Cyber attacks on companies and institutions are often a well-kept secret, so that one hears about them with much delay, if at all. In other cases, word gets out, when the attack has been so successful that nothing works anymore, and customers and the public must be informed. While this may be understandable – who wants to talk about the fact that their own IT infrastructure was vulnerable? Unfortunately avoiding the subject also means a lost learning opportunity regarding these incidents, even if it is only comparably small learnings such as how frequent these attacks have become. Thomas Pilz, CEO Pilz GmbH, on the other hand, is taking exactly the opposite approach: as part of the AmCham After Hour on the topic of cyber security, on 15 February he spoke about the attack on his company in 2019. With Dominik Helble, Head of Cybersecurity at Festo AG, and Sven Schreyer, Director Cyber Security & Privacy at PwC in Stuttgart, the events were also able to attract two more top-class speakers.
Stakeholders expect more transparency with regard to IT security
At the end of the focused event at the premises of Pilz GmbH in Ostfildern, the consensus was that it is actually no longer a question of "if" one will become a target for a cyber-attack, but rather "when". The topic of Thomas Pilz at the start of the After Hour was how such a massive cyber-attack takes place and how a company can regain its ability to act. Pilz not only described the means the company used to regain access to its own digital infrastructure, but also showed the strategic learning effects. Above all, the quick, open and ultimately successful handling of the situation impressed the audience. Thomas Pilz is not alone in his conviction that transparency in cyber incidents strengthens the trust of employees, customers, business partners and the public in the competence of the company: a good three-quarters of the German companies surveyed for PwC's Digital Trust Insights 2023 are also convinced of this. This was reported by Sven Schreyer, who presented the results of the international PwC study on cyber security and - strategy in companies. In practice, however, things look different for many: Only 35 per cent of respondents assume that they can effectively disclose cyber security practices, strategies and incidents to the outside world. What they lack are acknowledged standardised, uniform processes on how to disclose cyber incidents. This is where the state comes into play: legal regulations and audits such as the CRITIS regulation can be drivers for more transparent reporting.
You never walk alone: bringing together cyber security knowledge and resources
In the subsequent panel discussion, Dominik Helble, Head of Cybersecurity at Festo, once again emphasised the central role of transparency for protection against cyber attacks: transparency builds trust and the basis for companies to cooperate in the field of cyber security in the first place. Helble investigated cyber criminals for several years as a criminal investigator at the Federal and State Criminal Police Offices. In addition to the call for more transparency and regular exchange, he suggested a regional cooperation structure in which companies join in clusters and support each other. In the meantime, he said, associations such as the VDMA are also very active in this topic. The Ministry of Economics also promotes numerous cybersecurity projects.
An open discussion took place in a small group. All participants rated the relevance of the topic as very high – after all, cyber attacks can threaten the existence of companies. The participants saw the solution in regularly discussing successful and effective strategies, measures and options to defend against cyber attacks, as well as pooling knowledge around emergency plans and resources. According to them while the buzzword resilience is omnipresent, it remains pure theory without real processes and structures. The seriousness of the situation must also come into sharper focus with the boards: without the appropriate resources, good cybersecurity is not possible.