Stefan Würtemberger is Vice President Information Technology at Marabu Inks and a member of the CyberCompare Advisory Board. He has experienced many different situations in his more than 20-year career in IT of industrial companies and their protection. He talks openly about the cyber attacks on Marabu and how the company was able to overcome them. He also drew on his experience to create a best-practice action guide for those affected.
In the following interview with Jannis Stemmann, CEO Bosch CyberCompare, he talks among other things about his personal experiences in IT security and tells how and what he had learned from the cyber attacks. In the context, he not only reports on his agreement with the management, but also emphasizes the importance of investing for some corporate protection.
Below you can find the official interview (option to play subtitles and read 🇬🇧 English translation):
So, Stefan, thanks again for taking the time today to do a short interview with us. If you can talk a little about the inside story: security is only a small part of your job. What is currently keeping your team at Marabu Inks and you so busy?
In addition to IT security, we have many, many other topics. We are still in the process of rolling out our ERP worldwide, which is going more or less well. But we also have many digitization topics on the agenda. We are constantly modernizing operational processes and trying to establish new technologies. We have also now learned through cybersecurity that security by design can also be an ethos to simply get things running more securely and faster, and that’s actually my main task today, let’s say making Marabu digital.
How do you see the topic, the expenditure for IT security, it actually increases every year and that’s true, it doesn’t really matter which company you ask and of course there are also statistics, which means that the statement is actually correct on average. Despite this, it seems that the number of attacks has not decreased, nor has the extent of the damage caused. So what’s your view on that?
Well, we will have to invest more and more money in cybersecurity in the next few years and it will be a significant part of our work to ensure the protection of the company. Due to the fact that many companies unfortunately pay money to the criminal groups in the event of ransomware attacks or cybersecurity attacks, it will not go back either. As long as this market is conditioned by the ransoms and these extortion funds, of course they, the perpetrators, will continue at the same level and increase it. If we learn to stand together as a company and tackle this issue together, talk about it, as we are doing here now, then at some point we will also manage to make this market shrink and then the extent will decrease badly and then I will have again less costs. But also with new technology, AI, which both sides will use, it will always go on like this as long as this market is served.
Now, if we get a little more specific. Penetration testing theme. This actually applies to every IT manager or every development manager, for example. And I think you have a very interesting agreement on penetration testing with management. Can you tell me a little bit about that?
Penetration tests are of course part of checking my security concept, which I have now developed with the team, which my boss cannot evaluate at all. But what he can do and what we have relatively well in line, is he takes care of the penetration tests being carried out without telling me when they are, that we are very close to the reality of a real cyber attack and I will then also be paid according to the degree of fulfilment, i.e. my variable part of my salary also depends significantly on a degree of fulfilment, that I configure the technical measures that I have proposed, for which I naturally also spend a lot of money, properly and then properly monitor and maintain. And I think that’s actually something that many colleagues should think about confronting the management level, CEOs, with because they inevitably have to deal with this topic. Well, this topic, yes, I have 400 projects and I even carried out 98 and 2 just failed because it wasn’t. Because you couldn’t deliver for some reason, because other departments weren’t ready, everyone knows that. And so, of course, I always get my salary standard screwed up. I cannot cheat penetration tests, well, because there really are things that aren’t configured or labeled correctly. You can’t reach 100 percent, you have to agree and be sure that the goal can be measured, but as I said, 95 percent certainty with the test results is my 100 percent. Anything beyond that, I get a little bit more.
If you had to suddenly give up a single security measure that you have today, which one would that be?
That would be my dashboard. My statistics and evaluations, the KPIs. There are a lot of foliage that has been established. They are good for checking and revision, but technically they do relatively little. That’s what comes out of it as a result. I wouldn’t do without anything else, because they are fundamentally important, that we have them and that we keep them.
How do you see the whole topic of OT security? Are OT security measures relevant at all from your point of view? Because it is actually the case that almost no attack is OT-specific, most of the time it comes from IT.
The problem, however, and we have often discussed this with colleagues, the modernization cycles of a machine are not the same as in the office world. I’m replacing my PC, laptop, I’ve got the new Office on it. It gets replaced every four or five years. Machines don’t. Machines remain standing for 20, 30, 40 years after purchase, since they have a completely different task. They produce something. And then of course I have to make sure that they are appropriately protected, because the hardware, the software, it gets old at some point and we have already discussed it, who still has a floppy disk drive today, which is often used in production becomes, which makes it almost elementary difficult in the recovery, if they have something. That’s why it’s still part of it, even if it never or not often comes from the OT area as an elementary component.
If you look back now from the experience of two cyber attacks, what is in your IT contingency plans or in business continuity management today that might not have been documented before?
