
Successfully preventing cyberattacks

Interview with Dr Hauke Hansen

Dr Hansen, companies and authorities are increasingly being targeted by cyberattacks. The inter-trade organisation Bitkom estimates annual damages, just in Germany, to be EUR 200 billion. What measures can companies take to protect themselves?

There is no such thing as 100% security. No matter how much money companies invest in technical measures and employee awareness, there is no invulnerability. At the same time, many attacks could be prevented with a smart IT security strategy. The most important thing – make IT security a top priority in your company. 

What happens during an attack?

Most of the time, hackers carry out a ransomware attack. Malware, for example a Trojan horse disguised as a legitimate email attachment, is infiltrated into a company network in such a way that all data, including operational control and operating systems, is encrypted. Often all systems come to a standstill. The blackmailers copy the data and then threaten to publish it if their ransom demands are not met.

How should you deal with ransom demands?

First of all, it is not illegal to pay a ransom. Especially if there are no clean and unencrypted backups, you should consider paying a ransom. At the same time, ransom payments increase the incentive for criminals to commit further crimes. Therefore, political demands are repeatedly made to legally prohibit paying ransoms.

What does a good emergency plan look like?

An emergency plan primarily contains the immediate measures to be taken. In the event of an attack, it is important to be able to react within minutes or hours in order to limit the consequences. Firstly, who needs to be informed and how does this happen if email and telephones no longer work? Who will pull the plug to prevent the attack from spreading further? How can business activity be maintained or restored as quickly as possible? Ideally, the company already knows which external experts should be called in from incident response, IT forensics, crisis communication, and law. 

Which damages are covered by insurance?

Insurance covers damages caused to the attacked company – for example in the event of a business interruption, or costs for restoring IT systems. Cyber liability insurance covers damages caused to third parties as a result of the attack – for example, the customer. Affected companies without special cyber insurance should take a look at their liability insurance. Cyberattacks are often covered there.

Cyber risks are difficult to calculate. Insurance companies are taking a closer look at the existing IT infrastructure before approving a policy, and they are demanding significant investments in IT security.

Which liability risks do board members and managing directors take on?

The obligations of the company and its management in connection with IT security have not yet been centrally regulated by law. However, as part of its responsibility for corporate compliance, management is required to take appropriate measures to identify early developments that endanger the continued existence of the company. In addition, new EU laws such as the NIS2 directive are trying to increase the pressure on management by making them personally liable if they do not pay sufficient attention to the issue of IT security. In the future, it can no longer be ruled out that management will face claims for damages if neglected IT security has led to damage.

Is it true that hacked companies also face official fines, meaning they are asked to pay twice?

This is certainly conceivable, especially if the IT infrastructure is not state-of-the-art. The German legislature underlines the importance of IT security through a legal regulation in the General Data Protection Regulation, and wants to raise awareness of this through financial pressure on companies. In other EU countries, data protection authorities have already imposed fines worth millions in this context. German regulators are taking a different approach. They correctly see hacked companies as victims who should not be punished further.

Dr Hauke Hansen is a specialist lawyer for IT law, certified data protection officer (TÜV®) and Partner at the business law firm FPS. He is an expert in cybersecurity, IT law and data protection. He designs cyber security strategies to protect authorities as well as entrepreneurs and companies. In the event of an attack, Mr Hansen coordinates the necessary immediate measures and supports his clients in defending against claims for damages and administrative fines. WirtschaftsWoche recently recognised Dr Hansen in a ranking as a leading lawyer in data protection law.

30 January 2024

FPS