‘The more digitalised a company is, the more of a target it becomes’

Florian Schütz, you have been dealing with cyber risks on behalf of the Confederation for two years now. What conclusions can you draw from your experience?

Over the last few years, we have been able to raise awareness of cyber security among the corporate sector and the population at large. But we are still seeing considerable differences in approach – especially among companies. Some companies are ill-prepared and continue to believe that cyber security is not a key issue for them. Others are taking the issue seriously, however, and investing accordingly. If you look at Switzerland as a whole, we are somewhere in the middle of the pack as far as cyber security is concerned. So we still have a lot of work to do.

Why is that?

Particularly in the business world, all too often there is still a tendency to see IT purely as a support service. It helps with financial accounting and is used for communications. The truth is, however, that IT is now a key cornerstone of any business. That’s why IT engineers should also be represented on management boards, for example, so that they can raise topics such as cyber security at that level. This has long been the case at international technology companies.

‘Criminals only need to identify one vulnerability in order to penetrate the system, while engineers cannot afford to make even a single mistake.’

You yourself worked for companies such as RUAG and Zalando and have over a decade of experience in IT security. What developments are currently at the forefront of this area?

One particular challenge is to develop IT systems that are as resilient as possible. The thing is, it is not a fair fight. Criminals only need to identify one vulnerability in order to penetrate the system, while engineers cannot afford to make even a single mistake.

Which companies or sectors are particularly at risk?

It’s not about companies or sectors, but rather the degree of digitalisation. The more digitalised a company is, the more of a target it becomes for cybercriminals. And the greater the amount of damage they can cause, for example by stealing personal data.

Many companies are blackmailed after such incidents, known as ransomware attacks. Either you pay up, or the data will be published or deleted. Should companies respond to such demands?

No, absolutely not. Companies must not allow themselves to be blackmailed by cybercriminals. Anyone who pays the ransom ends up supporting the business model and, worse still, the organised criminals behind it. It is better to contact the police or us to discuss how to proceed.

What can I do as a company or individual to protect myself from these attacks?

You should always keep your system up to date. As well as setting up a firewall, that means downloading the latest security updates for your hardware and software and activating the most recent version of your antivirus program. If you protect your personal computer from attacks, you are also helping companies in the process, because personal computers are often misused for attacks on companies. It’s also helpful to back up your data so that it is not lost in the event of an attack or any other incident such as a fire.

Cyber risks are seen as being difficult to assess, and rapid digital advances are making this process even more difficult. Is it even possible to carry out in-depth and timely risk assessments?

It’s certainly not an easy undertaking, but a risk assessment can definitely help a company evaluate the risks present in its business processes. You can never be totally secure, however. And nor would you want to be: If risk were reduced to zero, a company would lose its agility. What is more, different companies have different risk profiles. A start-up can afford to take more risks than a company that is already firmly established.

‘Organised cyber crime, which accounts for 80 per cent of online crime, is a real problem. Ransomware attacks alone have increased by 30 per cent in recent times.’

What is the biggest IT security risk at present?

There is no single biggest risk. Organised cyber crime, which accounts for 80 per cent of online crime, is a real problem. Ransomware attacks alone have increased by 30 per cent in recent times. The targets are often international organisations, meaning that close cooperation with foreign law enforcement authorities is important.

What about critical infrastructure such as the electricity grid? Is this effectively protected against cyber attacks in Switzerland?

Things are at different stages of development. Some bits of critical infrastructure are well protected, while for others there is still work to be done. We are currently in the process of establishing a mandatory reporting system for cyber incidents. This will allow us to assess which infrastructure is most at risk. Fundamentally, however, attackers would have to be extremely motivated indeed to mount an attack on critical infrastructure. There are much easier ways of making money.

Is it possible to take out insurance for cyber risks like these?

Yes, there is such a thing as cyber insurance. I cannot judge how good the coverage is. This sort of insurance could well be an attractive option for some companies. It is important that the insurance company plays by the rules and doesn’t give in to ransom demands either, even if this might well be cheaper than assuming the costs of recovering the data.

What role does the federal system play in dealing with cyber security?

It has pros and cons. When incidents occur, the coordination of the response between individual cantons can be somewhat sluggish. Each canton has its own strengths, however. Zurich and Vaud are strong in law enforcement, Ticino has a good track record in digital education, and the canton of Zug is committed to security testing for products, to name but a few. We are working to further improve the links between the cantons so as to make them more resilient to cyber attacks.

The COVID-19 crisis has led to more flexible forms of work such as working from home becoming increasingly important. What new challenges does this trend present in terms of IT security?

Working from home blurs the boundaries between private and working life, and this also has implications for cyber security. Home computers are often used for both personal and work-related purposes, which can lead to security gaps that criminals are able to exploit to attack the company. With this in mind, people should either have separate personal and work devices, or employers should set up secure access to the company’s IT infrastructure. It is also advisable to lock your computer when you are not at your desk. Children are curious and could end up disclosing valuable data purely by accident.

Let us finish with a look into the future: We often hear that quantum computers could become a major security problem, because they could crack encryption in the blink of an eye. What is your take on that?

I am not a quantum computer specialist. But quantum computers can also be used for encryption, a process known as quantum cryptography. There is some exciting research in this field being conducted in Switzerland. It will be interesting to see whether we can use quantum computing to improve the world’s cyber security.

About

Florian Schütz is the Federal Cyber Security Delegate. He is the point of contact for politicians, the media and the general public on all matters relating to cyber security. He heads the National Cyber Security Centre (NCSC) and is responsible for the coordinated implementation of the national strategy for the protection of Switzerland against cyber risks (NCS). Schütz has an MA in Computer Science and a Master of Advanced Studies in Security Policy and Crisis Management from ETH Zurich.