Cyber attacks: How companies can protect themselves in the current situation

"I want to protect companies from the kind of person I used to be," explained ex-hacker Patrick Brielmayer. The IT graduate used to program viruses and Trojans or execute DDOS attacks, i.e. the deliberate crippling of web pages. He was never caught – "but I always had to watch out and was nervous." That's why Patrick Brielmayer has changed sides and set up an IT security company. Today, corporate customers willingly open their networks to him so that he can comb them for traces of cyber attacks. His specialty is analyzing malware, "I find out how the attack took place and what damage was inflicted." Brielmayer's mission: He wants to bring companies up to speed about the risks of cyber criminality and contribute to better protection.

This concern also drives Daniel Nussbaumer. The lawyer with a PhD is the head of the cyber crime department in the Zurich Canton Police. His team now encompasses 15 detectives and 30 specialists in digital forensics, including many IT graduates. Increasing digitization has made police work more complex, since the Internet has created completely new ways to commit crimes. 

According to Daniel Nussbaumer, many SMEs are affected by, for example, “CEO fraud”: Cyber criminals recreate a typical e-mail from the boss. In it, he asks for an urgent payment of CHF 5,000 to be made. But when the bookkeeping department makes the payment, it ends up with the hackers. "Usually there are complete teams behind it all," he explained. "One programs, one's good at writing and the third one does the research." The police specialist advises to always double check by calling back in the event of unusual e-mails.

In addition, the Zurich detectives are often confronted by so-called crypto-ransomware: Malware encrypts all of the information in the computer system of the company affected. This is followed shortly thereafter by a ransom demand, usually in bitcoin. "Naturally, our advice is not to pay," said Daniel Nussbaumer. "Every payment finances new attacks." Furthermore, you never know whether the blackmailers will actually release the data. And if the hacker used previously unknown crypto-ransomware, even professionals cannot help. This is why Daniel Nussbaumer urges all companies to prepare for such attacks.

Stephan von Watzdorf heads the team Professional Liability and Cyber Risks, which developed the Zurich cyber insurance. Crypto ransomware attacks are a grave problem for him. He even speaks of a security myth: "Many companies believe they're already protected with regular back-ups." However, if the back-up is not taken off the network it will likewise become the victim of an attack. Moreover, malware is often only activated weeks after the hacking attack. By then, the back-up is usually also already contaminated. "Moreover, it's a lot more expensive and time consuming to restore the data than people think."

According to the ex-hacker Brielmayer, the companies often only learn of a cyber attack when the attacker demands something – or the data of the company turns up somewhere. Feeling safe thanks to a firewall and anti-virus program is an illusion. You can obtain basic protection against known viruses with customary commercial instruments, but newly written malware will not be recognized: "It's a cat and mouse game." Therefore, it also makes sense for SMEs to sensitize their employees at least once a year in an IT security course. After all: "People are the weakest link, most of the hacks occur due to the inattentiveness of employees," the Zurich expert Stephan von Watzdorf is convinced.

Patrick Brielmayer considers the theft of company data to be the greatest cyber risk in Switzerland: "Every SME has its secrets with which it also makes money – ideas, recipes, construction plans or customer data, such as credit card numbers, bank data or insurance numbers." If this data gets out, it's pretty serious." Daniel Nussbaumer from the cantonal police force also confirms this. Every SME could become a victim and therefore has to ask which of its data need particular protection.

For Patrick Brielmayer, e-mail applications, faked complaints or product queries are the perfect vehicles for cyber attacks. These days, classic phishing e-mails are also often so well made that even an attentive reader could be deceived by them. Sometimes the hackers even forge complete web pages with forms, which cannot be distinguished from those of telecom companies or online department stores. Or the cyber criminals pretend to be technicians and ask for customer data by telephone.

Companies with online shops are particularly at risk, in Brielmayer's view. If these are crippled with a so-called DDOS attack, business can break down for hours or even days. "It's even worse if customer data is stolen or published. I know of such cases – and they have far-reaching consequences." Patrick Brielmayer even thinks some Swiss companies may be paying "protection money" regularly to avoid having their online shops hacked. Daniel Nussbaumer from the cantonal police force does not know anything about this. He is convinced that with current technical precautions, a relatively large number of DDOS attacks could be prevented. "Yet there is no 100 percent protection – because hackers always discover new ways."

Once the cyber criminals are inside the network, they procure the credit card data of customers, for example, use it to buy bitcoin and charge prepaid credit cards, explained insurance expert von Watzdorf. For SMEs, the reputational damage is above all relevant, but claims for damages can also arise. 

If their own money is stolen, many SMEs feel secure, which is a mistake. They believed their banks would be liable for the losses. "But that's incorrect," according to the Zurich expert. The cause in any case usually lies in the IT of the SME affected: For example, the hackers install a Trojan and observe the bookkeeper until s/he logs into their e-banking account. "The hackers then take over the session while the employee stares at a black monitor. Later he finds out CHF 100,000 have been transferred."

From Patrick Brielmayer's point of view, catching cyber criminals is very difficult, "They can be anywhere in the world." Daniel Nussbaumer sees this differently, "Complete anonymization doesn't hold up forever, because the perpetrators are people too. And people make mistakes." In addition, the Zurich cantonal police cooperate closely with the police authorities of other cantons and countries. "Consequently, we certainly have opportunities to catch foreign perpetrators too." Even money withdrawn can often be recovered.

Nussbaumer regrets that many companies do not bring any criminal charges, "We probably only see a small portion of the cases. Consequently, we lose the opportunity to clarify the situation." His recipe for preventing cyber risks from becoming a catastrophe, "Prevent attacks through good IT and sensitization of the employees towards this issue. Limit possible losses. And if something happens after all: do not hesitate to contact us. It's no disgrace to become a hacking victim – it can happen to anyone."