Cyber security part 3 – security vs. attacks: how technology helps
Thomas Sinnwell: Welcome to our new podcast. Today we are producing the third episode in our Cybersecurity series. And I have a very special guest. Today I'm talking to Chief Inspector Marc Schmitt from the Cybercrime Department of the LKA in Saarbrücken. Welcome, Mr Schmitt.
Marc Schmitt: Thank you.
Thomas Sinnwell: Mr Schmitt, please be so kind as to introduce yourself briefly so that our listeners know who I have the pleasure of speaking to today.
Marc Schmitt: Of course I would be happy to do that. My name is Marc Schmitt. I am the deputy head of the cybercrime department at the State Police Headquarters, and I am also responsible for the Cybercrime Central Contact Point. I've been in the department since 2013, a founding member, so to speak, since it was established, and I got there because I had already been involved in the cybercrime cyber security area in another area and then continued it. Logically.
Thomas Sinnwell: Yes, thank you very much. I would like to delve a little deeper into what the department does or talk in particular about the Central Contact Point for Cybercrime. But before that, I want to give a little review for the listeners who may not have heard episode one and episode two. In episode one, I spoke with Professor Mana Mojadadr about cybersecurity, of course. However, the focus was on people. The topics were: Yes, what is it actually like when you are hacked? What happens then? How do you feel then? But also very important points in this episode were: how can I start with the topic of people? How can I create awareness and how can I make my employees a very important building block in my defence against cyber attacks? And that was the focus of episode one. In episode two, I had Prof. Holz from CISPA as a discussion partner and together we made a total change of perspective and went to the dark side of power and asked ourselves the question. Yes, how do hackers operate? What tools do they use, how does it work, what are their objectives? Today, in episode three, I would like to work out together with Mr Schmitt what companies can do to prepare themselves for cyber attacks. And perhaps I should say it right away. My view of things is not the question: will I be attacked, but the question is: when will I be attacked? But before we dive into the actual topic, I would like to take this opportunity to ask you to introduce the Cybercrime Central Contact Point for the business community. This is exactly how we met. And I must admit, I have only known for a year what is behind the abbreviation ZAC.
Marc Schmitt: In 2013, with the founding of the cybercrime department at the regional police headquarters, a point of contact was created for business enterprises and other institutions, so that they no longer have to report their case to different police institutions one after the other, but have a direct contact person to bring their case to. Previously, it was experienced that companies reported a cybercrime case to a police inspection or a police station and were then connected several times to the responsible office. We wanted to get around this with this direct contact point for cybercrime, with a single point of contact at the police, which has also been staffed by computer scientists since its founding, so that the special feature here is that police officers represent the police part of cybercrime cases and the computer scientists represent the technical part. In other words, synergy effects are created in order to map this special area of criminal offences. Furthermore, with the Cybercrime Central Contact Point, a contact point has been created that can be reached around the clock. In other words, the companies can call it day and night and, if the case makes it necessary, they will be connected to experts who, if necessary, will also come to the companies on site to see with the injured parties or the persons in charge of the company what can be done on the part of the police or the state.
Thomas Sinnwell: Then, depending on when a company calls, they almost have an idea where the attack could come from?
Marc Schmitt: Yes, you can.
Thomas Sinnwell: It just crossed my mind while listening. Depending on the time zone.
Marc Schmitt: Yes, depending on the industry, you can actually, I'll say it, guess the origin of the attack. Depending on what the company is doing or what, let's say, the political situation is at the moment, you can, let's say, put one and one together from experience and know what is possible. I don't always have to prove that, but that is indeed the case.
Thomas Sinnwell: Yes, okay, that's what I thought. How is it with the ZAC now? Does the ZAC only come into play when the baby is in the well? Or is the topic of prevention also located at the ZAC?
Marc Schmitt: That is an important point you raise. The ZAC feels responsible for two things. On the one hand, as you say, when the well is dry, to be a quick contact and competent contact within the police for companies, for commercial enterprises. On the other hand, as you have also described so well, to be a contact for companies in the preliminary phase, before the child has fallen into the well. How can I protect myself? What can I do? Where can I turn? Not only to the police, but also in general, if I want to prevent the whole thing, carry out prevention. That is, the preventive aspect is to discuss with companies what I can do to be prepared for the worst case scenario. On the other hand, which offices can I contact at that moment to save time? What can I have ready, for example, also for the police if they initiate criminal proceedings? What does law enforcement need for this and what can I as a company already have in place so that there is no more delay?
