe from cybercrime in the future, this would perhaps be the most serious misconception of all. Operational reliability can only be established in IT if a company establishes, maintains and further develops its cyber resilience with suitable, holistic concepts and measures. In any case, it is worth the effort to deal with this, because the financial damage in the event of an emergency weighs many times more heavily than the foresighted investment in cyber security. As in medicine, prevention is better than cure when it comes to cybersecurity. Authors: Michael Niewöhner and Daniel Querzola are both managers and penetration testers at Ventum Consulting, MunichThis article originally appeared on m-q.ch - https://www.m-q.ch/de/sechs-gaengige-fehlannahmen-zur-cybersecurity-im-unternehmen/
Just at the halfway point of the year, a word creeps into our vocabulary that couldn't be more fitting: semi. The current state of the industry? Semi. The work of industry colleagues at juries? Semi. The juniors' proposals for the next pitch? Semi! It's mainly the young people in the industry who have brought the word into circulation. When the old-timers talk about their long-gone exploits, Generation Z doesn't even roll its eyes, but looks out into the world, perplexed. What are they talking about? They find it semi-funny or semi-interesting. The prefix "semi", which as a determiner originally weakens or halves adjectives or nouns, has long since taken on a life of its own. Presumably because, without a base word, it leaves open what exactly it means. Neither outstanding nor bad. Neither innovative nor oldschool. Simply semi. It sounds more positive than "so-so" or "okay" and more engaging than "interesting", but above all much more motivating. Which brings us to the topic of Generation Z. While the "old ones" - meaning Boomers and Millennials - are used to commenting on current events from an intellectual semi-distance, Gen Zers always go all-in.
The Literatur Festival Zürich, presented by Kaufleuten Kultur and Literaturhaus Zürich, will take place for the 10th time next week in the Old Botanical Garden. For the anniversary with a new design and a 
We spend around eight hours sitting down in our normal office routine plus our free time in the evenings. Calculated over a decade, that's simply four years of "sitting". The ergonomic LimbicChair aims to offer a way out of this static captivity. The two seat shells support the body almost weightlessly in its posture, while arms and legs can move completely freely. The LimbicChair was developed by Swiss physician and neuroscientist Dr. Patrik Künzler at MIT, among others, and is said to be a boon for the limbic system - and therefore for memory, drive and creativity.
"The connection between posture and movement and well-being and performance has been proven," explains Limbic Life CEO Künzler. "The LimbicChair is the essence of this knowledge. Clearly, the communication around this innovative seat also needs to be top-notch. For the complete positioning & brand launch, we therefore found the perfect partners in the vision of CD Matthias Kadlubsky and his Salt & Water team."
The Muntagnard showroom is located in nature and presents completely biodegradable garments. With this action, the two Muntagnard founders, Dario Grünenfelder and Dario Pirovino, want to underline that it is also possible in the textile industry to act sustainably and in the spirit of the circular economy. "We are very proud of the fact that we have exclusively products in our range that we can leave in the wild without hesitation. Of course, clothing should never be disposed of in nature. In our case, however, we can ensure that the environment would not be unnecessarily burdened with our products," says Head of Brand Dario Grünenfelder.
The idea of the biodegradable showroom was developed in collaboration with BrinkertLück Creatives. The Swiss-German agency specializes in communicating for brands that act in harmony with ecology, economy and social responsibility. In addition to the Legna - Romansh for wood - and Mangola - Romansh for cotton - lines, the Lana - Romansh for wool - line will also be on display. 
The campaign's target group consisted of 80% men who are interested in luxury watches. In addition, geographical targeting was used to reach people who are traveling in the catchment area of the new store. Thanks to the programmatic playout of the campaign, the target group could be reached very precisely using cookieless audience targeting and environment targeting on finance & business environments. The audience targeting included people with the highest purchasing power and people in C-level positions. Thanks to the cookieless audience targeting, the reach was expanded more than is possible with conventional audience targeting segments based on cookies, particularly on mobile devices. The campaign was dynamically optimized during its runtime. The campaign budget was allocated between devices, audiences and environments in such a way that the best possible performance was achieved. This has led to a measurably strong increase in visits to the website and click-through rates that are up to 3 times higher than the benchmark.
