When it comes to cybersecurity, the economy is relying too heavily on defensive measures and neglecting self-assessments using autonomous penetration testing solutions to assess its cyber resilience.
This is the criticism of Rainer M. Richter, Head of Europe and Asia at the cybersecurity company Horizon3.ai. He points out that the European Central Bank (ECB) has been conducting stress tests to measure cyber resilience in the financial sector for years. "Companies in all sectors would be well advised to voluntarily undergo regular stress tests," Rainer M. Richter advises.
Penetration test
In a stress test, known in technical jargon as a "penetration test" or "pentest" for short, so-called white hat hackers are hired by the company to crack into its computer network to uncover vulnerabilities and other weaknesses.
Rainer M. Richter points out, "White hat hackers are no longer needed because there are autonomous pen-testing solutions used for stress testing that are available from the cloud at a reasonable price." The German Federal Office for Information Security (BSI) writes in its 2023 situation report that "the threat from cybercrime is higher than ever before," underscoring the urgent need for robust cybersecurity measures.
Increasing demands for measuring Cyber Resilience
Rainer M. Richter points to the increasing demands being placed on the economy in terms of cyber resilience as a result of ever more stringent EU legislation. In addition to specific security requirements for the financial sector, many other sectors of the economy that are part of the “European Programme for Critical Infrastructure Protection” (EPCIP) are affected, says Rainer M. Richter.
As an example, he cites the new NIS2 (Network and Information Security) Directive, the EU-wide legislation on cybersecurity that came into force in 2023.
Cyber risks
Cyber risks exist not only within a company's operations but also with suppliers and distribution partners, emphasises security expert Rainer M. Richter.
He points out, "An attack on a business partner or supplier can spread directly to all associated companies. That's why NIS2 covers the entire supply chain."
Security breaches
However, security breaches can also be fatal for companies that are not EPCIP-rated, Rainer M. Richter points out.
He explains, "When a company, regardless of sector or size, falls victim to a cyber attack, it not only can cause significant damage but also raises the question of who's to blame. Board members and managing directors who neglect the issue of cyber security will find themselves with one foot, if not both, in court."
Pentests are "affordable for every SME"
The security expert emphasises that autonomous pentests from the cloud are "affordable for every medium-sized company". "The costs scale with the number of workstations and the size of the computer network," Rainer M. Richter adds.
According to him, the operation is so simple that the pentest procedure, which was originally developed primarily for the corporate world, can now also be easily used by SMEs without having to hire external hackers.
Financial decision
The pentest costs must also be considered alongside the potential financial repercussions of cyber attacks, stresses the security expert.
With the European Union Agency for Cybersecurity (ENISA) estimating the total annual cost of cybercrime to the EU economy at approximately 180 billion Euros, investing in pen-testing solutions becomes a prudent financial decision, offering invaluable protection against devastating losses.
Checking all connected devices and machines
In addition to the low cost and ease of use, he cites as a further advantage that cloud-based pen-testing solutions can also include other connected machines and devices in the test.
"If hackers take control of the security cameras on the factory premises, it jeopardises the security of the entire company," says Rainer M. Richter, giving a concrete example of how the call for greater cyber resilience extends far beyond companies' computer systems.
Security vulnerability
What's more, the time between the discovery of a security vulnerability and its exploitation by criminals is becoming increasingly shorter. As a result, companies have less and less time to check whether their computer networks are at risk.
"Given the complexity of today's IT landscapes, companies can't determine in good time whether they are potentially affected by every new vulnerability that emerges, not to mention the enormous costs involved," analyses Rainer M. Richter.
Home working and AI-driven attack scenarios
Companies of all sizes are too careless, warns Rainer M. Richter. Most IT departments have long since lost track of all the potential vulnerabilities in their computer networks, says the security expert.
This is understandable "because computer and network constellations are becoming increasingly complex, and attacks are becoming more sophisticated and faster."
Drivers for cybercrime
Rainer M. Richter has identified two main drivers for the rapid growth of cybercrime: the trend towards working from home, which is integrating more and more poorly secured PCs into corporate structures, and the weaponisation of artificial intelligence (AI), which is making cyber-attacks "faster and more dangerous than ever before".
As Horizon3.ai has discovered in attack scenarios commissioned by companies using its autonomous pentest platform, NodeZero™, companies' defences can usually be breached within minutes.
Open-Source Intelligence (OSINT)
According to the company, NodeZero also uses Open-Source Intelligence (OSINT) to exploit human weaknesses, such as when an employee reveals the name of their dog on social networking sites and uses it as a password for the company network.
"Typically, a single vulnerability is all it takes for attackers to gain access to a company's digital infrastructure," says Horizon3.ai's head of Europe and Asia.
Europe: Epicentre of 2023 cyber threats
Rainer M. Richter is certain that the majority of businesses are well aware of the threat situation, but are relying solely on defensive measures.
"Many companies have 20 to 40 separate security systems running at the same time to defend against cyber attacks, but have no way of measuring how well they will work when the company comes under attack," says Rainer M. Richter.
IBM Security X-Force Threat Intelligence Index
He refers to the IBM Security X-Force Threat Intelligence Index 2024, according to which Europe was the most frequently attacked region in the world.
"Given the heightened risk of cyber attacks, stress tests, i.e. penetration tests, are recommended every day, but once a week," advises the expert.
NodeZero
Many companies rely on so-called vulnerability scanners to uncover known vulnerabilities in the software they use, but the feeling of security associated with this is deceptive, says Rainer M. Richter. The scanners do find vulnerabilities that should be patched; however, they do not assess the ‘exploitability’ of such vulnerabilities.
"No IT department is in a position to plug all the security gaps that become known," says Rainer M. Richter. "Rather, it is important to focus on the vulnerabilities and weaknesses that can be exploited by attackers. This focus is only possible by using solutions like NodeZero that are designed to safely attack your own company, because only then will the relevant risks come to light," emphasises Rainer M. Richter.
Cyberattacks with ransomware
The security expert quotes from the BSI status report on IT security in Germany, which states, "The BSI is observing a shift in attacks involving cyberattacks with ransomware: The focus is no longer only on large, solvent companies, but increasingly also on small and medium-sized organisations as well as state institutions and local authorities."
"The citizens of the country are often directly affected by successful cyberattacks on municipal administrations and municipal businesses in particular: this can result in citizen-centred services being unavailable for a period or personal data falling into the hands of criminals."