Quality management: Audit results in comparison

What are companies struggling with in quality management today? What are the most common failures and causes? For these insights, the international certification company DNV analyzed the audit data of its customers worldwide.

Which challenges in implementing ISO 9001 do organizations struggle with the most? An evaluation of global audit results shows a clear picture. (Image: Pixabay.com)

DNV, a global independent certification, safety and risk management provider operating in more than 100 countries, has analyzed audit results worldwide. The analysis found that the greatest challenges in implementing the requirements of the ISO 9001 quality management standard lie in Chapter 7, "Support," and Chapter 8, "Operation." About 56 percent of the audited organizations have a finding relating to chapters 7 and 8; 20 percent of these are deviations.

Chapter 7 Support

In Chapter 7, it is primarily the area of resources that poses challenges for companies. 32 percent of companies have findings in the implementation of Chapter 7.1 Resources. The findings relate primarily to the resources for monitoring and measurement (Chapter 7.1.5) to demonstrate the conformity of products and services with specified requirements, and to the infrastructure (Chapter 7.1.3) required to carry out the organization's processes. In addition, there are also opportunities for improvement in the areas of competence and documented information. 

Chapter 8 Operation

More than every second company has at least one finding related to the implementation of the requirements in Chapter 8, which is the core of ISO 9001. Most of the findings requiring improvement relate to the requirements of Chapter 8.4 on the control of externally supplied processes (24 percent) and Chapter 8.5 on production and service provision (25 percent).

"The analysis clearly shows which areas of the standard cause difficulties in implementation," explains Dirk Vallbracht, Manager of Training at DNV Business Assurance in Germany. "The fact that most of the findings are found in Chapter 8 is unsurprising in that this chapter is the main focus of ISO 9001. It thus contains significantly more requirements than other chapters." The findings and deviations per chapter are presented in the results report. This gives users an indication of the challenges most other companies are struggling with.

Audit results under the magnifying glass

The analysis is the start of a mini-series for which DNV initially evaluated all audits from the year 2021 in the area of the ISO 9001 quality management standard. This was based on 100,000 audit findings from 25,000 customers worldwide. All data came from DNV's Lumina™ tool, a digital service for all DNV customers to compare audit data. "Trainings from DNV in Germany also incorporate the analyses of Lumina's audit findings by identifying problem areas during implementation and then prioritizing them in the training itself. In this way, we enable training participants to achieve the best possible learning success," says Vallbracht. 

Source: www.dnv.de

Study: Data exchange between healthcare institutions welcomed by patients

Healthcare is becoming more and more digitalized. Patients benefit from the associated and necessary possibilities of data exchange, but are concerned at the same time. A study from Germany shows correspondingly contradictory attitudes, also with regard to the ongoing discussions surrounding the electronic patient dossier.

Digital exchange of patient data between healthcare institutions: Opportunity, but also cause for concern? (Image: Pixabay.com)

In Switzerland, discussions about the electronic patient dossier continue, while the Federal Office of Public Health (FOPH) continues to identify deficits in the digitization of processes: Almost all illnesses still have to be reported in analog form, as was reported in various media. The reason given by the FOPH is that reporting by telephone or fax enables "very rapid measures to be taken to protect public health", according to the report. Data exchange by paper form despite digitization?

74 percent of patients welcome data sharing

This is contrasted by the rapidly advancing developments in telemedicine. An initial consultation via an online medical platform can make many doctor's visits superfluous and means a reduction in the burden on the healthcare system. But what should happen to the data collected during a consultation with an online doctor? In Germany, Axway, a provider of API management solutions, surveyed 1,000 patients to find out how they view the possibilities of telemedicine. The opinions revealed a tension between a convenient service experience, data security and control over one's own patient data.

Figure 1: Would you store medical data online or in an app if it saved you from having to fill out more forms?

74 percent of respondents think providers should share patient data with each other. 54 percent feel they currently do not have sufficient access to their patient records, as well as lab results or imaging test procedures; 27 percent have limited access and would like even more insight.

Hope for process optimization and increased convenience

Sixty-five percent want medical providers to always have access to the patient's current treatment status. For the following reasons:

  • 29 percent: It could reduce misunderstandings and human errors.
  • 26 percent: It would be significantly more convenient.
  • 23 percent: It could save repeated filling out of forms.
  • 21 percent: It could improve treatment.

23 percent would be unreservedly prepared to store their patient data centrally online or in an application and to grant access to service providers so that filling out patient registration forms would become a thing of the past. For 39 percent, this step would only be considered if the security of the data is guaranteed. 20 percent even reject this completely due to security concerns.

Data security and control is the biggest concern

For the majority of patients, the security of their data is the biggest concern in connection with telemedicine. 51 percent assume that health data is not safe from hackers, only 22 percent were of the opposite opinion. Twenty-six percent said they were unsure and could not make a definitive statement. On the other hand, when asked if patients would pay for an app that provides secure access to their immunization record and comparable medical data, two-thirds - 66 percent - answered "no." Uncertainty and lack of transparency also seem to be factors that concern patients: 72 percent of respondents would like to have more control over who can access their patient records.

Figure 2: Why should medical providers have the most up-to-date patient information possible?

Data exchange yes, but only if it is secure

"Patients in Germany are caught between the familiar convenience of digital services, data security and control," Yves Lajouanie, SVP and General Manager EMEA at Axway, commented on the results. "The survey's sentiment also reflects an international trend in the telemedicine market: big tech and big retail players, such as Amazon, are currently trying to extend the convenient experience their customers have grown accustomed to from them to the healthcare and medical space by acquiring medical services, and further tying them to their platforms. Healthcare is at risk of losing data sovereignty to private providers. It is therefore important for healthcare organizations to design their digital ecosystems in such a way that they can easily transfer patient data into and receive it from other systems and applications according to generally accepted security standards. In this way, they can succeed in delivering value and a fulfilling digital service experience to their patients."

To a large extent, these assessments from Germany can also be applied to Switzerland. Here, too, data security and the ability to control the exchange of data are the factors that decide whether an electronic patient file is a success or a failure.

Source: Axway

Switzerland's research landscape: What does the future hold?

Early recognition of technological changes is fundamental for companies and is considered a key competitive advantage. This logic is also increasingly being discovered by the national economy. On behalf of SERI, SATW has written a future analysis for Switzerland as a center of research and industry.

Swiss research landscape: The 49 technologies studied are grouped into nine technology groups (see leftmost column). To map their influence on shaping the future, a link was established with 20 keywords or labels (see second row from top). The labels each belong to one of the five research areas - Digital World, Energy and Environment, Manufacturing Processes and Materials, Life Sciences, or Technology and Society (see top row). Each dot marks a direct reference, a specific application or an expected impact. The three sizes of the dots are a measure of how many of the technologies from the corresponding technology group are related to a label. More details can be found in the publication. (© SATW)

Foresight is becoming increasingly important for Swiss education and innovation policy. The new SATW study "Research Landscape Switzerland - A Technological Panorama" examines 49 technological developments from nine research areas and thus covers a very broad spectrum. Each chapter is devoted to one technology and describes its state of development as well as the associated opportunities and risks. The authors also identify the most important research hotspots in Switzerland and in an international context.

Research landscape with sufficient funding

The study is based on oral and written interviews conducted with around 60 scientists and industry representatives throughout Switzerland. They are essentially satisfied with the research funding in the field of technical sciences in Switzerland. For most of them, however, the difficult access to the Horizon Europe program is highly problematic.

Several interviewees suggested that future funding should also include infrastructure that would be available to both companies and universities. The reason for this is that in some cases this is so cost-intensive to establish that it exceeds the budgets of small companies and startups.

Shaping the future with technologies

The technologies under investigation require interdisciplinary thinking because they often affect several areas of life. In addition, the regular exchange between Switzerland as a center of thought and as a center of work is fundamental for the connection between research and industry. It is true that applied research topics play an important role in the success of new technologies. The state also has a number of opportunities to help new technologies achieve a breakthrough: Regulatory barriers could be reduced, for example, and the (international) networking of researchers and business representatives could be promoted. High-tech and niche applications, which can be developed by both established companies and start-ups, offer great potential for Switzerland as a business location. The resulting jobs and added value would make a rich economic contribution to society.

Source and further information: SATW

3D Metrology Conference: Metrology as a driver of innovation

This year, the 3D Metrology Conference will take place in Aachen from November 15 to 17. The 3DMC is one of the most important conferences in the field of industrial metrology and is being organized for the seventh time by the WZL of RWTH Aachen University in cooperation with the National Physical Laboratory (NPL), University College London (UCL) and the Physikalisch-Technische Bundesanstalt (PTB).

From November 15 to 17, 2022, the 3D Metrology Conference will take place in Aachen. (Image: zVg / Press Office WZL Aachen)

After successful editions in Aachen, Hamburg and London, and most recently two virtual editions, the 3D Metrology Conference is now returning to its founding venue, the Melaten Campus.

3D Metrology Conference with industrial exhibition

At 3DMC, up to 200 industrial users and academically renowned experts exchange ideas and shape the innovative and open character of the event. It is also reflected in the program design: A top-class lecture program is paired with an open industry exhibition, special interest sessions and dedicated networking formats. Prof. Ben Hughes and Prof. Robert Schmitt will moderate and shape the event as Chairman and Host.

Presentation of use cases and research results

The conference will focus on measurement technology as an innovation driver in automation and quality assurance. On the one hand, industrial end users will present successful use cases from various sectors, such as automotive engineering, aviation or the energy industry. On the other hand, internationally leading scientists will present advances in metrology itself, which enable new applications. 3D data and machine vision form the DNA of the conference and are complemented by other technologies, e.g. from the fields of digitalization and artificial intelligence.

Various innovations

In 2022, 3DMC will introduce two innovations: For the first time, the industry exhibition will take place in the new machine hall of the WZL, allowing exhibitors to present innovative use cases live and discuss them with the community. The advantages of an exhibition, a production technology laboratory and an expert forum will thus come together in one place. As a further innovation, selected presentations will be supplemented by an associated peer-reviewed article in the open access journal Metrology, which will further strengthen the sustainable scientific excellence of the conference.

Event website: https://www.3dmc.events

Whitepaper "Seizing the Potentials of Business Ecosystems"

EBS, FIR and University of St. Gallen publish recommendations for value-adding collaboration in ecosystems, derived from the latest scientific findings.

Cover page of the white paper "Seizing the Potentials of Business Ecosystems". (Image: zVg)

The joint white paper "Seizing the Potentials of Ecosystems" by researchers from EBS Universität für Wirtschaft und Recht, FIR at RWTH Aachen University, and the University of St. Gallen presents the core characteristics of business ecosystems based on the latest research findings and best practices. The team derives recommendations for sustainable competitive advantages.

Ecosystems as forms of value creation

Ecosystems represent new forms of value creation across company and industry boundaries. They are emerging in all industries and form the basis for the most valuable companies. Between 2015 and 2021, for example, 23% of all startups rated as "Unicorn" (i.e., valued at more than $1 billion) had their business model significantly aligned with ecosystem value creation. At the same time, 22 of the S&P (Standard & Poor's) Top 100 companies operated significantly in ecosystems, representing 40% of the S&P Top 100 market capitalization.*)

White paper explains nine core properties

Successful companies are proving that both customers and companies benefit from ecosystems. The enormous potential for value creation is arousing massive interest in this new form of business, but there is often a lack of common understanding of what ecosystems actually are and can achieve. An interdisciplinary team of researchers has therefore characterized the nature of ecosystems on the basis of three levels and a total of nine core properties:

Ecosystem Core

  1. Shared purpose and vision
  2. Co-creation between stakeholders involved
  3. Modular, complementary solutions

Ecosystem Relationships

  1. Multilateral relations
  2. Autonomous actors
  3. Information-based value creation

Ecosystem environment

  1. Shared values
  2. Common technological infrastructure
  3. Network effects

Based on this classification, the research team provides concrete recommendations in the white paper for achieving sustainable competitive advantages in the technological, social and economic environment in ecosystems. Best practices from experienced managers from established industrial companies and digital startups illustrate how the core characteristics of ecosystems are put into practice. The whitepaper is available for download free of charge at seizing-ecosystems.fir.com/white-paper/.

Security levels of mobile workstations still critical in many places

Increased hybrid work environments have exposed the vulnerabilities of the existing IT infrastructure in many companies. Overloaded networks, security deficiencies in mobile working and distributed data silos are just some of the challenges that companies are still struggling with in many places, even after two years in crisis mode. In crisis scenarios, it is not only important to maintain critical processes and productivity, but also not to reduce the existing security level in data traffic.

The security levels of mobile workstations are still critical in many companies. (Image: zVg / Netzlink Informationstechnik GmbH)

Working from a home office has become a part of everyday life at many companies. Since the term "home office" is used rather loosely, however, a clear distinction must be made here, because only very few employees actually have a classic home office: namely, a workstation in their own four walls or at an external location that is not only equipped with the necessary software and hardware by the employer, but also has access restrictions that comply with data protection regulations (e.g., lockable room, sole and exclusive use of components from the employer, etc.). What many workers resorted to in the crisis years of 2020 and 2021 is closer to mobile working, which brings many new challenges. It became particularly dangerous when solutions were introduced quickly and without due diligence, just to keep the business running, even at the expense of security and data protection. Closing these security gaps will continue to occupy many companies in 2022.

Secure connection of home workstations

The impact that the transition to modern home working has had on operational processes in German companies depends crucially on the business model, the individual requirement profiles of employees and, not least, the company's IT infrastructure. For example, what demands are placed on communication and data exchange? While simple document sharing is sufficient for one person, another employee needs a remote workstation to work on a complex 3D model. Many businesses have also had to send more workers to work from home than operational resources were available for. "Against this background, we have recorded a significant increase in requests to date, in some cases to enable several hundred workstations to work remotely and to close the existing security gaps. The principle: The user accesses a virtual desktop environment (VDI: Virtual Desktop Infrastructure) of the company with his private work device via a hardware-authenticated terminal session. The private operating system environment and the company application interface are physically completely separate system worlds at all times. No company data can be stored on the private end device, as there is no data access between the private and company environments. This is a simple and effective solution for connecting a large number of home workstations and also ensuring a sufficiently high level of protection for all clients from an economic perspective," says Holger Priebe, Team Leader Microsoft and Virtualization at Netzlink. "Accordingly, it is no surprise that VDI, VMware Horizon and collaboration applications such as Office 365 with Teams and SharePoint currently represent the largest growth areas for us as an IT system house, which are also currently taking up our largest personnel resources," he adds.

Physical capacity bottlenecks

The conceptual question of connecting to the corporate network is followed by questions about the physical capacities of the existing network: Do I have a sufficient firewall and enough bandwidth to connect all my mobile employees remotely via VPN at the same time? Do the employees need to work remotely on Microsoft machines at all, or is it sufficient to let them work via a classic client, e.g., by accessing the Office 365 cloud locally, so that the bandwidth of the company's own network is not burdened? It should be noted that it is not enough to establish access once. Load tests must also take place due to dynamic adjustments to the IT infrastructure in order to ensure smooth and reliable live operation without interrupting workflows. 

But the employee also needs sufficient bandwidth in the home network to work remotely with the usual IT quality. Is the employee only online with one client, so that it is sufficient to set up a VPN tunnel, or does he perhaps even need to be connected via a remote access point? The private WLAN may also already be busy due to other users or may not meet the company's security requirements. Here, an LTE card and an LTE modem from the employer can improve the performance and security of the connection at low cost.

Securing access

Securing access is always a critical point here. "WLAN access should be provided with a strong password that is changed at regular intervals. Ideally, a guest WLAN access is used for home work, so that any company data is not transferred via the same network that other users in the house use. Depending on the role and authorization, the question also arises as to whether logging into the network using only a user name and password offers sufficient protection or whether access security should be increased with two-factor authentication, e.g., with tokens or one-time passwords, via smart card or with the help of biometric features," explains Niklas Lay, Team Leader Network and IT Security at Netzlink. "If you need additional protection for individual work devices, you can also activate the encryption of the hard drive - after all, Windows 10 already includes a so-called BitLocker in the operating system to prevent unauthorized data access, for example in the event of loss or theft."
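The disk-encryption advice above is only useful if it is actually verified on each device before it leaves the building. The following script is an added example (not code from the article or from Netzlink) showing how an administrator could audit a Windows 10 workstation for the state the article describes: BitLocker protection switched on for every fixed drive, encryption complete, the operating system drive bound to the TPM, and a recovery password protector present so the key can be escrowed. It uses only the built-in BitLocker and TrustedPlatformModule cmdlets (Get-BitLockerVolume, Get-Tpm); the compliance baseline it checks against (TPM-bound OS drive, recovery password required) is an assumption made for this example, not a requirement stated in the article.

```powershell
# Added example: audit BitLocker and TPM state on a mobile Windows workstation.
# Not from the article or Netzlink. Run from an elevated PowerShell session on
# Windows 10 / Server 2012 R2 or later (BitLocker module must be available).
# Assumed baseline (example only): every fixed drive has protection On and is
# fully encrypted; the OS drive has a TPM-based protector and a recovery password.

function Test-MobileWorkstationEncryption {
    [CmdletBinding()]
    param()

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. TPM state: a TPM-bound protector resists offline attacks on a removed
    #    disk far better than a password-only protector.
    try {
        $tpm = Get-Tpm
        if (-not $tpm.TpmPresent) {
            $findings.Add('No TPM present: OS drive cannot use a TPM-bound protector.')
        } elseif (-not $tpm.TpmReady) {
            $findings.Add('TPM present but not ready (not initialised or owned).')
        }
    } catch {
        $findings.Add("Get-Tpm failed: $($_.Exception.Message)")
    }

    # 2. Every BitLocker-capable volume: protection must be On and encryption finished.
    foreach ($vol in Get-BitLockerVolume) {
        $mp = $vol.MountPoint

        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$mp : BitLocker protection is $($vol.ProtectionStatus).")
            continue   # remaining checks are meaningless without protection
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("$mp : volume status is $($vol.VolumeStatus); encryption not complete.")
        }

        $protectorTypes = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # 3. OS drive: require a TPM-based protector (Tpm, TpmPin, TpmStartupKey, ...)
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if (-not ($protectorTypes | Where-Object { $_ -like 'Tpm*' })) {
                $findings.Add("$mp : OS drive has no TPM-based key protector (found: $($protectorTypes -join ', ')).")
            }
        }

        # 4. Any protected volume: a recovery password must exist so it can be
        #    escrowed (e.g. to Active Directory) and the device recovered after loss.
        if ($protectorTypes -notcontains 'RecoveryPassword') {
            $findings.Add("$mp : no RecoveryPassword protector; key cannot be escrowed.")
        }
    }

    # Return a structured result so it can be collected centrally (CSV, SIEM, etc.)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: print the verdict, and exit non-zero for use in a provisioning pipeline.
$result = Test-MobileWorkstationEncryption
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

Running this as a scheduled task or during device provisioning turns the article's recommendation into an enforceable gate: a laptop that reports `Compliant = False` is not handed out for mobile work until the listed findings are fixed. The recovery-password check matters for the loss-or-theft scenario the article mentions, because a TPM-only device that later fails its boot-integrity check is unrecoverable without an escrowed recovery key.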

BYOD - Raising awareness of risks

A latent danger for companies is to tolerate the use of private end devices without existing guidelines, for example, in order to maintain a supposedly high level of employee productivity. Even after two years in crisis mode, private end devices pose a serious risk to corporate data security because they are largely beyond corporate control. "Many employees here also lack the security awareness that smartphones are mobile and quite powerful little computers, sometimes with significant data stores, that need to be secured via firewalls and up-to-date virus protection just like their desktop counterparts. In the event of a sudden change in the work situation, many users are not in a position to assess the dangers and risks for themselves and the company. In this respect, it is in the interest of companies to raise employees' security awareness for the use of private smartphones at work with appropriate guidelines in order to protect the company from external attacks on IT," warns Lay.

Tools for the next crisis: Emergency plan in your pocket

With the increasing use of mobile working, ICT operations are becoming even more important for all companies. The applications and data simply cannot be allowed to fail anymore. The best preparation for successful business continuity management is an emergency manual. This is used to maintain and continue critical processes when certain events disrupt or prevent operations. The complex (IT) structures of our global collaboration networks make us highly dependent on continuous business operations between all process participants - internal and external. This is becoming even more important as digitization progresses. Sustainable risk management must be part of every organization to limit the negative impact of disruptions on business operations. Unfortunately, a damaging event often has to occur before action is actually taken. Responding appropriately to disruptions requires a pre-planned and rigorously methodical approach that takes into account all critical processes, establishes responsibilities and defines communication processes in order to return to productive ICT operations in the shortest possible time.

To give companies a quick overview of the technical (equipment) basics and the personal requirements that make companies and employees fit for mobile working, Netzlink offers interested readers an e-booklet to download free of charge.

Displacement and angle measurement technology for Industry 4.0

IO-Link interface makes IoT for sensors possible: The manufacturer Novotechnik presents a whole range of displacement and angle sensors equipped accordingly.

Ready for displacement and angle measurement technology for Industry 4.0: Displacement and angle transducers with IO-Link interface. (Image: Novotechnik)

In the case of position sensors, the focus is on communication capability with regard to Industry 4.0, and IO-Link as the first IO technology certified worldwide for this purpose (IEC 61131-9) is a central topic. Thanks to it, the intelligence of the sensors can be used to the full extent for the automation network, which means a significant added benefit without additional costs. Novotechnik therefore has a whole range of displacement and angle sensors with IO-Link interface in its program. These include, for example, robust single-turn encoders of the RFC-4800 series, which have already proven themselves in many industrial and mobile applications, are compact, easy to install, and measure the angle of rotation over a full 360 degrees with a resolution of up to 14 bits. Other sensors with IO-Link include, for example, the absolute, magnetostrictive TH1 displacement transducer in rod form for direct integration in hydraulic cylinders, and the TP1 (magnetostrictive) and TF1 (inductive) displacement transducers in profile form. The latter is suitable for extremely fast positioning applications thanks to an update rate of 10 kHz. Since all these sensors operate without contact, their mechanical service life is virtually unlimited.

Figure 2: This is what the system architecture could look like. (Image: Novotechnik)

Automation technology and mechanical engineering can benefit equally from the position sensors with IO-Link interface (Fig. 2): During commissioning, the user can easily change parameters such as zero point or traverse direction, thus reducing the number of variants. In addition to pure position information, further information such as status or diagnostic messages and statistical data on operating time or environmental conditions (e.g. temperature) can also be exchanged. Errors in the control loop can be localized quickly because the setting parameters are stored centrally. A sensor can therefore also be replaced in a short time and easily re-parameterized. Installation is practical and the sensors can be easily integrated into Ethernet- or fieldbus-based communication networks. Condition monitoring and predictive maintenance concepts thus become feasible.


CAQ software manufacturer Babtec establishes Swiss subsidiary

Babtec, the German manufacturer of quality management software based in Wuppertal, laid the foundation for a Swiss location at the beginning of June by founding Babtec Schweiz AG. The aim is to provide closer on-site support for Swiss customers and interested parties.

Babtec is a leading provider of software solutions for quality management. For more than 25 years, companies of all sizes and from all industries have been using products from this manufacturer to ensure the quality of their processes and products. Today, the Wuppertal-based company employs over 180 people at six locations.

Following several offices in Germany and subsidiaries in Austria and Spain, the software manufacturer is now establishing a subsidiary in Switzerland. The entry in the commercial register was made on June 1, 2022. According to Peter Hönle, Head of Customer & Solutions at Babtec, the new company was founded as a result of the growing success of the quality management software from Wuppertal in Switzerland: "We won our first Swiss customer back in 2001, and now more than 100 companies in Switzerland and Liechtenstein - the future service territory of Babtec Schweiz AG - manage their quality with our software solutions. This demonstrates the high quality standards of Swiss companies and the increasing demand of the local market for effective digitalization in quality work. This is why we have decided to be represented by a Babtec location in Switzerland in the future."

At the new location, Babtec says it plans to focus primarily on supporting existing customer projects and expanding its sales activities.


GDPR fines reach nearly €100 million in first half of 2022

The General Data Protection Regulation (GDPR) regulates in the EU how personal data of EU citizens may be handled. Violations of this regulation are punished with heavy fines. In the first half of 2022, such GDPR fines were issued in the amount of almost 100 million euros.

GDPR fines reached new highs in the first half of 2022. (Graphic: Atlas VPN)

An analysis of Atlas VPN shows that GDPR fines total €97.29 million in the first half of 2022, an increase of 92 % compared to the first half of 2021. The data for the analysis comes from Enforcementtracker, a platform that provides an overview of fines and penalties imposed by data protection authorities within the EU under the EU General Data Protection Regulation (GDPR, DSGVO).

Atlas VPN's overview and analysis shows that companies and individuals were charged a total of €50.6 million in GDPR fines in the first half of 2021. On the other hand, the number of court cases decreased slightly, from 215 in 2021 to 205 in 2022. In other words, even though the number of GDPR violations decreased slightly in 2022, the severity of those violations was significantly greater - and so was the amount of GDPR fines. The most striking difference between 2021 and 2022 can be observed in February, where the total amount of fines imposed differs by almost 28 million euros. The following trend is also striking: around 70 % of GDPR fines are imposed in the first quarter.

A few particularly blatant cases

Atlas VPN also points to a couple of significant cases of GDPR fines issued in the first half of 2021 and 2022. For example, in June 2021, the Data Protection Commissioner of Lower Saxony fined notebooksbilliger.de AG €10.4 million. The German company had video-monitored its employees for at least two years without any legal basis. The unauthorized cameras recorded workplaces, sales rooms, warehouses and common areas, among other things. The company countered that the surveillance served to prevent and solve crimes and to track goods in warehouses. However, video surveillance is only lawful if there is reasonable suspicion against certain persons. If this is the case, it is permitted to monitor them with cameras for a certain period of time. In this case, however, the surveillance was not limited to specific employees or a specific period of time.

In turn, in May 2022, the Information Commissioner's Office (ICO) fined Clearview AI Inc. £7,552,800 for using images of people in the UK and elsewhere collected from the internet and social media to build a global online database that could be used for facial recognition. Clearview AI Inc. has collected more than 20 billion images of human faces and data from publicly available information. The company has not informed anyone that its images have been collected or used in this way. Furthermore, the company actually monitors the behavior of these individuals and offers this as a commercial service.

GDPR fines as "wake-up calls"

The General Data Protection Regulation was necessary because the old laws were written before the advent of technologies such as smartphones and tablets, so users were not protected against companies misusing their personal data. The GDPR gives EU citizens more clarity on how and why companies use their data. In addition, the GDPR significantly limits the data that companies may collect, allowing citizens to browse the internet and use services with much more privacy. In Switzerland, the revised Data Protection Act (NDSG) moves in a similar direction; it is scheduled to come into force on September 1, 2023, and companies would do well to prepare for it today.

Six common misconceptions about cybersecurity in the enterprise

In some companies, dealing with cybersecurity is a rather unpopular task. In many cases, IT administrators already have a pretty good idea of what's wrong with their company and how their own IT could be put to the test so that security gaps can be identified and mitigated or even eliminated. However, this does not mean that the administration team's suggestions will be accepted by management.

The importance of cybersecurity is now undisputed. But there are still too many misconceptions circulating. (Image: Pixabay.com)

Cybersecurity costs money. As long as the IT systems and infrastructure are functioning, it is often difficult to invest the resources that would be needed to reduce risks and ensure smooth operation in the future as well, in other words: to establish cyber resilience. When organizations systematically underestimate their cyber risk, it has to do with several misconceptions. In the following, we look at six of the most common misconceptions.

Assumption 1: It only affects the others anyway

"Our company is not interesting enough for a cyberattack after all." This assessment is anything but rare. Unfortunately, the reality is completely different. Statistics show that as many as 99 percent of all cases of cyber damage are the result of attacks that were not targeted at all. In other words, the vast majority of attacks are spray-and-pray. Using the watering-can principle, cybercriminals launch a general attack attempt without a specific target. Then they simply wait to see which companies or organizations, for example, are successful with the mail containing the phishing link. Unfortunately, for many companies, the hurdle for an initial compromise of their IT is not high enough to withstand these attacks in the long term. This plays into the attackers' hands. Especially if they have primarily financial interests and want to blackmail the company, for example, by encrypting it with a crypto-Trojan or ransomware. Here, the spray-and-pray approach is usually the most profitable for cybercriminals. This in turn means that every company is a potential victim.

Politically motivated attacks are a different matter: here, success is ultimately only a question of available manpower, because in an ideologically motivated attack, monetary cost-benefit considerations play a completely subordinate role. In such cases, zero-day exploits, which target security vulnerabilities in software that are not yet publicly known, are also used more frequently. With a zero-day exploit, the attacker plays a trump card, so to speak: as soon as the new attack method becomes public through its use, that attack vector is effectively burned, because the software manufacturers then roll out corresponding security updates.

Assumption 2: Attacks from the supply chain do not play a major role

In fact, supply chain attacks are on the rise. In this class of cyberattacks, the software solutions, devices, or machines that are supplied to a company and that it uses to conduct its business serve as the attack vectors. The Log4j vulnerability disclosed in December 2021 (Log4Shell, CVE-2021-44228) illustrates the dependency side of this risk: it was a zero-day vulnerability in a Java logging library that is used to create and store logging information from software, applications and hardware appliances. Strictly speaking it was a flaw in a widely used component rather than something deliberately planted, but for the companies running it the effect was the same. Because Log4j is often deeply embedded in many different solutions, in thousands of instances, a simple vulnerability scan is hardly sufficient to identify all vulnerable copies: the library may sit several layers down inside a vendor's application archive, or be bundled into a product whose documentation never mentions it.
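Added example, not code from the article or from Ventum Consulting: a scanner that descends into nested Java archives (a JAR inside a WAR inside an EAR) and reports each embedded copy of log4j-core, which is exactly where a flat file-name scan stops. The archive built by build_demo_ear(), the marker paths, the version threshold and the JndiLookup heuristic are this example's own assumptions, not anything the article specifies.

```python
"""Added example, not code from the article or its authors: walk an application
archive recursively (JAR inside WAR inside EAR) and report every embedded copy of
log4j-core, so that copies a flat file-name scan would miss are still found.
The archive layout built by build_demo_ear() is constructed for this demo."""
import io
import re
import zipfile

# Class implementing the ${jndi:...} lookup; deleting it from the jar is the
# well-known manual mitigation, so its absence is meaningful.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its own jar; carries the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes such as '-rc1' are ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version, jndi_present):
    """Demo heuristic for CVE-2021-44228/-45046: flag log4j-core 2.x below 2.16.0
    that still ships JndiLookup. An unknown version with the class present is
    flagged too (shaded/relocated jars often lose their pom.properties).
    The 2.12.x and 2.3.x backport branches would need their own thresholds."""
    if not jndi_present:
        return False
    if version is None:
        return True
    return (2, 0, 0) <= parse_version(version) < (2, 16, 0)


def _version_from_pom(zf):
    """Read the 'version=' line from log4j-core's pom.properties, if present."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, path, depth=0, max_depth=8):
    """Return [(path, version, jndi_present)] for every archive in the tree that
    looks like log4j-core. 'path' uses '!/' to show nesting, like Java class paths."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        version = _version_from_pom(zf)
        jndi = JNDI_CLASS in names
        if version is not None or jndi:
            findings.append((path, version, jndi))
        if depth < max_depth:  # bounded recursion: archives can nest maliciously deep
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(scan_archive(zf.read(name), f"{path}!/{name}",
                                                 depth + 1, max_depth))
    return findings


def report(data, path):
    """Pair each finding with the heuristic verdict: (path, version, vulnerable)."""
    return [(p, v, is_vulnerable(v, j)) for p, v, j in scan_archive(data, path)]


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_demo_ear():
    """Constructed sample: an EAR holding a WAR with three log4j-core copies in
    WEB-INF/lib: an old one, a patched one (2.17.x still ships JndiLookup but
    disables JNDI), and a shaded vendor jar that lost its pom.properties."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic is enough for the demo
    old = _zip_bytes({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: fake_class})
    patched = _zip_bytes({POM_PROPS: "version=2.17.1\n", JNDI_CLASS: fake_class})
    shaded = _zip_bytes({JNDI_CLASS: fake_class, "com/example/App.class": fake_class})
    war = _zip_bytes({
        "WEB-INF/lib/log4j-core-2.14.1.jar": old,
        "WEB-INF/lib/log4j-core-2.17.1.jar": patched,
        "WEB-INF/lib/vendor-all.jar": shaded,
        "WEB-INF/web.xml": "<web-app/>",
    })
    return _zip_bytes({"app.war": war, "META-INF/application.xml": "<application/>"})


if __name__ == "__main__":
    for path, version, vulnerable in report(build_demo_ear(), "app.ear"):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {version or '?':8} {path}")
```

Run it directly to print the three findings. The version threshold is the demo's simplification: the presence of JndiLookup.class alone is not conclusive, because patched 2.16+ releases still ship the class with JNDI disabled, while a copy from which the class was deleted is not flagged; a shaded jar without pom.properties is reported with an unknown version so that a human looks at it.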

In general, open source software is not immune to security vulnerabilities either. For example, researchers at the University of Minnesota, a professor and one of his students, submitted patches to the Linux kernel that introduced vulnerabilities under the guise of bug fixes as part of a study. The aim of the controversial action was to demonstrate how vulnerable even open source projects can be. A security vulnerability in the Linux kernel is potentially so serious because Linux is so widely used: it is found in servers and smartphones as well as in a wide variety of embedded devices, from cars to smart homes and industrial machines.

With the increasing digitalization of our economy and our lives, networked devices can also become a gateway for cybercriminals. For example, a supermarket chain was hacked via the smart refrigerated shelves in its stores, which the attackers chose as their attack vector. The same risk exists for networked devices in the smart-home sector: they too are potential points of attack, and a serious reputational risk for the device manufacturer or distributor. In both the private and the commercial sphere, therefore, a much more conscious approach to installed software and purchased devices is required. In the manufacturing industry, for example, where a machine can have a life cycle of several decades, sooner or later only mitigating measures usually remain to reduce security risks, because by then the manufacturer no longer exists or stopped supplying security patches years ago. Sometimes the only option is to isolate the machine from the rest of the network and accept the residual risk. As a general rule, it would be negligent for a company to shift responsibility for its cybersecurity entirely onto its suppliers. Threats from within the supply chain are real and commonplace today. Companies therefore need not only appropriate risk awareness, but also experts who can support them in establishing effective cyber resilience.

Assumption 3: Our employees already have sufficient security awareness

All too often, employees' careless behavior is still a convenient gateway for cybercriminals into the company. Creating and maintaining appropriate risk awareness is a building block of cybersecurity whose importance a company should never underestimate. Only if they are aware of the danger will employees consistently refuse to pass on passwords over the phone, for example, or stop carelessly clicking on a dubious link in an e-mail. Sometimes the potential danger is a direct consequence of daily work: employees in the HR department open job applications almost every day without knowing whether the digital resume contains malicious code, and the same applies to invoice PDFs in the accounting department's inbox. Awareness alone cannot solve this, which is why companies also need technical measures to protect themselves against such attacks.
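Added example, not code from the article or from its authors: a pre-filter of the kind a mail gateway could apply to incoming PDF attachments before HR or accounting opens them. It looks for the PDF features that let a document execute code or trigger actions, after undoing two common obfuscations (hex-escaped names and Flate-compressed object streams). The key list, the labels and both sample documents are this example's own constructions.

```python
"""Added example, not code from the article or its authors: a gateway-style pre-filter
that flags PDF attachments (resumes, invoices) carrying active content before a user
opens them. Both sample documents below are constructed for this demo."""
import re
import zlib

# PDF name objects that let a document execute code, trigger actions, or pull in
# external content. The labels are this demo's wording.
ACTIVE_KEYS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action on document open",
    b"/AA": "additional (automatic) action",
    b"/Launch": "launch of an external program",
    b"/EmbeddedFile": "embedded file",
    b"/RichMedia": "rich media content",
    b"/XFA": "XFA form",
    b"/URI": "external link",
}
# /URI on its own is common in legitimate invoices: reported, but not blocking.
NON_BLOCKING = {"external link"}

HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def _unescape(data):
    """Undo #xx escapes in names, e.g. /J#61vaScript -> /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def normalize(data):
    """Return the document text plus the inflated contents of every Flate stream,
    so keys hidden inside compressed object streams are visible to the scan."""
    out = _unescape(data)
    for blob in STREAM_RE.findall(data):
        try:
            out += b"\n" + _unescape(zlib.decompress(blob))
        except zlib.error:
            pass  # not Flate-encoded (image data, other filters): skip it
    return out


def triage_pdf(data):
    """Return (verdict, findings): verdict is 'block' or 'allow'; findings lists the
    active-content features seen, in the order of ACTIVE_KEYS."""
    if not data.startswith(b"%PDF-"):
        return "block", ["no PDF header"]
    text = normalize(data)
    findings = [label for key, label in ACTIVE_KEYS.items()
                if re.search(re.escape(key) + rb"(?![A-Za-z])", text)]
    blocking = [f for f in findings if f not in NON_BLOCKING]
    return ("block" if blocking else "allow"), findings


# Constructed sample 1: a plain one-page document with no active content.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_malicious_pdf():
    """Constructed sample 2: the catalog's /OpenAction (key obfuscated as
    /Open#41ction) points at a JavaScript action stored inside a Flate-compressed
    object stream, so a naive grep of the raw file sees neither keyword."""
    action = b"<< /S /JavaScript /JS (app.launchURL('http://example.invalid/')) >>"
    header = b"4 0 "  # object-stream index: object 4 starts at offset 0
    compressed = zlib.compress(header + action)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"5 0 obj << /Type /ObjStm /N 1 /First " + str(len(header)).encode()
        + b" /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for name, doc in (("resume.pdf", BENIGN_PDF), ("invoice.pdf", build_malicious_pdf())):
        print(name, *triage_pdf(doc))
```

The scan is a triage step, not a verdict: an attachment that trips it should go to a sandbox or be flattened to an image, and a document that passes can still carry an exploit against the viewer itself. That is why the paragraph above asks for technical measures alongside awareness.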

But it is equally important to reduce the likelihood of successful phishing attempts by creating awareness of social engineering attacks more generally. Social engineering means that attackers use deception to gain unauthorized data or access. Psychological manipulation techniques are used to persuade employees to hand over information or perform certain actions, such as the fatal click on the link in a phishing e-mail or reading out a password to a supposed support employee on the phone.

Assumption 4: The scope of this security check will surely be sufficient

Putting corporate cybersecurity to the test with penetration tests is an important building block of cyber resilience. However, if the scope of the pentest is too small, little is gained, and a false sense of security is created instead. A typical example is the exclusion of certain systems, such as those at the end of their life cycle because they will soon be shut down or replaced anyway. As long as they are still running, however, it is precisely these legacy systems that often offer the most tempting attack vector. Another example: the server running the web application to be tested also runs an FTP service through which the whole server can be compromised, but every service except the web application is excluded from the test. Similarly, a financial institution may choose a scope no larger than the regulator formally requires. In each case the result is a deceptive sense of security.

If pentests are to be truly meaningful, they must not just focus on a section of the company's IT. Rather, they must be holistic in nature. After all, the goal of a penetration test is not just to make management feel good about cybersecurity - it is to identify real vulnerabilities and potential attack vectors so that they can be fixed before they are exploited by criminal attackers.

Assumption 5: Penetration testing can be done by the IT department on the side

In most companies, pentesting cannot be an in-house task at all. IT administrators have one job above all: to ensure that the company's systems run reliably. As a rule, the administration team is already working at 100, if not 120, percent capacity on its operational tasks. In addition, penetration testing requires highly specialized, up-to-date expertise that the IT department usually does not have. Management must understand that a pentest is not something that can simply be done on the side. At the same time, internal IT staff must realize that a security assessment is never about discrediting their cybersecurity work, but about strengthening it. A meaningful penetration test would not even be feasible with in-house resources, because both the know-how and the time are lacking. This is only different if the company is large enough to afford its own dedicated Red Team, the attackers, for more or less continuous pentesting. This Red Team is then countered by a dedicated Blue Team, the defenders. But even a dedicated Red Team can sometimes benefit greatly from external support by ethical hackers.

Assumption 6: Our backups save us in case of emergency

A little more than five years ago, this statement might have been true. Today it no longer holds in every case. It is important to remember that the quality of malware has increased significantly. Crypto-Trojans that encrypt corporate data for extortion no longer do so immediately. There is now ransomware that first nests in a company's backups and gradually destroys them. Only months later, once the backups have become unusable, does the crypto-Trojan set about encrypting the company's production data, and the actual extortion begins.

That is why it is important today, firstly, to secure backups against malware with suitable protection concepts and, secondly, to check them regularly. Only a backup that can actually be restored can be relied on in an emergency. Companies should therefore test, practice and rehearse their disaster recovery at regular intervals. And if a company encrypts its backups for security reasons, the backup key itself is another point of attack: cybercriminals can of course also encrypt the company's backup key, which renders the backup unusable, after which the extortion attempt via encryption of the production data can begin. That is why companies should keep their backup encryption keys offline, and keep the documentation of their disaster recovery procedures offline as well.
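Added example, not code from the article or from its authors, of the two points made above: checking backups regularly, and keeping the key that protects them off the backup host. It builds an HMAC-signed manifest of a backup set and then verifies the set; the sample files, the scenario in demo() and the key value are this example's own constructions.

```python
"""Added example, not code from the article or its authors: a backup manifest signed
with a key that is kept off the backup host, and a verification step that catches the
slow, silent destruction of backups the article describes. The backup set in demo()
is constructed for this demo; the key value is a placeholder."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key):
    """Hash every file below backup_dir and authenticate the listing with HMAC-SHA256.
    The key must live elsewhere (offline, or on the verification host); otherwise an
    attacker who owns the backup host can simply re-sign a doctored manifest."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            full = os.path.join(root, name)
            files[os.path.relpath(full, backup_dir)] = sha256_file(full)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, manifest, key):
    """Return (ok, problems). Fails closed on a bad MAC, then lists each missing or
    altered file, so that gradual corruption shows up at the next scheduled check."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest MAC mismatch: listing altered or wrong key"]
    problems = []
    for rel, digest in sorted(manifest["files"].items()):
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            problems.append(f"modified: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: three files are backed up; later, ransomware quietly
    zeroes one and deletes another, then tries to patch the manifest to match.
    Returns the three verification results (clean, tampered, forged manifest)."""
    key = b"placeholder-key-stored-offline-not-on-this-host"
    with tempfile.TemporaryDirectory() as backup_dir:
        sample = {"db.sql": b"CREATE TABLE t (id INT);",
                  "config.yml": b"a: 1\n", "notes.txt": b"hello\n"}
        for name, content in sample.items():
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(content)
        manifest = build_manifest(backup_dir, key)
        clean = verify_backup(backup_dir, manifest, key)

        zeroed = b"\x00" * len(sample["db.sql"])
        with open(os.path.join(backup_dir, "db.sql"), "wb") as f:
            f.write(zeroed)                       # silent corruption, same size
        os.remove(os.path.join(backup_dir, "notes.txt"))
        tampered = verify_backup(backup_dir, manifest, key)

        # The attacker rewrites the listing to match the damaged set but cannot
        # produce a valid MAC without the offline key.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["db.sql"] = hashlib.sha256(zeroed).hexdigest()
        del forged["files"]["notes.txt"]
        forged_result = verify_backup(backup_dir, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result}")
```

The verification host holds the key, so ransomware on the backup server can alter files or the listing but cannot produce a matching MAC; a scheduled verify_backup() run is what turns months of silent destruction into an alert at the next check. It confirms only that the files are what was written; whether they actually restore is still the job of the disaster recovery drill.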

Conclusion: From cybersecurity to cyber resilience

The threat of cyberattacks has not diminished; on the contrary. If a company wanted to conclude from a past that went smoothly that it will continue to be safe from cybercrime in the future, this would perhaps be the most serious misconception of all. Operational reliability can only be established in IT if a company establishes, maintains and further develops its cyber resilience with suitable, holistic concepts and measures. In any case, it is worth the effort to deal with this, because the financial damage in the event of an emergency weighs many times more heavily than the foresighted investment in cyber security. As in medicine, prevention is better than cure when it comes to cybersecurity.

Authors:
Michael Niewöhner and Daniel Querzola are both managers and penetration testers at Ventum Consulting, Munich  

Best Managed Companies Award: Excellence in Swiss SMEs

Deloitte, the Swiss stock exchange SIX and Julius Baer have awarded Swiss privately owned companies that are managed in an exemplary manner in four core entrepreneurial areas. According to the independent jury, six companies met all the test criteria in this year's competition. They are characterized by a high degree of agility and have managed to transform traditional strengths into new entrepreneurial strategies.

Winners of the 2022 Best Managed Companies Awards, presented on July 7. (Image: Deloitte)

"Best Managed Companies," the competition conducted in 48 countries by Deloitte Private, compares companies in a comprehensive assessment against the consulting and auditing firm's globally recognized benchmark. This has been continuously developed in the 25 years since the Best Managed Companies Award was launched. Companies that submit to the in-depth analysis receive an independent and substantive assessment of how their operations compare to a global community of over 1,000 exemplary managed companies in four key business areas.

Intensive evaluation process

All participating companies undergo an intensive multi-stage coaching and assessment process. Their performance is comprehensively assessed in the areas of strategy, productivity and innovation, culture and commitment, and governance and finance. Only companies that excel in all four categories have a chance of winning the award.

"The companies honored this year share several elements that are particularly critical to success today: They are all highly agile, flexibly organized and have a clear focus on growth. They also manage not to insist on outdated traditions and still maintain their core values. The 'Best Managed Companies' award is an incentive for all decision-makers in the Swiss economy to shape the future of their companies with foresight, innovative strength and a sustainable management culture," said Andreas Bodenmann, Program Officer and Head of Deloitte Private at the gala event on July 7, 2022 at the SIX ConventionPoint in Zurich.

Best Managed Companies: Beacons of the Swiss Economy

Four traditional family-owned companies were honored as "Best Managed Companies":

  • The Wipf Group is a Swiss family business that can look back on a history of more than one hundred years. It uniquely combines entrepreneurial tradition with forward-looking, innovative solutions and has thus successfully established itself throughout Europe as one of the leading suppliers of packaging solutions.
  • Groupe Acrotec SA brings together independent companies in the field of micromechanics under a common "a passion for precision" philosophy and efficiently creates mutual synergies. In doing so, it smartly exploits the governance advantages from the combination of group structure and partnership.
  • The SUHNER Group impressed with the leadership renewal initiated by Jürg Suhner and its successful realignment. The company has a clear strategic orientation around its comprehensive competence in tools, processes and materials know-how for metal, and focuses uncompromisingly on solutions for the creation of success-critical metal components for its customers.
  • Precipart, founded in 1950, convinced as a family-run company with its successful and clear focus: The company offers high-tech solutions for its worldwide clientele in the medtech, aerospace and space as well as industrial markets by means of innovations and an "engineer possible" approach.

Next, two other exemplary managed companies received the "Best Managed Companies" award:

  • MindMaze, which is active in the field of digital therapy, was the first mature start-up, a so-called scale-up, to receive an award. It is driving its strong growth by means of cleverly structured governance, thereby ensuring the company's agility in the long term - a strong corporate culture provides significant support in this regard.
  • The competition does not end after one year either: all companies can regularly undergo the assessment again and attend the workshops. The beverage manufacturer Capri Sun, which is highly successful in more than 100 countries, was the first company in Switzerland to do so, and its growth strategy geared to sustainability convinced the jury that it is an excellently managed company.

Further strengthening Switzerland as a location

"Privately owned companies are and will remain an important innovation driver of a diverse and strong Swiss business location. Deloitte has been actively addressing location issues for many years. Switzerland must do everything in its power to shape regulation in key policy and technical areas in such a way that companies have the entrepreneurial freedom they need to develop sustainably," explains Reto Savoia, CEO of Deloitte Switzerland. "Unfortunately, this freedom is being restricted again and again. This is now evident almost every quarter with ever new, sometimes radical popular initiatives or even referendums against perfectly sensible laws."

On this year's jury, Nadia Lang, CEO of the ZFV-Unternehmungen cooperative, Jens Breu, CEO of SFS Group, Gilles Stuck, Head of Market Switzerland at Julius Baer, and Prof. Thomas Straub, Associate Professor at the University of Geneva for Strategic Management and Corporate Strategy, advised and evaluated the participating companies.

Source: Deloitte

Lindenhof Group reduces weekly working hours to less than 40 hours in nursing care

The pandemic has further exacerbated the prevailing shortage of professionals, especially in nursing. The strain and pressure on each individual have grown enormously as a result. The Lindenhof Group wants to counteract this with significantly improved working conditions and a targeted campaign.

Lindenhof site, Lindenhof Group, Bern. (Image: obs/Lindenhof Group)

The Lindenhof Group is one of the country's leading privately-run listed hospitals. Its three hospitals treat over 140,000 patients a year, of which around 27,000 are inpatients. In addition to comprehensive interdisciplinary basic care, the hospital group offers a spectrum of specialized and highly specialized medicine. The services offered focus on orthopedics, internal medicine, visceral surgery, gynecology, urology, neurosurgery, cardiology, angiology/vascular surgery, oncology, ENT, radiology, radiation therapy, nephrology and emergency medicine. The group employs about 2,500 people. "In the canton of Bern, we are the quality leader in medicine and care," explains Guido Speck, CEO of the Lindenhof Group. "A position that brings with it responsibility - also towards the employees."

The workload for nursing staff has also increased in the Lindenhof Group. "Despite the challenging overall situation, we have therefore decided to make a further substantial contribution to improving working conditions in nursing," explains Guido Speck. A comprehensive package of measures is now intended to underline the Lindenhof Group's claim to leadership as a progressive and attractive employer. It is also intended to confirm the importance that the Lindenhof Group attaches to the health and well-being of its employees.

In concrete terms, this means that in addition to the wage increase granted to all employees on April 1, 2022, nursing employees will receive compensation that corresponds in total to a reduction in weekly working hours to less than 40 hours - with the same pay. In addition to the increase in time credit for night duties from 20 % to 30 %, nurses who work 24-hour, 3-shift operations will receive an additional 7 days of vacation. Employees can also decide for themselves whether they want days off, take vacations or work fewer hours per week. An enormous improvement that brings more flexibility and quality of life.

To further ease the burden on existing employees, the Lindenhof Group is launching a targeted campaign to recruit new qualified professionals. It is intended to inspire young people to take up the nursing profession and to further relieve the burden on existing employees. "Your health is our calling - your well-being our obligation. This is the motto of our daily work. A guiding principle that also includes our employees," adds Raul Gutierrez, Head of HRM. "We are continually committed to being and remaining our employees' first choice. Out of gratitude and as a sign of appreciation for their achievements."
