Deutsche Telekom offers a growing portfolio of products and solutions outside of phone, TV and Internet services. A key part of the business is Internet security. Dirk Backofen, Head of Telekom Security, explains in an interview why, without robust cybersecurity, digital transformation is likely to reach its limit.
Dirk Backofen, data security is only ever in the news when there’s been yet another big cyberattack. In your view, how important is IT security for the future of the digital economy?
By 2020, the world’s population will have grown to 7.7 billion people. And these people will want to be connected, in many cases through multiple devices. We also expect that in two years’ time we’ll have 50 billion digital senders and receivers in the Internet of Things (IoT), from small beacons, or sensors, to entire fleets of interconnected machines. Factor in the dramatic upsurge in cyberattacks, and it’s clear that secure connectivity is vital to keep digital transformation on track. Without good security, key assets such as critical business information, patents and customer data will be vulnerable to cyberattack. Installing the right protections is a huge challenge.
What are the greatest risks in Internet 4.0?
An estimated 90 percent of enterprise networks have good or very good IT security for their data centers or LAN and office structures. The picture is very different for industrial networks: only 10 percent or so currently have robust safeguards – despite the fact that the IoT comes under attack just as often as private and corporate networks. Many organizations have completely inadequate levels of protection.
Why is this?
A case in point: organizations have installed smart network-connected sensors which can actively send information. However, the sensors do not have a real operating system of their own, making it impossible to install protection software directly. But effective protection is still needed at these touchpoints. Sensor gateways must be upgraded to provide more security. Another problem is that many production networks have to date been standalone installations, without an Internet connection. But once you start bringing robots into the production lines that use data from the cloud, you suddenly have your entire production hooked up to the Internet, because of the connections through the machines.
What would be the worst-case scenario if cloud security were to fail?
It’s an open door for cyberattackers to gain all sorts of information and access. They could intercept emails, customer data and finance details, view patents or even digitally sabotage applications, production systems and business processes.
That sounds ominous – do organizations have too little awareness of these dangers?
The big corporates have already done a lot. However, SMEs tend to reach the point where they’re unable to keep up with the fast-paced developments in IT security. They don’t have the staff or the expertise, and are simply not in a position to fully protect their networks day and night. This shortfall could also permanently stall progress toward Industry 4.0. Organizations whose networks have grown steadily over many years might not even know which machines and production areas are in fact connected. To add to the challenge, the legal requirements for IT security are getting stricter and stricter, especially for critical infrastructures in sectors such as energy or banking.
To assess a system properly – and determine if it’s protected, or if there are weak points anywhere – we subject it to penetration testing. We have our own “cyberattackers” who scrutinize the systems on request of our customers, and alert them to potential security gaps. If our cyberattackers do find anything, we never just leave customers to it. We bring in our consulting and architecture engineering teams and advise customers how to proceed: how can they increase security? And how can a managed-security provider help?
Is there a general rule for how much a business should spend on cybersecurity?
Organizations should invest about five to six percent of their annual IT budget, capex and opex, in cybersecurity. Our statistics show that customers then have effective protection. The security spend for organizations with critical infrastructure is around ten to eleven percent of the annual IT budget.
How well protected is Deutsche Telekom against cyberattacks?
We are attacked on average around 12 million times a day, from all parts of the world. In June 2018, there was even a day with 15 million attacks. We detect them with a worldwide sensor system of traps, or honey pots, in which we simulate the range of system technologies used by Telekom and our customers. The honey pots fake certain vulnerabilities in order to provoke cyberattacks on devices and networks such as smartphones, pads, PCs or routers. We let these shadow systems be deliberately invaded as a way of learning how the hackers go about their attacks, and what new tools they have at their disposal.
What do you do with the insights you gain?
The good news is that, on average, our systems can automatically fend off over 11.9 million of these attacks. But – here comes the bad news – every day we identify between three and eight attack patterns that we have never seen before. We analyze them in forensics and then train our real systems worldwide to ensure they stay protected in the event of an attack of this new kind. We do the same for our customers, including DAX and MDAX companies, which have outsourced their security monitoring to our CyberDefense and Security Operations Center in Bonn. The good thing is, when we detect an attack on a customer, we can take action using our “run book” of targeted and ready-aligned countermeasures. We don’t just do this for the attacked company, but also as an automatic preventive measure for the other companies we serve, even though they may not have suffered an attack.
Where do you get the expertise to guarantee this security?
We build knowledge within the Telekom Group, and learn daily through operating our own and our customers’ networks. Of course, we also work closely with partners, and have already added around 50 eminent cybersecurity partners such as Cisco, Symantec, Checkpoint, McAfee, Microsoft, Palo Alto, Zscaler and Zimperium to our Magenta Security portfolio.
Cyber security is essential both privately on the Internet and in the industrial IoT
Why do you need so many companies in your network?
There is a huge variety of attack patterns, and most companies specialize in only one part. That’s why we always have to offer every customer a mix of different solutions. In the medium term, however, the market will consolidate. We have a clear focus: we are already Number 1 in Germany, but also want to become Number 1 in Europe for cybersecurity. Going forward, we’d like to work with between 10 and 20 large-ish organizations to establish a security partner ecosystem that is truly equipped to fend off any and all attacks. That will also unlock value for customers, because we can of course leverage economies of scale. At the same time, being one of the largest companies operating in this field, we also have a sense of social responsibility.
What does that mean?
The bad guys can’t win if we all work together on protecting each other. Cooperation is the only way forward. It’s as simple as that. We have to get our expertise out there, share what we know with other organizations. Telekom’s “Life is for sharing” slogan applies equally well here: “Security is for sharing”. Let’s build an army of good guys, with customers, system suppliers and managed security service providers all working together to stop cybercriminals in their tracks. It also means if companies are victims of a cyberattack, they also have to talk about it.
Don’t they do that anyway?
Cyberattacks can and do affect nearly every organization in Germany, from SMEs to the big corporates. Perpetrators range from professional hackers and white-collar criminals to geeks testing the bounds of possibility.
Bitkom, Germany’s tech company association, estimates that in 2017 alone, cyberattacks racked up a cost of around EUR 43 billion to companies in Germany. Europe-wide, the cost is estimated at EUR 200 billion, and globally EUR 450 billion. But hardly anyone is talking about it. According to Germany’s Federal Crime Bureau (BKA), the total volume of damage reported last year was just EUR 15 million. And that’s the problem. We can only prevent attacks by making them public, identifying and prosecuting the offenders, and finding shared solutions for greater IT security.