Thomas Sinnwell: This raises the question of what actually happens when a company finds out that it has been hacked, fulfils its duty to inform, informs the data protection authorities depending on the nature of the incident and its own level of knowledge, and then turns to the ZAC. What happens then in concrete terms? I think there are also very nebulous ideas about what then happens in the company, which is more influenced by the media. What does it really look like?
Marc Schmitt: As an injured or affected company, you call the police. This can be done by dialling the emergency number 110. But also via a ZAC hotline, via a hotline number that we have set up especially for companies when they are affected by IT incidents. As already mentioned, this number is available day and night. Then the company reports the incident and during the day we deal with it directly in our department and see what measures need to be taken. At night, expert officers also answer the phone and check whether immediate measures need to be taken or whether it is perhaps a matter that can be dealt with, let's say, the next day. And if it is necessary, we colleagues from the department will also come to the scene at night. As I said, if it's necessary, we try to take initial measures with the people responsible for the company to keep the damage to a minimum. What has to be said clearly. You just mentioned -nebulously- what are the police doing? There is still a very, very big fear. The police come to my company seize all the computers and all the servers and the company life, the company activity comes to a standstill. That is not the case at all. We always see as the police as ZAC that this happens in agreement with the companies. Of course we want to secure evidence, but only to the extent that the company's heart, let me call it that, is not stopped and the company can continue its daily business. And so, if necessary, we also secure evidence during ongoing operations. So far, this has always been done in good agreement with companies or business enterprises.
Thomas Sinnwell: I think that is very important information for our listeners, because I have also heard some people worry: Yes, I will now be paralysed, but that is obviously not the case and is, of course, from my point of view, absolutely the right approach. We have now seamlessly arrived at the topic. Now the baby is in the well, something has happened and, well, ultimately, cyber criminals are responsible for this happening. Here, too, I have noticed that such an image often prevails, or even if you look at your TV colleagues when a crime scene or a thriller deals with the topic of cyber security. There is always the evil hacker and then he breaks into a company in a very targeted way. And from my point of view, this leads to the view that - well, my company is not interesting for the hacker. Is that the right picture?
Marc Schmitt: The picture is not correct. You can say that everything is fine in the small Saarland, that nothing is happening there - but the Saarland is also a place of cybercrime, for example. You certainly can't rely on television images. On television, everything is always presented in a somewhat distorted or often distorted way. Every company, whether it is a two-man business or a large global corporation, can be affected by cybercrime. No one is immune. Even the private person next to the companies, next to the business enterprise is affected by cybercrime, so you cannot be safe as a company. I am so small and insignificant. I am already not being attacked by any cybercriminal. You have different qualities of attacks very well. On the one hand, you have beginners, script kiddies, who download usable tools from the internet and try something out. They also have a great potential for damage, but they often make so many mistakes that you quickly get on the trail of such criminals. And then we have a scale upwards where it becomes more and more professional.
Thomas Sinnwell: To the bitter end, then also the intelligence services.
Marc Schmitt: Exactly. They leave a lot of traces on the internet, which can then be recorded and so it is easier to identify such perpetrators. Then it goes on to more professional hackers. That's what I would call it, who move around more skilfully, cover up their traces more skilfully or even cover them up, all the way to state actors or actors close to the state leadership who act very professionally, where it becomes really difficult to identify such actors and then ultimately to prosecute them.
Thomas Sinnwell: Yes, I would like to go into another level of structuring and simply address this type of attack again. If we arrive at the upper end of the scale with intelligence services or with very professional cybercrime, then I'm more in the area of targeted attacks, where a lot of energy is put into it. In this case, I think we can distinguish between two objectives. The one you mentioned - sabotage. I break something. I damage a company, a country or I try to get hold of information. And then I quickly get to the subject of industrial espionage, perhaps trying to get hold of something that a market competitor knows and what I would like to know myself. Is it true, however, that this statement means that the greater trouble actually comes from these rather non-targeted attacks, at least as far as the broad mass of companies is concerned? And I'm just thinking about the topic of ransomware.
