Crime scene economy

Swiss quality has a good reputation worldwide. However, digitalisation brings completely new opportunities to undermine Swiss quality: Data theft, cyber attacks that paralyze entire systems, industrial espionage, etc. More quality is therefore required when it comes to protection against such threats. Switzerland still has some catching up to do.


 

Experts agree: cybersecurity must be massively improved in many respects. In Switzerland alone, there are thousands of known vulnerable systems - ranging from remotely controlled machines with open interfaces to financial service providers who have not equipped their operating systems with the latest security upgrades. Nicolas Mayencourt of Dreamlab Technologies AG already pointed this out at the Swiss Cyber Security Days, which took place on 27/28 February in Freiburg. On the Swiss Quality Day, he will speak about global and local IT security. And he can provide impressive figures: "The top 10 Internet companies make 500 billion US dollars profit per year. Profits from narco-traffic are estimated at 750 billion US dollars per year. Cybercrime 'earns' 1500 billion, three times more than those internet companies with all their nice products." In short: cybercrime is indeed an economic factor, albeit on the "wrong side".

Well organized crime
Nicolas Mayencourt is actually a hacker. He, or rather his company Dreamlab Technologies AG, penetrates foreign computer systems. However, Nicolas Mayencourt embodies the "good side" and tests systems for their security with his hacks. And this security is not the same everywhere. But who are the people who exploit these security gaps for criminal activities? What are they after? "Usually money," says Nicolas Mayencourt. He distinguishes between different types of cybercriminals. First of all, there is the cyber-activist. "He develops criminal activities for various motives. These include so-called web defacements, i.e. the unauthorized modification of websites, e.g. with relevant political messages. This is what we experienced in the run-up to the minaret initiative or in 2017, for example." It is quite different for those who simply hack into other people's computer systems and scan them for usable information. With such information - credit card data, internet identities, "open" IP addresses, leaked social media profiles and more - mafia-like networks make a lot of money on the darknet, for example.

 

"These organizations are highly professional and are equipped with the highest quality and resilience skills," Nicolas Mayencourt knows. "One could also learn from them."

Small cause, big damage
The cybersecurity expert describes phishing and trickery of all kinds as "evergreens": "The perpetrators are becoming more and more sophisticated. They can use leaked social media profiles to pose as a CEO, for example, imitate his choice of words and thus get a CFO to quickly transfer a million euros to a certain location," says Nicolas Mayencourt, outlining an increasingly common scenario. And SMEs are often affected by this. They are the victims of a sometimes too nonchalant approach to personal information on the Internet. But you can also get a "stupid" infection by accident, as happened to the logistics group Maersk in 2017: the "NotPetya" computer virus led to a complete loss of data. The company was completely paralyzed. With the help of the customers - who depended on the deliveries - each individual container had to be reallocated correctly by hand and in analogue form. "Within three months, Maersk had to invest 250 million euros in damage management alone. And it was just a matter of getting the IT back up and running, nothing more," says Mayencourt. Reason enough for the Maersk CEO to go public with this case and demonstrate: Hey, wake up, this could happen to any company, so invest more in cybersecurity!

Cybersecurity is a competitive advantage
A call that Nicolas Mayencourt cannot repeat enough: IT security must no longer be seen merely as a cost factor, but as an investment in competitive advantage. "Of course, people don't like to see something costing 1000 francs more just to make it really secure. But quality in security is also a competitive advantage." The state, the media and the economy have a duty to raise awareness of cyber security. He warns: "We are in the midst of the digital age, 5G is about to be introduced, nothing will work anymore without the digital world. And if this digital world is not secure, it will collapse." Switzerland would therefore be well advised not to jeopardise its reputation for quality when it comes to cyber security.

Nicolas Mayencourt in conversation
Self-responsibility is written large in Switzerland. But your examples of a lack of cybersecurity show that the path to negligence is not far, and the risk for the entire economy is considerable. What would it mean if the state had to "order" certain measures that should actually fall under personal responsibility?

 

Nicolas Mayencourt: Cyber does not stop at cantonal borders. It also doesn't matter whether you are a civilian or a military. Our data protection is very well developed, almost the gold standard, and the separation of powers also works very well. We have a very stable political system. But the fact is that cyber is calling these basic concepts into question. We must not allow that to happen. In other words, we need to share more information with each other and we need to establish common standards.

 


 

Whether it comes by decree from above or from below is of secondary importance. Cyber connects all of us. If we don't all have the same level and don't help each other, then any measure will be useless. If, for example, I have a high level of security in my company, but the electricity supply in our canton fails, then this security is no longer of much use to me. We should therefore launch a public debate on how we can continue to maintain our separation of powers, but still share certain information, including with the business community, and mandate the flow of information - in both directions. It is about how we achieve a common level of security.

 

So it is about the exchange of information, about the transfer of data as well. You mentioned our well-developed data protection. But we are getting in each other's way, aren't we?
Right, that is a contradiction. We will not get around defining certain exceptions and rules that contradict data protection - for certain uses.

 

In other words, it is a question of weighing up the benefits: what should be given greater weight: data protection or security?
That is the great challenge.

 

If you look at the "risk map" of an average SME, for example, from which directions does the greatest danger threaten?
Ransomware, phishing attacks and trickery will not stop. However, with the advancing digitalization, the effects are becoming more and more fatal. The probability of accidentally rattling into an infection will increase.

 

So hiding behind antivirus programs and firewalls will work less and less the longer ...
... that has never worked 100% and never will. You have just described the first-generation security concept that we have been practicing since 1994. We have now reached the fourth generation. People play a very critical role. All SMEs should now wake up and be sensitized, starting from the board of directors down to the ordinary employee. Everyone needs to develop cyber-awareness. Otherwise, you will simply become a victim of CEO fraud or phishing. There are still not enough effective answers or products in the industry that allow us to stop thinking for ourselves.

 

But it seems to me that this awareness is not yet present everywhere. Cybersecurity issues are simply delegated to the IT department or the Internet provider ...
Of course, it doesn't work that way. "Doing" can be delegated, responsibility cannot. I don't understand why we as a society haven't made any progress yet. We have fantastic technologies. But for 30 years we have been applying these technologies in the most sensible areas without considering what we are actually doing. If this is good enough, "verhebt's", to put it in Swiss German. Now that the technology is here, it can no longer be removed. But it would be wise to make it safer. Ultimately, security is a question of survival, be it economic or absolute.

 

How should risk management be structured?
Training, awareness, control. There is actually no longer a threat from "outside" or "inside". The boundaries are becoming blurred. If I have an infection on my private smartphone and go into the company with it, then "outside" is the same as "inside". In a protection plan, it is therefore important to consider the "inside" as "outside" and to act accordingly. Risk profiles should be zoned in such a way that the zone transitions can be monitored. A protection system also distinguishes between roles. It is actually nothing other than a professional organisation that is also adapted to the cyber sector. That's where we lag behind reality. Everything that we have already done well in the real world, we do not apply enough in the cyber world. It would actually be so simple: If I also technically depict my organization chart with security zones, then I am already a big step ahead. The fact that a marketing assistant should not have access to financial transactions is logical in the "analog world", but should also be self-evident in the cyber world. The best-case scenario is to focus on quality and security by slowing down a bit, i.e. taking an extra year or two to do something and doing it properly until it is stable and secure and brings us the benefits we expect without collateral damage. The recipes for this are mostly known.
