"IT Security is essential for the trust our customers put in us"

Thomas Tschersich: We consider IT risks to be an equally important component of our general risk environment. So what can you do to manage those risks? At Deutsche Telekom, when we begin a development phase – no matter if it's for a product or an IT system – we include a security review that is observed just as rigorously as the other technical design requirements. We accompany the entire development process with our security and data protection considerations. At the end we do "digital crash tests", safety assessments designed to reconfirm our target security level.

How important is IT security for the reputation of a company like Deutsche Telekom?

Tschersich: Essential. As a service provider, IT security is the foundation for the trust our customers put in us. From our perspective, without the appropriate IT security features, no business model is going to be successful in the internet world. Customers entrust us with their data, and they communicate using our networks. They need to assume that their data is going to be safe – and rightly so.

How do you "translate" IT risks so that your managers or at least your risk managers understand them?

Tschersich: There is always the danger of describing technical risks too technically. We try to solve this problem through catalogues that define easy-to-understand standards for these security features. The catalogues clearly show how not meeting a specific requirement will leave open a specific risk. Thus, for example, if I don't include a user verification function in a system, this will result in the risk of the unauthorized use of this system.

We have defined about 20 standardized risks that all of our technical security features are designed to support. At the end of an analysis we will then have a list of standard risks that we can take to management and say if a system is sufficiently secure against unauthorized use. By making this a standard part of the development process, we create transparency and ensure a high level of security.

What can you say about the general approach to the prevention of IT risks at your company?

Tschersich: Prevention consists of three parts: development, operation and disposal. As already discussed, you need to include IT security during the development process. Take the example of a car manufacturer. They can't install brakes in a car after it's left production. Then there's the operation phase: just like you take your car to the shop for regular inspections, your IT system needs regular maintenance. And, to complete the car metaphor, at the end of its useful life, you need to dispose of it properly, which in the IT world means especially the thorough destruction of all data storage devices. A lot of the big IT attacks you read about these days are due to poorly configured systems. They would have been avoidable if people had just done the basics.

So it would have indeed been possible to prevent most of those losses?

Tschersich: Absolutely. But there's something else: the antivirus industry discovers 50,000 to 60,000 new viruses every day – not all of them brand new, but still there is no longer anyone capable of analyzing them all and adapting their antivirus products to them. That doesn't mean that you can do without antivirus programs, but we do need new concepts to deal with this many dangers.

What do you pay attention to most of all in your IT risk management? What is the largest potential threat? Cyber attacks? Human error?

Tschersich: It's difficult to compare. Human error often opens the door for successful cyber attacks. Really, the most important means against attackers is well-trained IT personnel. The IT administrator is often regarded as a low-cost employee. But the fate of the company's security lies in that very person's hands. Nevertheless the job is usually located at the very bottom of the pay scale. I think that's a grossly negligent mistake. It practically provokes human error. This is one of the most underestimated risks in today's IT world.

And where do you see the biggest technical issues?

Tschersich: In addition to poor system monitoring and maintenance, definitely the accumulation of authorizations. You need to separate critical system components. Say you have an online shop and put your ordering functions, payment system and customer data all on the same server instead of separating them. If someone hacks into one of the systems, he has access to all three areas.

And when you look into the future, what trends do you see emerging in IT security?

Tschersich: On the attack side there's definitely the issue of targeted attacks like Stuxnet. The second issue I see arising is the increasing professionalization of attacks. In particular you see what are called "Advanced Persistent Attacks": attacks over a long period of time with a lot of energy behind them, not a bulldozer through the front door but rather lots and lots of little steps to infiltrate an IT structure. In the technology area, I think we're going to experience a renaissance of digital rights management. Rather than putting the emphasis on protecting the device, it would be the specific data files that are protected.

As with all content published on this site, these statements are subject to our Forward Looking Statement disclaimer.