Cyber attacks: How dangerous they are and how to protect yourself

"I want to protect companies from the kind of person I used to be," explained ex-hacker Patrick Brielmayer. The IT graduate used to program viruses and Trojans or execute DDOS attacks, i.e. the deliberate crippling of web pages. He was never caught – "but I always had to watch out and was nervous." That's why Patrick Brielmayer has changed sides and set up an IT security company. Today, corporate customers willingly open their networks to him so that he can comb them for traces of cyber attacks. His specialty is analyzing malware, "I find out how the attack took place and what damage was inflicted." Brielmayer's mission: He wants to bring companies up to speed about the risks of cyber criminality and contribute to better protection.

This concern also drives Daniel Nussbaumer. The lawyer with a PhD is the head of the cyber crime department in the Zurich Canton Police. His team now encompasses 15 detectives and 30 specialists in digital forensics, including many IT graduates. Increasing digitization has made police work more complex, since the Internet has created completely new ways to commit crimes. 

According to Daniel Nussbaumer, many SMEs are affected by, for example, “CEO fraud”: Cyber criminals recreate a typical e-mail from the boss. In it, he asks for an urgent payment of CHF 5,000 to be made. But when the bookkeeping department makes the payment, it ends up with the hackers. "Usually there are complete teams behind it all," he explained. "One programs, one's good at writing and the third one does the research." The police specialist advises to always double check by calling back in the event of unusual e-mails.

In addition, the police is often confronted by so-called crypto-ransomware: Malware encrypts all of the information in the computer system of the company affected. This is followed shortly thereafter by a ransom demand, usually in bitcoin. "Naturally, our advice is not to pay," said Daniel Nussbaumer. "Every payment finances new attacks." Furthermore, you never know whether the blackmailers will actually release the data. And if the hacker used previously unknown crypto-ransomware, even professionals cannot help. This is why Daniel Nussbaumer urges all companies to prepare for such attacks.

Christian Zanvit is Head of Cyber Underwriting at Zurich Switzerland, and it was his team that developed Zurich Cyber Insurance. Crypto ransomware attacks are a grave problem for him. He even speaks of a security myth: "Many companies believe they're already protected with regular back-ups." However, if the back-up is not taken off the network it will likewise become the victim of an attack. Furthermore, malware is often only activated some time after the attack. By then, the back-up may also be contaminated. "Moreover, it's a lot more expensive and time consuming to restore the data than people think."

According to the ex-hacker Brielmayer, the companies often only learn of a cyber attack when the attacker demands something – or the data of the company turns up somewhere. Feeling safe thanks to a firewall and anti-virus program is an illusion. You can obtain basic protection against known viruses with customary commercial instruments, but newly written malware will not be recognized: "It's a cat and mouse game." So as not to allow malware into the IT network in the first place, he recommends that SMEs also sensitize their employees via IT security training at least once a year. Zurich expert Christian Zanvit is also convinced of this, because "People are often the weakest link. Most hacker attacks occur due to a lack of attention on the part of employees." This is also confirmed by the experience of our partner company, SoSafe: Almost one in three people are tempted to click on potentially harmful content in phishing emails. 

Patrick Brielmayer considers the theft of company data to be the greatest cyber risk in Switzerland: "Every SME has its secrets with which it also makes money – ideas, recipes, construction plans, customer or bank data, or insurance policy numbers. If this data gets out, it's pretty serious." Daniel Nussbaumer from the cantonal police force also confirms this. Every SME could become a victim and therefore has to ask which of its data need particular protection.

For Patrick Brielmayer, e-mail applications, faked complaints or product queries are the perfect vehicles for cyber attacks. These days, classic phishing emails are also often so well done that even an attentive reader could be deceived by them. Sometimes the hackers even forge complete web pages with forms, which cannot be distinguished from those of telecom companies or online department stores. Or the cyber criminals pretend to be technicians and ask for customer data by telephone.

Companies with online shops are particularly at risk, in Brielmayer's view. If these are crippled with a so-called DDOS attack, business can break down for hours or even days. "It's even worse if customer data is stolen or published. I know of such cases – and they have far-reaching consequences." Once the criminals are inside the network, they look for documents they can use, explains insurance expert Christian Zanvit. For SMEs, business interruption and data loss caused by a successful attack are particularly relevant, but claims for damages may also result.

From Patrick Brielmayer's point of view, catching cyber criminals is very difficult, "They can be anywhere in the world." Daniel Nussbaumer sees this differently, "Complete anonymization doesn't hold up forever, because the perpetrators are people too. And people make mistakes." In addition, the Zurich cantonal police cooperate closely with the police authorities of other cantons and countries. "Consequently, we certainly have opportunities to catch foreign perpetrators too." Even money withdrawn can often be recovered.

Daniel Nussbaumer from the Zurich cantonal police department regrets that many companies do not bring any criminal charges, "We probably only see a small portion of the cases. Consequently, we lose the opportunity to clarify the situation." His recipe for preventing cyber risks from becoming a catastrophe, "Prevent attacks through good IT and sensitization of the employees towards this issue. Limit possible losses. And if something happens after all: do not hesitate to contact us. It's no disgrace to become a hacking victim – it can happen to anyone."