Many, infinitely many processes have been added. My boss also said in the press: “We have to be able to survive in such a way that we can deliver with paper printed.” For example, everything has migrated to the emergency manual, which documentation, which documents are possibly necessary, which I have as a form of printed paper in order to be able to work without IT for at least seven days. After that it becomes critical, because then there will be no more customer orders, because we know today that everything is networked. But we have to manage the pure production of backlog orders for a week without it. One of these measures: Regular training and the training results anchored in it. The communication structures are regulated more clearly. Who takes care of what when and who talks to whom and how is it communicated? Restarts were completely changed because we had simply seen that emergency plans used to be written, the machines are still there, but the world around them has changed. This will be adjusted more regularly. There are now regular meetings to update the emergency manual, exercises are more simple than before. It is also practiced sometimes without anyone knowing that it is an exercise. In other words, so close to the real thing, and that has changed us as leaders in general. That we now deal with this topic much more consciously. Because we’ve been through most of it and we’ve done it twice now.
I find the exercises, the emergency exercises, very interesting. What do you think is suitable to prepare for and test, for example, as a tabletop exercise?
Well, everyone should call their boss at 4 a.m. and say, “Cyber attack in progress!” and then see how long it takes them to get here. These are topics that we often have, just think outside the box. We have now experienced two different types of cyberattacks, but they are not always the same. From the end of the day, if you know what it was, they’re always the same. But let’s put it this way, the upstream story of why it’s happening, who posted something again that might have contained critical company data. Who mailed something unencrypted again? It’s just looked at very differently today. And those are things that you just ask in an exercise, like, now show me your last 100 activities, what have you been up to, where did you enter your password where you shouldn’t have. Without employees being punished. It’s not supposed to mean that these tests have any consequences, it’s actually supposed to be there to know how we react to it if it happens again and it must never be the case that any wrongdoings result in any personnel consequences drawn. As I have already said, it is up to the company to say if you are subject to a cyber attack and it starts with the management and ends with the employee. Because unfortunately one also makes mistakes due to the many, many tasks that we all have to do today.
Are there any technical developments in the area of IT or OT security that you find particularly interesting?
There’s a lot of great stuff coming now. More and more AI technology that helps us to detect anomalies much much faster. And every cyber attack is some anomaly of normal everyday work. First here, suddenly there, who distributes packages and you can’t learn and analyze it as quickly as a machine can do today. And I’m curious to see how this AI technology will continue to develop and we’re already using it today partly, but seeing that afterwards, it can really relieve us of replacements and decisions, that will be exciting and I’m looking forward to it. Of course, the other side does it too, no, they also use AI, AI technology to make advanced areas and cybersecurity will look different in 10 years, the attacks will be very different in 10 years than the ones today.
Are there any false statements or half-truths that you perhaps encounter again and again, even from experts, or is there something about the whole topic of security that annoys you, for example?
Well, what annoys me about my colleagues is that they always say, “we’re too small and it doesn’t affect us” or “we don’t really have a problem because we know everything”. That’s actually the worst statement. This can happen to anyone at any time. It’s often the case with the manufacturers, everyone shouts, they have the best technology, they’re the best, they detect everything. Shouldn’t say that. You can’t recognize everything today, because I’ve often said that software is programmed by people and not everyone who develops thinks about attack scenarios. So they can’t be the best. They can be really good, they can be technologically advanced, but they can’t be the best on the market. Of course, my job is to always criticize myself, am I doing everything right, have I thought of everything? I also have to get advice, it’s so complex today, the topic of IT, OT with all the IoT that we have around it. You can no longer see everything today. And that’s why I have to let my bosses question me again and again, which I think is good that they also do it sometimes, am I doing everything right and you just have to be honest and say, “I can not know everything and then I also need advice”. It’s just important that I have the right consultants, who don’t come product-driven, just say, because they have the coolest technology, I’ll buy it now. Rather, he gives me the right advice on the subject so that I can then make the right decision for my company.
If you could put up posters on the streets all over Germany at this point, what would be written on them?
So it is important that cybersecurity is a top priority. IT leaders shouldn’t rely on being good. We’re all good, but we’re not perfect, you just have to keep checking yourself, is that still the case today? Because the way we are today, everything changes relatively quickly. We are always in transition. Those are actually always the two core issues I want to say. In summary: Management issue, IT, cyber still on course, you still have a bit of a challenge as far as IT security is concerned.
Should Bitcoin be banned?
Yes, directly all cryptocurrencies, because they promote the whole topic or they are supposed to make it so secure that they are comprehensible. It’s nice to have cryptocurrencies, they’re fancy, they’re great, but they promote this topic of cybercrime tremendously because nothing is traceable anymore. And then you have to ask yourself the question, well, if I have nothing to hide, do I have to fear my transactions that I make? Not really. Well, that’s the big price question. But if so, yes, I would ban it.
Thank you for the bold statement, Stefan.
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.