Attack on companies via USB-Stick

Whoever finds and picks up an expensive-looking USB-stick on the parking lot of their company endangers the security of their firm. Resourceful hackers arm the tiny memory devices with malware and place them on parking lots on purpose to make employees connect the stick to a company computer. Afterwards malware and spyware can install itself.

The ploy to use a lost USB-stick was only one of the possible IT security holes that were discussed during the information and discussion round “Digitalisation and IT security in medium-sized businesses” on April 13 at QASS in Wetter (Ruhr). About 40 guests from local businesses visited the event that QASS, in cooperation with the economic development agency Ennepe-Ruhr, invited to.

Medium-sized businesses have catching up to do
​
This topic has explosiveness: Digital attacks on businesses cause damages of about 51 billion Euro each year. That is what an analysis by the inter-trade organisation Bitkom has shown. According to the analysis, especially affected are the automotive industry, the chemical industry, and the finance sector. According to Bitkom particularly medium-sized businesses have catching up to do. QASS was able to gain Dr Olaf Röper as a speaker, the former head of IT at ThyssenKrupp Industrial Solutions AG. He talked about the process of digitalization in businesses. “Between 2003 and 2013 the economy has changed”, said Röper, “70 per cent of the highest selling, global businesses on the Fortune 500 list are new.”

When the user is the product
​
According to Röper digitalization is more than just the automatization of products. It applies to a steadily increasing number of corporate sectors. As an example Röper used manufacturers of farm vehicles, whose cars contain more and more sensors, which forces the companies to offer complete agrarian management systems to their clients.
Following rule of thumb also belongs to this new economy, according to Röper: “If the user does not have to pay anything, he is the product.” With this Röper hints at internet companies like Google, Facebook, and Twitter which offer their services to users free of charge, but collect relevant data for advertisers.

Self-deception in IT security
​
Dr Peter-Christian Zinn, physicist at QASS: “In IT security there are three big self-deceptions. First: E-mails are safe. Second: The cloud is safe. Third: The technology is safe.” With this Zinn brought the human into the focus, which poses a great risk for companies. Tomas Garcia, assistant IT manager and team leader of the IT organisation at Dörken Service GmbH, gave one example: “I have called an IT hotline of a company once. I posed as an employee and spelled the name wrong on purpose. Then I told them that I had lost my password and needed it urgently to do something for the CEO.” Only Moments later he received the password without the IT department checking the identity of the caller.

„Social Engineering“ concerns one fifth of companies

„You have to sensitize all employees. For that there are two guiding principles: Security before politeness and comfort.” Garcia gave the tip to always lock the screen when leaving the desk. At the same time, security guidelines and a guarantor should be established. Attacks on employees are also called “Social Engineering”. According to the inter-trade organisation Bitkom one fifth of all companies have already noticed such attacks, which are a manipulation of employees to attain security-relevant information.