Marc Schmitt: That's exactly what we're talking about. Ransomware is the greatest threat, already relatively long-lasting for the digital sector or cyber sector, because it is so lucrative for the perpetrators to damage and extort companies in the ransomware sector. Some of the perpetrators are very professional. You mentioned these state actors, who really do act in a very targeted manner. Here we also have professional perpetrators who are ultimately structured like real companies nowadays. There is a division of labour in these ransomware groups, from developers, sales people in inverted commas, to a support that is offered to the victim, so that there is a boss somewhere in the background, the CEO, so to speak, who coordinates and directs and then the whole thing is spread over several shoulders. The whole thing is called Ransomware as a Service, so I have different structures here, each of which is an expert in their own field. Unfortunately, it is so lucrative because the security level of many companies is still such that there are ultimately points of attack with which these groups can infiltrate companies, encrypt data and then, if reasonable precautions have not been taken, these companies are ultimately blackmailable, as the Ransom sector also aptly describes.
Thomas Sinnwell: When you look back at the cases that you have been able to accompany, what do you think is perhaps the greatest weakness that makes these attacks possible?
Marc Schmitt: The greatest vulnerability overall, one can actually say quite clearly, is still the human being sitting in front of the machine. I can try to secure the machine, the computer, the networks one hundred percent with software hardware. If the person who operates the whole thing is not appropriately sensitive beforehand, for example, opens everything, clicks on everything that appears on the computer screen, then I have the biggest, the greatest weak point here. Protection stands or falls with the human factor, which has to be sensitive, especially nowadays for certain things in the area of cybercrime.
Thomas Sinnwell: I think that is a wonderful point that we have now reached in order to enter into this core topic. What you can say right now, of course, is that companies should invest in their own employees, then create awareness for the topic of cyber security, train employees so that they can perhaps look more closely - more specifically - at e-mails. Is it genuine or is it manipulated? Or also in the direction that one dares to ask, did you really just give me the order to transfer 1.68 million to the account number? I think that makes sense in any case. And it's a very important point.
Marc Schmitt: Exactly, in the whole context of protecting oneself, that is a very important point, as you just described, that the employee knows what he is doing. Nowadays, malware is so sophisticated that when a system is compromised, it partly falls back on existing e-mail conversations. So I receive an e-mail that originates from a real question, answer or conversation, and a document or malware document is incorporated into the e-mail, which I am then supposed to open. This sensitivity, to recognise or when my gut feeling tells me that this is not true or that it happened so long ago. The important thing is to create this sensitivity, so that the person then calls his counterpart and doesn't trust him. Aha, that will be all right, that will be important or serious, but to give in to the feeling, to call the other person, to ask. And then either to find out that no e-mail came from me at all and then we have created this sensitivity so that malware doesn't get a chance. That is the essential factor. The other factor on the hardware side, to create appropriate protection, so to speak, is just as important, to create a sensitivity among people that you have to protect the system, not rely on it. We are so small or whatever, so insignificant, nothing will happen to us.
Thomas Sinnwell: I would like to build up this topic systematically now. Of course, you are absolutely right. If I sensitise my staff, train them, conduct awareness training, then I have - certainly - a very good first line of defence and that can keep a lot of trouble at bay. But some of these things are so well done: the e-mail that an employee receives gives the impression that it has been sent from within the company. It has the right signature, as you just said. Perhaps it even refers to an e-mail exchange that has taken place. And there is now another reply or a forwarding. And that can be very perfidious, very clever. And no matter how well trained I am, it can happen that the wrong link is clicked on and that the whole thing takes its course. In this respect, these technical measures are of course very important in the second line, and this is also a topic that is very much on our minds. Now I would like to build up this topic systematically. I myself am a fan of the five-phase model of the National Institute of Standards and Technology. It's quite comparable to what our American colleagues are doing, to what the BSI is doing. I like the model so much because the jobs I have to do are described so terribly precisely in the five phases. But now I don't want to give our listeners the feeling that, oh God, we're going to go so deeply into medias res or into some kind of model. I would also like to look at a second aspect, namely a minimal scenario, which perhaps already ensures a higher level of cyber security in practice. What is your minimum scenario that you would recommend to a company?
Marc Schmitt: The minimum or basic scenario for companies is first of all to choose secure passwords, where possible, and to use two-factor authentication, i.e. double security, two locks, so to speak.
