Interview with Sascha Maier, Head of IT IWC
Interview with Sascha Maier
Sascha Maier is Head of IT & Cyber Resilience at IWC, the Schaffhausen-based Swiss luxury watch manufacturer. Previously, he headed the security and cloud services department at SwissCloud. The business information scientist also lectures on IT security at various institutes and is active in several organizations. In November 2020, his technical book on the topic of «Business risk cybersecurity» was published by Springer Verlag.
In the fall of 2020, the Swatch Group became the target of a cyberattack. Could this also happen at IWC?
Looking at the current cybersecurity situation, there has been a sharp increase in attacks, particularly in the final weeks of 2020 and in January 2021. For example, the National Cyber Security Center NCSC reports receiving over 300 reports per week. General fraud incidents make up the majority, with phishing attacks in second place, and these are only the known incidents that were actually reported. Many cases of extortion, e.g. as a result of a ransomware attack, remain in the dark, mostly for fear of reputational damage. The situation has become much worse as a result of Corona, as many processes have been digitized. We at IWC have also taken this situation into account, subjected our existing measures to intensive testing and strengthened security. However, there is never absolute security. It is therefore all the more important to prepare the entire company for a cyber attack. In the event of an emergency, the damage must be limited and the continuity of processes must be restored as quickly and securely as possible. This requires not only technologically supported tools, but also sophisticated and meaningful monitoring. Above all, the organization and all its employees must be prepared.
What do you think are the biggest risks for Swiss companies in the area of cybersecurity?
In addition to the already known threats such as DDoS attacks, increasingly well-crafted and harder-to-detect phishing attacks, as well as fraud incidents such as CEO fraud, are coming to the fore. The spread of ransomware is currently particularly strong. Last year saw a veritable wave of attacks on Swiss companies. And that brings us to one of the most important topics: the greatest vulnerability, which in my view needs to be given even more attention, is the «human factor». A company's technical security can be as good as you like, but it is weakened or even rendered useless if, with the help of social engineering, people are knowingly or unknowingly tricked into disclosing security-relevant information to outsiders. We must also pay attention to this gateway for cyber attacks in Swiss companies.
Since Corona, the risks have changed once again compared to the situation before. Anyone working from home must have a secure workplace at their disposal. The use of home networks and possibly also private devices such as printers or smartphones should meet the company's own requirements. Employees therefore need clear specifications and guidelines, but also practical support when working from home.
What measures should companies take to minimize these risks?
At IWC, we started equipping our colleagues with digital tools and training them long before Corona. Older colleagues in particular may be unsure about using new technology and should perceive IWC Schaffhausen's IT as a reliable partner: We do not leave our colleagues alone here, nor are we merely rule-givers who punish in the event of a breach. On the contrary, we actively support, give advice and provide constructive help in simplifying (= digitalizing) work processes. I urge companies to see their employees as partners in the fight for cybersecurity.
Looking at technology alone is definitely not enough in 2021. There must be a harmonious triad of technology, people and organization. What do I mean by that? Cybersecurity is not something that can be produced statically and once. It is a lengthy process and must always be fought for anew and put to the test. It should go without saying that a company should appoint a cybersecurity officer from top management. However, this function must not be a fig leaf. All business units must be involved in protecting their own «crown jewels». A team of stakeholders across the company must be aware of the specific threats and support their own colleagues in arming themselves against them. Which specific measures are taken must be derived from the corporate strategy and anchored in the corporate culture.
What level of maturity do you think most Swiss companies have in the area of cybersecurity? Where do you see potential?
By and large, I think we are on the right track in Switzerland. Talking to many colleagues in IT security in other Swiss companies, I learn that the topic of cybersecurity is getting more and more attention. IT security teams are being strengthened and investment in measures is also increasing - certainly not least because of the strong growth in home offices.
Politically, the topic has also arrived in Switzerland. Think, for example, of the adoption of the «National Strategy for the Protection of Switzerland against Cyber Risks (NCS) 2018-2022» and the appointment of a dedicated «Delegate of the Confederation for cybersecurity» in 2019. Personally, I think it is very important and sensible to link the goals and measures across all cantons and to involve both business and universities.
How does a company prepare for an emergency?
In our book «Business risk cybersecurity. Guide to establishing a resilient security ecosystem», published by Springer Gabler late last year, Sandra Aengenheyster and I take you through 5 sequential steps to a resilient enterprise that is less susceptible to cyberattacks. As the subtitle already conveys, the emergency must be fought from a long way out. In a nutshell, these are the five steps:
- Step 1: Define Goals
First, protection goals must be identified and evaluated. The resulting risks must be evaluated, ideally, as already mentioned, in a defined project team in order to take into account all aspects relevant to the company. Together, the further course of action can then be determined.
- Step 2: Survey Maturity & Delta
Survey the status quo, e.g., number of attacks measured, number of employees to be trained, available communication channels/means, etc. From this information, it is possible to ascertain how far away you are from the targeted goal and what effort needs to be invested in achieving the target state.
- Step 3: Derive Solutions & Roadmap
You can now move on to developing solutions, in each case on the basis of the previously identified fields of action. The solutions should be evaluated in advance, particularly with regard to the factors of feasibility as well as effort and benefit. The concrete roadmap for implementing the solutions can then be drawn up.
- Step 4: Implement Measures & anchor Processes
In the run-up to the complete implementation of all measures, it makes sense to carry out pilot projects to test their acceptance and effectiveness. During the implementation phase, you should also regularly check whether the measures are effective and understood. The active and visible involvement of management is also very important in this phase. They should reinforce and exemplify the messages sent.
- Step 5: Monitor & optimize Results
This step is often forgotten, but it is extremely important. Measuring and evaluating success with the help of key figures provides information on whether the desired goals were achieved. Have requirements changed in the meantime? If so, the direction of travel must be corrected. Last but not least, lessons learned should be used to determine what the next steps are and what further improvements can be implemented.
What best practices and methods do you recommend to sustainably strengthen companies' resilience against cyberattacks?
As I said before, it's a long road to becoming a company that is resilient to cyberattacks. In order to sustainably build and connect the three core elements of technology, people and organization, I believe that awareness is still the priority. Awareness campaigns are a popular means of anchoring cybersecurity step by step in the company. However, it is important not to leave it at short-term and individual activities. Rather, continuous campaigns that build on one another help to increase efficiency in the long term. At IWC, we started our first campaign in 2013, at that time focusing primarily on information and workplace safety. In 2018, we built on those foundations and rolled out our expanded awareness campaign, «WATCH IT». We broadened the focus, established a team of influencers across multiple business units, and actively engaged them in the campaign. Change and the solidification of new behaviors do not happen overnight. Awareness measures need to be well-thought-out, close to practice and well communicated on a permanent basis. Therefore, all our topics are well coordinated, and we use a wide variety of methods and communication channels.
We hold face-to-face events such as lunch&learn sessions or training courses (these days, however, exclusively online) and publish a digital magazine that appears once a quarter (our colleagues from production can follow the content on info screens, by the way). We also publish regular intranet postings in which, for example, information about current cyber threats is provided in short form.
Feel free to contact me.
Chief Information Security Officer
Dipl. Business Informatics Specialist HF