IT-Security – Current Focus Topic In German Companies?

Signum Consulting is starting this year with an initiative on the topics of digitalization and IT security.

Our interview partner is Dr. Peter Tabeling, Lead IT Architect at gematik GmbH. This company is significantly involved in the digitization of the healthcare system in Germany, with products such as the electronic health card and the electronic patient record.

Dr. Tabeling was a lecturer at the Hasso Plattner Institute in Potsdam and subsequently held a leading position in the digitization of business processes. Since 2018, he has been developing system architectures for secure e-health applications at gematik and supporting their implementation. He is the author and reviewer of scientific articles and books.

Interview, Part I:

  1. Mr. Tabeling, are German companies in the Stone Age / Middle Ages / Modern Age / Postmodern Age when it comes to IT security?

    The Stone Age and the Middle Ages are certainly behind us. As far as IT security is concerned, we now have a sound knowledge of how it can be achieved or at least improved. We are not dependent on “alchemy”, but can fall back on recognized technical and organizational means. In this sense, then, we have already gone through the Enlightenment. As in many areas, however, knowledge alone – about data encryption, for example – is meaningless if it is not applied consistently and instead we save money at the wrong end or even rely on the principle of hope. In my opinion, problems with IT security are often due to the fact that people initially look only at the benefits and functions of IT solutions and too late at IT security.

  2. According to the Bitkom economic study (05.08.2021), German companies are more affected than ever by attacks in the form of theft, industrial espionage, or sabotage. The number of cyberattacks is also increasing sharply. What do you think are the causes of this development?

    First of all, it has to be said that according to this and other studies, white-collar crime is generally on the rise. It is difficult for me to say what the reasons for this are. On the other hand, the fact that cyberattacks are playing a growing role here is probably simply due to increasing digitization. Value creation, for example, is increasingly taking place through automated processes, and sensitive and business-critical information is increasingly being processed and stored digitally instead of in analog form. At their core, many cyberattacks are still theft, industrial espionage, or sabotage – only that in the age of digitization, these are carried out by other means. Unfortunately, digitization opens up new opportunities not only for companies but also for criminals. You have to be aware of this and should protect yourself accordingly. Where plant security, high fences, or lockable filing cabinets used to help, today firewalls and cryptographic processes such as encryption and digital signatures, for example, can protect against attacks. This must be supplemented by organizational measures.

  3. The budget for IT security has increased in the pandemic. How can companies protect themselves against attacks and position themselves better? What trends do you see here, e.g., know-how protection, screening of potential employees and freelancers, ISO 27001?

    In addition to the use of technology already mentioned, supplementary organizational measures are very important, because security is only created by the overall package. Technical measures alone are not sufficient if, for example, employees are not sufficiently sensitized to and familiar with new risks. A password that is secure per se offers little protection if it is written on a piece of paper “hidden” under the PC keyboard. The study you mentioned points out that “social engineering” plays a major role in cyberattacks – in other words, exploiting the “human factor” as the weakest link in the security chain. Thus, holistic approaches such as ISO 27001 and IT-Grundschutz (BSI) are of great importance. The know-how protection you mentioned is a typical objective here. For example, protection against industrial espionage when traveling abroad is considered and suitable countermeasures are recommended. Among many other aspects, a separate chapter is actually devoted to the topic of personnel. Here, ensuring and checking the qualifications of personnel form important building blocks.
