Three Steps to Cyber Protection

Cybersecurity at Siemens

“That doesn’t apply to us,” “everything has been fine so far,” “now is a really bad time for a software update”: many small and medium-sized companies do not take protection against hacker attacks seriously, even though good protection is vital and by no means out of reach. The Charter of Trust has developed a three-step plan.

Why are small and medium-sized enterprises (SMEs) repeatedly targeted by hackers, and why do they not notice until it is too late? What risk do employees pose? And how do companies stand to profit from investing in more protection against intruders from the Web? The first four posts in the series “Cybersecurity in small and medium-sized enterprises” have answered these and many other questions. Now it is up to the fifth and final post to answer the most important question of all: What can be done? How can a company with limited resources protect itself against most attacks? “With a comprehensive security concept,” recommends Christian Haas, Head of Fraunhofer IOSB's Cybersecurity Training Lab in Karlsruhe, Germany. Poor cybersecurity at SMEs is often an organizational problem: unclear responsibilities, a lack of know-how about cybersecurity in production, and production volume simply taking priority, to name just a few causes. The Cybersecurity Training Lab wants to change that. There, companies can simulate hacker attacks and use what they learn to build better underlying security into their own production IT.

Waiting for the explosion

However, things rarely happen that way. Many companies are unaware of the dangers, laments Ernst Esslinger. “Cybersecurity in the industry is regarded as something of a sword of Damocles.” Esslinger is the Director for Methods and Tools at Homag, a German manufacturer of woodworking machines in Schopfloch, Germany. Homag machines are fully connected, because that is what today’s furniture industry requires: customers configure closets online, which automatically generates the production data that the machines then use to cut the boards and drill the holes. In terms of security, there is still room for improvement. The mechanical engineer was a coordinator of the research project IUNO, which assessed concepts for ensuring IT security in Industry 4.0 and was funded by the German Federal Ministry of Education and Research. Siemens was also a partner. According to Esslinger, IUNO developed security solutions for all four of the project’s application areas, yet there is currently hardly any demand for security-related topics. The excuses are familiar: companies believe they are of no interest to hackers. Or that installing a firewall will suffice. And updates for machines are postponed, because no one can afford downtime right now. “But at some point things explode,” warns Esslinger.


Like the Fraunhofer researcher Christian Haas, Ernst Esslinger sees hurdles that are less technical than organizational, together with a lack of awareness. The Charter of Trust, which Siemens launched with international companies and research partners in 2018, has come to the same conclusion. The initiative has developed a catalog of measures in three phases, intended to address precisely these areas.

Phase I: Establishing a culture of cybersecurity

Cybersecurity concerns all employees, first and foremost management, which often prefers to wash its hands of the matter by delegating it to the IT department. Instead, managers should declare the topic a top priority and take responsibility for it. The first measure is a risk assessment. A company’s own employees pose the highest risk: according to Kaspersky, a provider of security software, more than 80 percent of security incidents are the result of human error. Classic examples are fraudulent e-mails and simple passwords. The remedy here is regular training. “These training sessions are also important because they let companies prove that they have taken all of the necessary measures outlined in the General Data Protection Regulation,” emphasizes Markus Schließ, a Stuttgart-based lawyer who specializes in IT law.

Phase II: Implementing and incorporating measures

The threats are known; now it is a matter of concrete organizational measures. SMEs should carefully examine and improve data protection, security policies, physical security and access management, and begin training. These measures are also recommended by the Charter of Trust, which Siemens has added to its Terms & Conditions for suppliers. But that is not all: companies offering digital and connected products and services in particular must build cybersecurity into those products. This is where the key concept comes into play: security by design, from development through operation of the product to service. Closely related is security by default: all protective measures should already be in force at the time of delivery, for example strong, individual passwords instead of the still frequently used default “0000”.
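What “security by default” means in practice can be made concrete with a delivery check: before a connected product leaves the factory, its shipped configuration is tested against a policy, and a well-known default password such as “0000” fails it. The following Python is an added example, not code from the original article, Siemens, Homag or the Charter of Trust; the configuration keys, the list of default passwords, the entropy heuristic and the thresholds are assumptions chosen for illustration.

```python
"""Security-by-default check for a connected product's shipped configuration.

Added example (not the article's own code). The configuration keys, the
default-password list and the policy thresholds below are assumptions.
"""
import math
import string

# Factory credentials that must never survive to delivery (assumed list).
KNOWN_DEFAULT_PASSWORDS = {"0000", "1234", "admin", "password", "root", "12345678"}

# Controls that must already be in force when the product is delivered (assumed keys).
REQUIRED_DEFAULTS = {
    "remote_admin_enabled": False,  # no remote administration open out of the box
    "tls_required": True,           # management traffic must be encrypted
    "auto_update_enabled": True,    # patches apply without waiting for a "good time"
    "unique_credentials": True,     # per-device password, not one shared by the fleet
}


def password_entropy_bits(pw):
    """Rough entropy estimate: length times log2 of the character pool used."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check_delivery_config(config, min_length=12, min_entropy_bits=60):
    """Return a list of findings; an empty list means the shipped config meets the policy."""
    findings = []
    pw = config.get("admin_password", "")
    if pw.lower() in KNOWN_DEFAULT_PASSWORDS:
        findings.append("admin_password is a well-known default")
    if len(pw) < min_length:
        findings.append(f"admin_password shorter than {min_length} characters")
    if password_entropy_bits(pw) < min_entropy_bits:
        findings.append(f"admin_password below {min_entropy_bits} bits of estimated entropy")
    for key, required in REQUIRED_DEFAULTS.items():
        if config.get(key) != required:
            findings.append(f"{key} must be {required} at delivery")
    return findings


# Constructed sample configurations (not real product data).
SHIPPED_AS_IS = {            # the "0000" situation the article describes
    "admin_password": "0000",
    "remote_admin_enabled": True,
    "tls_required": False,
    "auto_update_enabled": False,
    "unique_credentials": False,
}

SECURE_BY_DEFAULT = {        # the same product after the policy is applied
    "admin_password": "kQ7#vLp2!zR9mD4s",
    "remote_admin_enabled": False,
    "tls_required": True,
    "auto_update_enabled": True,
    "unique_credentials": True,
}

if __name__ == "__main__":
    for name, cfg in (("shipped as-is", SHIPPED_AS_IS), ("secure by default", SECURE_BY_DEFAULT)):
        findings = check_delivery_config(cfg)
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run stand-alone, the first configuration fails on seven findings (the default password trips all three credential checks, and every required control is off), while the second passes. The value of such a check is that it runs on the producer’s side, before delivery, so the customer never has to be the one to discover that a machine arrived with “0000”.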

Cyber protection is not a product that you simply invest in once and can then forget all about. It is rather an ongoing process.

Phase III: Communicating measures and acting as a role model

Do good work and tell people about it. This recommendation also applies to cybersecurity measures. It means more than public relations: it means demonstrable proof of a company’s security status through certification against standards such as IEC 62443 or ISO/IEC 27001. Companies that set a good example encourage others to follow. This matters because cyberattacks do not stop at corporate or national boundaries. Cybersecurity measures must therefore always be seen in context, for example across supply chains or with the service providers who will later be responsible for product maintenance.


A company that has completed these three phases is well protected from hackers, but not forever, since criminals are constantly developing new methods of attack. Cyber protection is therefore not a product that you invest in once and can then forget about. It is an ongoing process that constantly requires attention, and precisely for that reason it is a more sustainable form of protection.


But therein lies the opportunity: good cybersecurity is the basis for change and for new digital business models. Such models already exist in the furniture industry; the online configuration of customized furniture is one example. Many other industries, however, are still at the very beginning, notes Ernst Esslinger from Homag. And he thinks this has to change: “There’s only one thing that I recommend to make sure you don’t miss out on the many opportunities that the digital world offers – do more for cybersecurity.”


Click here if you would like to know more about the cyber risks that small and medium-sized enterprises face and learn what you can do to tackle them — including with assistance from Siemens.

Our series of five articles explains what small and medium-sized companies can do to protect themselves against cyber risks. This is the fifth and final article in the series. The series examines why smaller companies are more frequently hit by attacks and what role employees play. The articles also provide tips on how companies can protect themselves against attacks at reasonable expense and make this part of their business strategy, for example with concrete assistance from Siemens. The articles appear at two-week intervals and are linked here as they are published.


Part 1: Room for improvement

Part 2: Far too low-hanging fruit

Part 3: Human beings: the chink in the armor

Part 4: Digitalization, sure - but secure