Thomas Sinnwell: Most people know this from their online banking. It has become quite standard there.
Marc Schmitt: Exactly. It's really important that companies also use the latest patches, the latest software versions, that when an update is offered, they also install it and don't say, "Do I really need this?
Thomas Sinnwell: We'll do it next week.
Marc Schmitt: Exactly, and that is still very often the case with various points of attack, where one or where the BSI, for example, in checks, see Microsoft Exchange as an example, finds six or three quarters of a year later that hundreds of thousands of companies in Germany as a whole have not yet applied existing updates or existing patches. So that's an up-to-date system, that's very important. What is of elementary importance, also for companies, are backups - backups of their software of the software status at a certain point in time - which, if possible, should not be permanently attached to the running system. Because in the case of ransomware, for example, they are also encrypted. And then I don't need a backup if it is permanently attached and then also encrypted. These are, for example, points that I should definitely consider in order to have basic protection and basic protection is also available for many companies almost free of charge or can be researched or obtained free of charge via the BSI, for example. Where I can look at, I just have to or I just have to have the willingness to invest time to deal with the topic and then I can provide or set a basic protection already for very little money or even free of charge for my system.
Thomas Sinnwell: Yes, I think that is very, very important information for the listeners of our podcast. You don't have to invest huge sums of money to build up effective protection and especially the backup you mentioned - which should of course be tried out - whether you can import it and whether it will work again. Because if I do that for the first time in case of an emergency and it doesn't work, then all the work was in vain. But once you have checked that it works, yes, then it means maybe, depending on the size of the company. Then I might stand for a day, two or a week and re-spin systems and not lose too much of the work done. And if I, as a company, stand for weeks or months, costs are incurred that break the bank for most companies.
Marc Schmitt: That's exactly an important point that you mentioned, that you try, that you have a plan. At the beginning we talked about this prevention, that I as a company have an emergency plan, so to speak, that I check whether the plan works. Another important point for companies is that the bigger they get, the more they segment their systems, their networks, so that one system is not responsible for everything, so that the perpetrators win the lottery, so to speak. you get to a system where everything runs in one system, then also the whole company, as you just said, stands still. Or that really often breaks the companies' necks. By segmenting the systems, I can at least make it much more difficult for the perpetrator to compromise the entire company.
Thomas Sinnwell: Well, maybe for our listeners, just to explain the topic of segmentation: you don't create a large network, so to speak, which is completely flat and once I'm in there, I can jump from one point to the next. And the malicious code can run free and reach many systems and then also damage them. But I have structures and I can't easily get from one structure to the other. And if I have malicious code somewhere, it is not so easy for the malicious code or if there really is a human being involved who is at the back, to get into the next segment or to paralyse the whole company. But this is perhaps also a good opportunity to talk about the five-phase model I mentioned. I'll explain it very briefly for our listeners. It simply distinguishes between five phases in which one has to complete very different tasks in order to be as well positioned as possible in the area of cyber security. The first phase is called IDENTIFY. In this first layer or phase, it is about knowing what IT infrastructure I have in my company by really taking stock. If you do it more professionally, you can also operate something like a CMDB. Then I have all the information stored there, but I need an up-to-date overview in any case, and then of course I can think about what is particularly important once I have that. Or what would be terrible if the knowledge stored in the systems were to be lost, or what would be a disaster if the system no longer worked? And if I then know my risks, I can of course consider where to start with the protective measures. That's what phase one means. I would actually add that I think it's a good idea to determine what I have and what I want to protect, to train the employees or to raise their awareness. We had talked about that. From my point of view, this is a very favourable point. You can also do this with service providers, some companies also do it on their own, but it is not that cost-intensive and has a lot of effect. Is that how you see it?
Marc Schmitt: It is an important and correct point to raise awareness in the companies, in the commercial enterprises, as you have just described. It is also important that I sensitise everyone in the companies, starting with the cleaning lady, for example, who also has access to the company intranet, for example, to be able to look up information, up to the manager, the management, that I sensitise everyone who has access to the intranet or the company network, that everyone knows or is sensitive to news. We just mentioned that when an email comes with an attachment, you don't just click on it, you ask, that everyone in the company is aware. And everyone knows that it's possible that an email comes, perhaps from the boss, but it only looks as if it's from the boss. But in reality, as we have just discussed, it is malware. This sensitivity is important for everyone.
