While the big companies can afford whole armades of IT departments with the appropriate IT specialists, the medium-sized companies and above all the whole individual entrepreneurs and self-employed fail here.
It's really great how EDP has developed into such an efficient IT since 1970. It's hard to believe, but the astronauts of Apollo 11, the first lunar landing mission under Neil Amstrong, got by with an on-board computer - Apollo Guidance Computer (AGC) - that is mercilessly inferior to modern smartphones. For comparison: The AGC had a working memory of 32,768 bits or 4,096 bytes. 4 gigabytes of RAM are currently common with current iPhones, which corresponds to 34,359,738,368 bits and thus a little more than a million times that of the Apollo computer. The differences are also phenomenal when it comes to permanent storage. The AGC could access 72 kilobytes of ROM (Read Only Memory), which corresponds to 589,824 bits. Compared to current smartphones, which now have 512 gigabytes or even a terabyte of internal memory, this is downright tiny. For comparison: 512 gigabytes are around seven million times more than the AGC's 72 kilobytes.
Just as a small informative throw-in about the luxury and which performance calculators we have in our pockets today, just as a small informative throw-in about the luxury and which performance calculators we carry in our pockets today.
While our IT has become more and more efficient with regard to the actual functions, the downside has always grown with it. And strictly speaking, those involved in cyberattacks are a nose's length ahead of everyone else. So if a security hole in a system or program is discovered and closed, the next hole is guaranteed to be open elsewhere. And against the background of what the AGC has achieved - a flight to the moon plus landing and a successful return flight - we should be aware of what our IT equipment can do today.
It is most stuck in medium-sized and small businesses, where IT security is better equated with standard settings or solutions because the budget is insufficient. But that's not all. In both sole proprietorship and medium-sized companies, it is the shortage of skilled workers that makes IT security suffer. Improper handling of the data leads to security problems with both groups. These include a lack of backup concepts, the tendency to put all data in the cloud or to use entire applications in the cloud. The relocation of data and activities to the cloud in particular harbors an immense security risk because those involved place themselves in the care of external data centers and no longer have any influence on the business policy of the respective operator. What happens to my data there, despite the encrypted connection to the clouds? What else do the applications in the cloud do in the background during the connection between my work computer and the cloud?
The same scenario can be continued in email traffic, which has almost replaced the old letter post. These days I was able to show a friend on my own mail server what information an administrator and anyone who gains administrative access to a mail server can get from the mail. So far, my friend thought that only she could read her email traffic on her laptop, no one else. Just think now of the many free webmailers or those of the large ISPs, where a mail account is now part of the basic equipment for telephone and internet connections. These are very glaring security gaps in the respective IT, in contrast to your own mail servers. But not everyone has to own a mail server, although that makes sense as an entrepreneur. You can also secure the mail traffic via these webmailers and via these standard ISP mail servers with very simple on-board means: With encryption of the sent content. And in the end it works everywhere, even without special mail software. And the mails are suddenly only readable by the recipient and the sender, just like the old letter post. Smartphones can of course do that too.
The self-employed or sole proprietorships tend to have security gaps in the IT infrastructure and software used. Off-the-shelf network components are used above average, but in the truest sense of the word, because here convenience triumphs over security. The default settings are taken over unchanged due to the fast availability of Internet access due to a lack of firewall and router knowledge. The same applies to the printed administrator password as well as the SSID names and their passwords. All data that are distributed en masse to the mass product's love, thus also to the attackers who only need to look up lists on the Internet/Darknet.
When it comes to the choice of software, it is absolutely no different. What is taken is what the majority already had on the computer when they bought it and what was somehow already presented in the training. The only difference to medium-sized companies is that you may already be able to afford specific industry software in terms of budget, but it also suffers from the fact that it also sets up mass systems whose bug fixes must first be removed by experienced IT administrators.
Due to the approach of the self-employed and the approach of the self-employed and sole proprietorships in the procurement of IT infrastructure, there is a lack of emergency concepts for failure safety and data redundancy right from the start in order not to jeopardize their own productivity. The only security measure that works here is the installation of a virus scanner, which means that the unanimous opinion is that the systems are then already "safe". But viruses are only a small part of what constitutes the IT of a company or of private individuals. And virus scanners only work if they always contain the latest data and are correctly installed and configured.
In principle, we are only scratching the surface of IT security so far. Shadow IT does not affect small companies with few employees as much as companies with many employees, but for them too, shadow IT is one of many gateways. Even in large companies, IT administrators usually do not know the scope of shadow IT in their own area of responsibility. We are talking about the potential dangers of social media in employee communication, services such as clouds and software as service or self-developed Access / Excel applications and the increasing use of business intelligence. Hardware such as PCs, printers, routers from retail stores instead of experts promote shadow IT as well as the numerous smartphones and tablets that are integrated and used in their own company network without policies. Each employee has their own preferences for the smartphone OS and the installed apps. And as far as support structures are concerned, in most companies the support model “colleague helps colleague” counts, a catastrophe for IT security in practice.
In the meantime, at least almost every company has a data protection officer. But less because you are offering your company more IT security with such an expert, but because it can now become very expensive if you do not handle the data of your own employees and all customers correctly, in the sense of our case law. Unfortunately, the need for an IT security officer for every company is still stuck. And a lack of IT security does at least as much, if not more, damage than non-compliance with data protection. Anyway, those who actively take care of their IT security are also at the forefront when it comes to data protection, data protection is a sub-area of IT security.
Status check is also necessary for smaller companies and SMEs
According to the industry association Bitkom, three out of four companies with 100 to 500 employees have been affected by IT security incidents in recent years. While large companies can afford their own IT security departments, the IT teams of small and medium-sized companies are usually fully occupied with maintaining the operability of their infrastructure. Almost every day there are new reports of successful attacks - ransomware, Trojans and discovered security holes.
Improving IT security in medium-sized and small businesses is not an easy process. But how can such a company protect itself comprehensively? Classic antivirus protection alone is no longer enough. The first step is a security assessment. With this service, companies get a good and cost-efficient overview of possible weak points in their own IT. Such a status check is usually at the beginning of dealing with the complex topic of IT security. In contrast to a full pentest, a status check is also affordable for small and medium-sized companies and the results can be used sensibly. A review of the company's own IT ideally leads to the fact that policies for passwords and other security-relevant processes are also put to the test or even defined in the first place. Because hardly a professional attacker does not rely on these attack vectors.
Awareness campaigns for employees
Employees play a crucial role when it comes to fending off a cyber attack. This is why SMEs are particularly dependent on the active awareness of their employees due to the lower use of technology. Regular training on IT security topics is just as natural as training units on fire protection or first aid.
Provision for the worst case
In general, the same recommendations exist for SMEs and sole proprietorships as for larger companies:
Companies should prepare for an IT security incident just as they should for other critical events. Worst cases in IT should be examined preventively according to the principles of Business Continuity Management (BCM). The maximum tolerable downtime (MTA) for critical systems should be known. All necessary data, such as a network plan or contact addresses, should also be available at all times without the company's IT infrastructure. A minimal solution for maintaining communication, for example via cellular network or a separate DSL solution, should be prepared. To compensate for the SME-/self-employed- typical weakness in incident management - it is advisable to conclude incident response service agreements with competent partners. These should already be included in the preventive measures.
The Apollo Guidance Computer (AGC) would have exactly the same problems today as its larger, more powerful siblings. Today only they have to struggle with the global networking of all devices and participants.