New Work: People are the number 1 risk factor

New working methods and technologies mean that people remain the number one risk factor

Picture (from left to right): Christoph Mondl (Managing Director Quality Austria), Marlies Temper (Head of Study Programme at St. Pölten UAS), Harald Erkinger (Managing Director CIS GmbH) © Anna Rauchenberger

Austria’s leading companies discussed the challenges and opportunities of New Work and digitalisation at this year’s CIS Compliance Summit on 19 September 2023. Around 250 decision-makers from Austria and abroad accepted the invitation from Harald Erkinger, CIS Managing Director, and discussed cybersecurity measures.

With its short communication channels, digitalisation has accelerated globalisation and thus also fuelled New Work. Pandemic-related remote working has catapulted us into the new normal. Employers and employees are no longer discussing the VUCA world – they have long been right in the middle of it. “When we talk about New Work, it is still far too often overlooked that the new flexible working models don’t just affect the physical location. The establishment of different remote work tools in everyday working life opens up numerous gateways for cyberattacks that need to be closed,” said Harald Erkinger. There is an urgent need for action because, according to a study by the American cybersecurity company Tenable Inc., around 67% of cyberattacks that damage business are now specifically aimed at people who work remotely. “An all-in-one mix of employee sensitisation, specialist training and the highest management and security standards should be implemented today rather than tomorrow,” the expert recommended. Companies that want to remain attractive to employees must enable flexible and agile working models. This presents employers in particular with the challenge of protecting their networks and data, especially when employees connect via private or even public Wi-Fi. Cloud services, apps, mobile working and access to sensitive data must be regulated, secured and constantly scrutinised.

AI – friend or foe?

The new ways of working don’t just affect the physical location where employees do their job. For some time now they have also involved AI and new ways and channels of communicating with customers. Every aspect of work needs to be secured.

“We are currently in a development process when it comes to AI. How do we deal with employees using AI? What do we do when suppliers rely on AI? And what problems and challenges can arise from the use of programmes such as ChatGPT? In addition to personal responsibility and creating awareness and know-how, we urgently need binding regulations such as the planned AI Act,” said Marlies Temper, Head of the Data Intelligence and Data Science and Business Analytics degree programmes at St. Pölten UAS.

In order to keep organisational structures flexible, employees need to be trained and sensitised. This is because most of the problems and challenges relate to internal IT. “We first need to train our employees internally, expand the community and learn from each other so that we can then protect ourselves from external threats,” said Erkinger. In view of new reporting obligations such as NIS 2.0, this is also urgently necessary. According to the Zero Trust concept, companies must assume that their systems can always be compromised, i.e. exposed to external attacks. In the event of attacks or data breaches, security systems in a networked world must inevitably function across organisations.

NIS 2.0 as part of a package of measures

The challenges and dangers of digitalisation and New Work must be addressed on several levels simultaneously. One important concrete measure is the EU’s Network and Information Security Directive, which primarily imposes reporting obligations on companies. “Companies should urgently clarify now to what extent they are affected by the new NIS Directive. Resources must be planned in good time and, above all, responsibilities must be clarified. One person in the company should have primary operational responsibility for implementing the regulations,” Erkinger recommended.

People at the centre

The experts at the CIS Summit agreed that people should be at the centre of all measures. After all, people are both a target and a security factor. AI systems can help to monitor network activities and user behaviour and react quickly to unusual events. Regular automatic security updates, infrastructure scans and vulnerability management should be standard. For these measures to be effective, contingency plans are needed to ensure that security incidents are dealt with immediately. Even if AI is used sensibly and data security is massively increased, human employees in particular need to be educated and sensitised.

The experts recommended clarifying responsibilities, creating awareness and learning to live with uncertainties.

“Regular fire drills are standard in most companies. In the same way, safety incidents should be practised and possible scenarios run through”, Erkinger recommended. Above all, employees should be continuously trained in their responsibilities. CIS offers accredited training courses for information security managers and auditors as well as on data protection and cybersecurity.

A wealth of know-how and expertise

Many other speakers from practice and theory shed light on the topic of “New Work” and its opportunities and challenges from different perspectives. We have summarised the most important statements and highlights of the day for you. Want to find out more? Here you can download the speakers’ presentations in the “Programme” section!

Christoph Mondl, qualityaustria CEO, addressed the customers of CIS and Quality Austria in his opening words. He emphasised the shared DNA of the two companies and the importance of passing on value-creating content to customers with passion and a great deal of expertise.

José Torre and Marco Kolbas from fiskaly GmbH discussed the relevance of “zero trust models” in their presentation in order to enable working from anywhere. The hacks they cited as necessary included workflow-based workflows, a secure corporate culture and defined processes.

examined the topic of “New Work” from different perspectives: the user, cardholder and facility management perspective. The associated advantages were also mentioned from a security perspective, such as the integration of existing IT and company processes.

Michael Brunner, Certainty GmbH, and Clemens Sauerwein, University of Innsbruck, highlighted the current status of the European Cyber Resilience Act (ECRA) and a related study of SMEs. The ECRA, currently before the EU Parliament as a draft law, is an essential component of the European Union’s security strategy and a regulation that subjects software and hardware in general to obligations.

Gerlinde Macho, IT entrepreneur, and Michael Bendl, COO of MP2 IT-Solutions, addressed the requirements and challenges of the current VUCA world (volatility, uncertainty, complexity and ambiguity). The VUCA model describes the accelerating change in today’s world in terms of agile management and leadership as well as holistic, agile information security management.

“Security governance in fast-growing environments” was the title of the presentation by Nikola Dinic, CISO, Convotis Group. He gave examples of some of the measures that need to be recognised, implemented or even avoided in order to ultimately be able to react faster and better. These include measures such as communication, clear responsibilities, a comprehensive cyber strategy and security management.

Stefan Hofbauer, Information Security Manager at Volksbank Wien AG, first gave an overview of current cyber security incidents – including the ENISA Threat Landscape Report 2022 – with top threat scenarios such as ransomware, malware and social engineering threats. His recommendations for action included awareness training, no disclosure of company data by employees and, in case of doubt, quickly contacting IT security or the relevant law enforcement agency.

Finally, Robert Jamnik, Head of Audit Services at CIS, gave an update on information security. From 31 October 2023, only certifications according to ISO 27001:2022 will be possible. Certificates according to ISO 27001:2013 will lose their validity on 1 November 2025. The CIS team is always available to answer any questions you may have.

Save the date

Next year, the CIS Compliance Summit will take place again in Vienna on 10 October 2024.