Thomas Sinnwell: Now I have to remember that I was at a CYBR360 event last week. In the end, it was initiated by the Saarland Ministry of Economics, an association of companies, but also users who deal with the topic of cyber security and other players. And I simply heard from many users. It would be important if the boss could really understand it. That means that the topic of awareness training came up right away. Yes, but the boss also has to know that, because otherwise I have no chance in my company. I can't get it through because I don't have any backing. In this respect, I believe that it is very, very important that awareness is created and know-how is built up in the executive floors, in the boardrooms. Otherwise, the levels below will have an incredibly hard time.
Marc Schmitt: Exactly. It really is the case that awareness is often recommended from the top. But you hear it stops somewhere at a hierarchical level below the management. And the boss is of the opinion that he knows his stuff, but that's often not the case. Cybercrime or cyber offences are special. The perpetrators are very perfidious or very clever and you are not immune. And that's why, as I just said, awareness should prevail at every level, including the management level, so to speak, and they should not be exempt and should not simply click on the attachment just like the employees.
Thomas Sinnwell: Then I would like to move on seamlessly to this second phase of the model, which is called PROTECT. Because we have established that I can sensitise my employees, but attacks are so well done that something can still happen. And there are other possibilities. There are internal perpetrators. Depending on how a firewall is configured, if you're good enough, you might be able to get through. There's the internet, there's the fake website, the e-mails. There is a huge range of ways in which I can get cyber security problems into my house. So I have to protect myself. What can be done? We had addressed an important issue: not building a flat network, but segmentation. Now, if you listen or perhaps ask yourself the question right now, it's a good test question in your own IT: do we have a flat network - if I don't know - or are we segmented? And if I'm working with service providers, maybe that's also a question, "Can they help me segment my network?" If the other side then shrugs its shoulders, maybe you should think about changing service providers. Because many companies are also dependent on IT service providers. Yes, what else do I need for protection? Firewall. That's the first thing that comes to people's minds. It's a very important story, of course. There is an extended version of the whole thing, called Next Generation Firewall. And then I also have intrusion detection in there. Also, I would say, state of the art; certainly something recommendable and virus protection. Of course, that's also one of the reasons why I need protection, but then I have even more options. You mentioned the two factors of authentication and that also goes a bit in this direction, such zero-trust approaches, that I first assume that I cannot trust any technical component. You can do a lot of things, but then everything is already advanced. And I have deliberately listed them in this order, as I perceive it, in order to give the listeners an idea of where they can start and where they can end. But then we can also move seamlessly into phase three. This is called DETECT, and ultimately Detecting, noticing. The point here is that if a problem has already arisen due to the human factor or a technical vulnerability and malicious code is spreading in my company, then it is of course crucial how long it takes until I notice it. That is to say, and I can't just lay my hands on it, I have to do it now, somehow I need tools. In my view, that would be the next level of what you can and perhaps should do. What do you think about this, from your experience - now?
Marc Schmitt: As I said, all the rules or all the areas that you have now mentioned are very important, especially for companies, that you establish in advance or when you develop a plan, how do I protect myself, that you establish that this is my condition now, this is the normality. These data, depending on the company are the normal flow. So that then with. You have just established or set out that companies just establish with tools or appropriate mechanisms when this is no longer the case. So there is no longer a normal flow in the review or in the data, then there is an anomaly, so to speak, where I have to take a closer look, where practically the person who looks after it is also sensitive. Aha. Or an alarm, figuratively speaking, appears on a monitor. Now there's an abnormal state. Look, what exactly happened there? And then I also have a relatively quick reaction to a malware incident, which always changes the system in some way, let's say. And to determine this change is important and therefore it is elementary important to also have a plan, as you just said, the NIST model is this five-phase model is very suitable for determining this. I have an anomaly and can react directly to it.
