Every company operates in the digital world. Some, like Deutsche Telekom, also help form that world. In the third interview in the series “Digital Risks”, Thomas Tschersich, head of Group IT Security at Deutsche Telekom, discusses IT risk management. Tschersich is also giving a lecture together with Jörg Schönenborn, who heads corporate and commercial insurance at Deutsche Telekom, at the expert event “Digital Environments” organized by Allianz Global Corporate & Specialty.
What place do IT risks have in your general risk landscape?
Thomas Tschersich: We consider IT risks to be an equally important component of our general risk environment. So what can you do to manage those risks? At Deutsche Telekom, when we begin a development phase – no matter if it’s for a product or an IT system – we include a security review that is observed just as rigorously as the other technical design requirements. We accompany the entire development process with our security and data protection considerations. At the end we do “digital crash tests”, safety assessments designed to reconfirm our target security level.
How important is IT security for the reputation of a company like Deutsche Telekom?
Tschersich: Essential. As a service provider, IT security is the foundation for the trust our customers put in us. From our perspective, without the appropriate IT security features, no business model is going to be successful in the internet world. Customers entrust us with their data, and they communicate using our networks. They need to assume that their data is going to be safe – and rightly so.
How do you “translate” IT risks so that your managers or at least your risk managers understand them?
Tschersich: There is always the danger of describing technical risks too technically. We try to solve this problem through catalogues that define easy-to-understand standards for these security features. The catalogues clearly show how not meeting a specific requirement will leave open a specific risk. Thus, for example, if I don’t include a user verification function in a system, this will result in the risk of the unauthorized use of this system.
We have defined about 20 standardized risks that all of our technical security features are designed to support. At the end of an analysis we will then have a list of standard risks that we can take to management and say if a system is sufficiently secure against unauthorized use. By making this a standard part of the development process, we create transparency and ensure a high level of security.
What can you say about the general approach to the prevention of IT risks at your company?
Tschersich: Prevention consists of three parts: development, operation and disposal. As already discussed, you need to include IT security during the development process. Take the example of a car manufacturer. They can’t install brakes in a car after it’s left production. Then there’s the operation phase: just like you take your car to the shop for regular inspections, your IT system needs regular maintenance. And, to complete the car metaphor, at the end of its useful life, you need to dispose of it properly, which in the IT world means especially the thorough destruction of all data storage devices. A lot of the big IT attacks you read about these days are due to poorly configured systems. They would have been avoidable if people had just done the basics.
So it would have indeed been possible to prevent most of those losses?
Tschersich: Absolutely. But there’s something else: the antivirus industry discovers 50,000 to 60,000 new viruses every day – not all of them brand new, but still there is no longer anyone capable of analyzing them all and adapting their antivirus products to them. That doesn’t mean that you can do without antivirus programs, but we do need new concepts to deal with this many dangers.
What do you pay attention to most of all in your IT risk management? What is the largest potential threat? Cyber attacks? Human error?
Tschersich: It’s difficult to compare. Human error often opens the door for successful cyber attacks. Really, the most important means against attackers is well-trained IT personnel. The IT administrator is often regarded as a low-cost employee. But the fate of the company’s security lies in that very person’s hands. Nevertheless the job is usually located at the very bottom of the pay scale. I think that’s a grossly negligent mistake. It practically provokes human error. This is one of the most underestimated risks in today’s IT world.
And where do you see the biggest technical issues?
Tschersich: In addition to poor system monitoring and maintenance, definitely the accumulation of authorizations. You need to separate critical system components. Say you have an online shop and put your ordering functions, payment system and customer data all on the same server instead of separating them. If someone hacks into one of the systems, he has access to all three areas.
And when you look into the future, what trends do you see emerging in IT security?
Tschersich: On the attack side there’s definitely the issue of targeted attacks like Stuxnet. The second issue I see arising is the increasing professionalization of attacks. In particular you see what are called “Advanced Persistent Attacks”: attacks over a long period of time with a lot of energy behind them, not a bulldozer through the front door but rather lots and lots of little steps to infiltrate an IT structure. In the technology area, I think we’re going to experience a renaissance of digital rights management. Rather than putting the emphasis on protecting the device, it would be the specific data files that are protected.
The statements contained herein may include statements of future expectations and other forward-looking statements that are based on management’s current views and assumptions and involve known and unknown risks and uncertainties that could cause actual results, performance or events to differ materially from those expressed or implied in such statements. In addition to statements which are forward-looking by reason of context, the words “may”, “will”, “should”, “expects”, “plans”, “intends”, “anticipates”, “believes”, “estimates”, “predicts”, “potential”, or “continue” and similar expressions identify forward-looking statements.
Actual results, performance or events may differ materially from those in such statements due to, without limitation, (i) general economic conditions, including in particular economic conditions in the Allianz Group’s core business and core markets, (ii) performance of financial markets, including emerging markets, and including market volatility, liquidity and credit events, (iii) the frequency and severity of insured loss events, including from natural catastrophes and including the development of loss expenses, (iv) mortality and morbidity levels and trends, (v) persistency levels, (vi) the extent of credit defaults, (vii) interest rate levels, (viii) currency exchange rates including the Euro/U.S. Dollar exchange rate, (ix) changing levels of competition, (x) changes in laws and regulations, including monetary convergence and the European Monetary Union, (xi) changes in the policies of central banks and/or foreign governments, (xii) the impact of acquisitions, including related integration issues, (xiii) reorganization measures, and (xiv) general competitive factors, in each case on a local, regional, national and/or global basis. Many of these factors may be more likely to occur, or more pronounced, as a result of terrorist activities and their consequences. The company assumes no obligation to update any forward-looking statement.
No duty to update
The company assumes no obligation to update any information contained herein.