There is a growing threat of cyberattacks on mid-sized companies, the German operations for PwC, one of the world’s largest management consultants, told Handelsblatt.
Norbert Winkeljohann said that the emerging benefits of digitization—like autonomous driving and networked houses—could be destroyed unless companies took care to protect themselves from hacking and other cybercrimes.
He warned that security is not a technical issue, but an operational one, and that responsibility for it belongs with senior management.
Mr. Winkeljohann said the objective threat was increasing, as was fear surrounding the question. Both could be damaging to organizations, and the only real answer was to invest strategically in coherent processes and systems. Whereas large companies had mostly woken up to the issue, progress had been slower down the scale. “Above all, mid-sized companies are not investing enough in this,” he said.
There was absolutely no question that cyberattacks on the “Mittelstand”—the name given to Germany’s large number of small and medium-sized industrial companies, often in family ownership—was increasing. Numbers were hard to come by, he said, since many attacks were never made public, but a hotline established by PwC had been increasingly busy.
Mr. Winkeljohann said he knew of one industrial firm which had recently been conned out of several million euros. That case revealed the broad spectrum of threat: it was not a hacking attack, but email fraud.
The biggest danger comes from top management who pay too little attention to the question of information security. Norbert Winkeljohann, Senior Partner and Chairman, PwC Germany
PwC’s response team, sent out to deal with cases, includes compliance experts who examine systems to ward off future problems and Mr. Winkeljohann said companies’ greatest weakness is not staff and not individual machines, but “top management who pay too little attention to the question of information security.”
Far too often, he added, businesses put responsibility for IT security with the IT department. Understandable, but a serious error. “As a result, staff are not aware enough of security threats,” he said.
Information security was not simply a technical matter—“it is a continuous process, and should be incorporated into every risk assessment,” said Mr. Winkeljohann. Firms would find individual solutions, but a basic principle was the separation of oversight and implementation: IT people should inform and implement key parts of security strategy, but it was not their job to oversee it. Here, executives had to take responsibility.
As a consultancy, PwC is investing heavily in cybersecurity, which they see as a significant future growth area. Of course, this is not an issue that only affected Germany. “It is important in all of the 157 countries where the company does business,” Mr. Winkeljohann said, adding that there are already 150 cybersecurity specialists are working in PwC’s German operations, with more than 3,000 worldwide. Operatives came from different backgrounds; it was possible that in future, an autonomous global cybersecurity division would be created. In the next few years, the consultancy’s security business was expected to triple in size.
Growth at speed could involve takeovers, but Mr. Winkeljohann had no specific news in that area. PwC had its eyes open for good value companies that would fit in with the PwC culture and structure, he said. In recent years, the acquisition of cybersecurity specialists Persion and digital identity management firm Everett had strengthened their capabilities. Their aim was simple and ambitious: to be the market leader in Germany and the world.
The PwC boss insisted that not being an IT consultancy was a distinct advantage. “Our audit experience has brought us into the very heart of organizations. We know the operations, the processes, the IT structures,” he said. “We know where data flows, how it is protected, we know compliance systems. Strengthen that know-how with technical expertise, and you can offer holistic security consultancy,” he added.
As for what PwC hoped to gain, he said that companies could easily spend 0.5 percent of revenue on cybersecurity: huge market potential. That could add up to something like $3.6 billion in total security consulting revenue.
Germany already has a Federal Office for Information Security, or BSI, which is to set up a rapid reaction force to deal with cyberattacks on business. Mr. Winkeljohann said it was right that the BSI would take the lead in reacting to criminal cases, and consultants would always operate in conjunction with them. He also spoke about the 2015 IT security law: he said it was greeted with skepticism when it passed, but had made real progress in setting security standards for some industrial sectors.
We know where data flows, how it is protected, we know compliance systems. Add technical expertise, and you can offer holistic security consultancy. Norbert Winkeljohann, Senior Partner and Chairman, PwC Germany
The great thing about the new law, he said, was that it forced all sectors to raise their game: weaker players were pressured by stronger to improve security. Cybersecurity was often still surrounded with an aura of shame, he said, particularly when companies had been the victim of attacks. “Many cases are not even reported to the police,” he said. Far more openness was needed, he said, so that vital cooperation could take place between affected firms.
Cooperation was also needed with state agencies, nationally and internationally. “The United States and Britain has substantially better exchanges between business and the military and political authorities on this subject,” he said. That included the secret services—they were very well informed and could be of help, he insisted. “Why shouldn’t business use their know-how, and be available to exchange information with them when it is of use,” he added.
With German federal elections due in less than seven months, Mr. Winkeljohann said foreign powers may well attempt to hack election systems. The fact that Germany’s system was low-tech—still based on pencils and ballot papers—was a blessing for the country, making it far harder to breach electoral security. In this field, simpler was better. A safe electronic voting system could probably be built, but trust would be very low. In this area, the existing methods were trusted.
Sven Afhüppe is the editor in chief of Handelsblatt. Grischa Brower-Rabinowitsch leads Handelsblatt's coverage of companies and markets. Bert-Friedrich Fröndhoff leads a team of reporters which covers the chemicals, healthcare and services industries at Handelsblatt. To contact the authors: [email protected], [email protected], [email protected].