Thomas Sinnwell: Well, now that you've mentioned the topic of anomalies, from my point of view that's the tip I would like to give our listeners. If you think about monitoring systems - there are so many - just to throw in a few words, at the beginning intrusion detection or when an attack is detected based on a signature - signature-based means that it has already happened somewhere in the world - is in the database and the provider of my intrusion detection system knows it, has loaded this signature onto my system and thus the system recognises when such an attack comes in and if it can still block it, then it is simply in intrusion prevention. Otherwise I just see it and then it's Intrusion Detection. But then it goes on seamlessly. Then you can use sandbox systems. Maybe that's more of a topic for larger companies, classically. Then there is the area of network detection and response, which is actually the track where I look at the network traffic in the north-south and east-west and can of course detect changes and anomalies that need to be looked at. There are very strong machine learning-based anomaly detection methods, which I have to be able to master, then I need the corresponding team. They are very powerful and certainly, in terms of detecting zero-day exploits, perhaps the best technical option, but it has a price. It's actually not manageable for small structures. And if I then continue and at the end of the chain, at some point, I also arrive at End Point Protection, if I have a German antivirus manufacturer or a large American one, then I actually already have End Point Protection. Of course, there are other systems that go a bit further, and at the very end there are SIEM systems. This is now a technical zoo and I would like to tell everyone that it is important that when the system reports something, that I, as the person sitting in front of it, can do something with it, because otherwise what you have just mentioned is not possible at all. Oh God, I see a problem, an attack, high criticality. But now comes the crucial question, what do I do then? And that is then also the seamless transition to this fourth phase in the RESPOND model, i.e. to react somehow. And that is a decisive point. In this respect, this is a very important criterion for me in the monitoring system; they help me not only to see the problem, but perhaps to give me something to do - what is the best thing to do now?
Marc Schmitt: This is exactly where we come to an important point, or perhaps the most important point here, how do I react to such an incident? Here, too, I would like to remind you of the plan that I should make for myself as a small, medium-sized or large company, the emergency plan. Emergency IT plan, so to speak, for the emergency now, when I react to this incident, then I need to know who can I call, where can I call? Ideally, who is my contact person? Maybe we have discussed beforehand, what do I do, what does the person need here? Do we also come as police or as ZAC? This is a tool that ZAC wants to provide, a contact person. People have discussed things beforehand, they know each other's faces, then everything goes faster. I, as the person concerned, already know within the framework of this process what I have to have ready, what I can hand over to the police or prosecution directly. Who do I inform of this plan if I already have it in the drawer? Then I can always react to an incident much, much better than if I find out as you have just described. Oh, it's something, an anomaly has occurred. What do I do now? And now I first brainstorm or think about valuable time that is lost, that when I pull a plan out of the drawer I have already bridged and can go straight into incident response, so to speak. That's why this response or reaction phase is incredibly important, also to know, practically, to have an emergency plan.
Thomas Sinnwell: Exactly. And that's where I would just say again - sequences from the first and second podcast on the topic of cybersecurity come to mind. That's when the human factor also comes into play. When you suddenly realise, oh dear, am I to blame, did I ...? What am I actually doing now? Oh God, what's happening? Maybe my telephone system is already encrypted. I can't even make a call. And then panic quickly sets in. If I don't have an emergency plan, it's very difficult to act rationally and sensibly. But if I have the checklist, I can run through it. Now I do this, then I do this, then I do this. And that helps immensely.
Marc Schmitt: That's exactly where I want to intervene again. That's why it's important. You just said, maybe the telephone system is encrypted or the whole system is encrypted. That's why it's always advisable to keep this emergency plan or the emergency contacts in analogue form in the digital age, to have an emergency folder on the shelf, so to speak, that I can pull out, where I have the emergency numbers, the contact details of whoever, the BSI, the police, my IT company that looks after me, so that I still know them and don't just have everything in the then encrypted computer, which then no longer helps me. That's why it's also important to have this plan printed out in analogue form in the cupboard.
Thomas Sinnwell: Absolutely. I would like to take this as an opportunity to come to the last point of the five-phase model. To the area of Recover. If it has really happened and the malicious code has spread, and maybe I'm lucky and have a segmented network, and maybe I even have monitoring solutions that help me to understand which segment is actually affected? And maybe it's only two of my fifteen? Yes, but then I have to set up the systems in these two segments that are affected again. Then I need a functioning backup. I need the know-how or the right service provider. And these are all the things you do in this last phase. I think we have now made quite a broad breakthrough through all these possibilities. And when you hear it like that and you're not a specialist, it may seem a bit - maybe a bit - oh God, what, it's so complex, but I don't even need to start there. I think you can do it in small steps. And you can also approach the ZAC when you take these first steps to become more secure, to maybe get one or two pieces of advice.
