October 7

Event takeaway: Deutscher IT-Security Kongress


My key takeaways

  • hardening backup systems is key
    • disconnected from the AD
    • designed in a way, that it may continue functioning even if all other systems are shut down
  • due to testing and verification of software patches in most B2B environments before rollout, the time a system remains unpatched is prolonged
    • more time for the black hats to pop a system
    • alternative: some manufacturers are pretesting the patches for their clients in a client-specific sandbox
  • Incident response is key
    • be prepared with business continuity plans
  • Remmers Logistik is part of a supply chain
    • A company may also be affected if another company in the supply chain is held hostage: no delivery, no production, no sales
  • How do you document transactions in an emergency situation so that the data can be transfered in a new ERP afterwards? <- think ahead
  • It not hit&run anymore: ransomware criminals are using exfiltrated data to contact customers or business partners with these information, so that the shame builds up pressure for the victim to pay
  • If the emails get compromised, the contained information is used to create highly targeted spearfishing campaigns
    • the information in the emails may seem worthless, but for an attacker it might be valuable information to build a pretext
  • There are not so much more attackes but they get much more sophisticated and targeted
  • The State Commissioner of Data Protection for Niedersachsen recommends to not use Microsoft Office 365 due to issues regarding GDPR
  • A successor for safe harbour is unlikely
    • Binding Corporate Rules may be a required
  • Main security concerns with remote working employees
    • connectivity: no business contracts with Telcos, no SLAs
    • access: who can listen to conversations? Who can read the screen in a public environment?
    • access control: eg theft of hardware, what data is on the devices
  • Printing is also an issue when working from home
    • more and more business try to become paperless
    • secure disposal or printed information otherwise also a major concern
  • Awareness trainigs does not want to make every employee a security expert. It creates awareness. Best case is encouraging to question a situation, due to this awareness.
  • Training must be attractive not just required
    • storytelling
    • short sequences of 20-60 min
    • multimedia
  • Awareness training for employees is often required to get a cyber insurance


additional links


awareness training, GDPR, MS365, privacy, ransomware

You may also like

Summary of a LinkedIn Post Series: Ideas and Insights for Effective Security Awareness in Cybersecurity Awareness Month

Summary of a LinkedIn Post Series: Ideas and Insights for Effective Security Awareness in Cybersecurity Awareness Month

Event takeaway – SecIT 2023

Event takeaway – SecIT 2023
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}