Marc Schmitt: The police or the Cybercrime Central Contact Point is there for all companies, for all commercial enterprises, whether small, medium or large. We don't make a distinction and say we only become active when a company has fifteen or fifty employees. Even small companies that have a question in this area can contact us via this ZAC hotline or telephone number. Of course, we cannot take on the advisory function of a cyber security company. We don't want to and we're not allowed to. But even such a company, I mentioned it at the beginning, is advised that there are possibilities, for example, via the BSI or various institutions, associations, which are partly free of charge, partly cheap, then upwards as in all areas ...
Thomas Sinnwell: ... open at the top.
Marc Schmitt: Open to the top, money cost-wise can inform and then secure. But we already discussed it at the beginning. Basic protection, even for very small companies, can actually be realised as good as free of charge. And this is the information service provided by ZAC, which does not differentiate between small and large enterprises. What we have to say again is that the Cybercrime Central Contact Point is aimed at commercial enterprises and institutions or authorities. It is not aimed at private citizens, because that would simply be too large a group for an advisory company. But this association or Cyber 360 has now created an opportunity for private citizens to inform themselves about certain protection options here in Saarland. But as I said, we are available for companies, both large and small.
Thomas Sinnwell: That's nice and maybe that's a good point to draw a conclusion now and I would like to do it in this form. What would you like to give our listeners at the end of our podcast? Yes, in the context of simply being able to create more cyber-resilience in one's own company.
Marc Schmitt: On the one hand, what is important to me is to see the police as partners. As I said, we are active both preventively and repressively, which means preventively contacting us, not being afraid to contact the police, even if an incident has occurred. We don't flatten systems, so to speak, or come into the company and take everything away. We always work together with the company. Even if an external security company is hired by the company, we do that in cooperation with the respective service provider, so that the police always weigh up between securing evidence and the viability of the company. Secondly, it is important to know, another fear nowadays, that if I contact the police, tomorrow I will be somewhere in the press or on the radio or on the internet. The police do not do their own press work without consulting the company itself. When we are approached, we always refer to the company concerned and do not naturally say, let's go to company XY, a cyber incident happened there, then no aggrieved company will ever notify us again. Elementary is to bring information together, to display things. The mindset that this happened to me, nothing will come of it anyway, the perpetrators are somewhere XY on another continent. If many people think that, then years later something comes to light by chance and valuable information to perhaps identify structures is lost. That is to say, if something has happened, even if at first you think it will happen, nothing will happen or no one will be investigated. Nevertheless, it is important in the context of such things to bring information together. The success of the investigation stands and falls with the information. And as I said, companies should protect it. One should think about the topic of cyber security, so that one does not have to deal with it only when the child has fallen into the well, as you said.
Thomas Sinnwell: I would now like to add another thought that crossed my mind while listening to your conclusion. I would like to come back to this event at CYBR360. The auditorium also brought in the aspect that, well, you also have a social responsibility and in this context I find it quite appropriate, because something like this happens to me as a company, if I contact the police in time, if there is evidence, I can definitely make a contribution or there is a chance that it won't happen to too many companies afterwards, because it is always possible to identify groups of perpetrators and in addition to this aspect, I also think it is important that one speaks openly about it. There is no shame in that. It can happen to any company and it doesn't matter at what stage I am in this five-phase model, whether I have just started or am already fully professional. It can happen to anyone. With that in mind, I hope we were able to do a little bit of educating for our listeners. I enjoyed talking to you, Mr Schmitt. Thank you very much for supporting me.
Marc Schmitt: Thank you! Thank you for inviting me here.
Thomas Sinnwell: Yes, to our listeners. This was now the last episode in our three-part series on cyber security. I hope that my discussion partners and I have succeeded in giving every listener something to take away with them in order to achieve more cyber security. We are now taking a well-deserved winter break. Have a good time, stay tuned. Bye.
Marc Schmitt: Bye.
Dear listeners. We hope you had a good start to the new year. The consistec team is saying goodbye at this point as we take a break from our Querverlinkt podcast. We hope you enjoyed the season finale and that we were able to show the topic of cyber security from different perspectives. As always, you can find further links to the current episode in the show notes. And if you want to find out more about what we're up to at consistec, feel free to follow us on our social media channels. We wish you a wonderful 2023.
See you then. Bye!