Tomaso Vasella, scip AG: “cybersecurity risks are frequently misunderstood or simply ignored”
With more companies going digital, cybersecurity remains a pressing issue as some businesses try to cut corners with their cyber defenses.
Seemingly small gaps in digital security can easily have extremely negative consequences. For example, despite the well-known rule of using a strong, unique password for every account, over 81% of data breaches still happen due to weak passwords. And that’s only one of an array of cybersecurity issues organizations must deal with on a daily basis.
Identifying and implementing security measures is a must for a company that doesn’t want to find itself paying a hefty ransom or notifying its customers of a data breach. scip AG – a cybersecurity consulting company – is here to support organizations in testing and building their defenses against cyber threats. Tomaso Vasella, CEO of scip AG, shared his insights in an interview with us.
How did the idea of scip AG come about? What has your journey been like so far?
scip AG was founded with the vision to start a company focusing on security testing. At that time, we were among the few pioneers in the Swiss security testing sector. Much has changed in the cybersecurity industry since the foundation 20 years ago, and we have broadened our service portfolio while staying true to our focus on cybersecurity. scip has always been pursuing a strategy of sustainable, long-term solutions both for our clients and ourselves, and we are proud to be a trusted partner for our national and international customers.
Can you introduce us to what you do? What are your main fields of focus?
Our expertise is reflected in three main areas: the offensive security professionals in our Red Team focus on simulating real-world adversaries and breaking into defenses, while our Blue Team provides security consulting to protect our clients' critical assets. The Titanium Team offers advanced research services in topics such as cyber threat intelligence, darknet monitoring, and artificial intelligence.
What kind of tests and checkups should be a part of every company’s routine?
Every company should have an idea about its exposure and its most valued digital assets. Network security assessments, phishing simulations, and web application penetration tests are good approaches to obtain a concrete picture of the current weaknesses that might be exploited by external attackers. This should be done regularly, but it is necessary to complement this with good practices. From a technical perspective, one of the most important ones is to ensure up-to-date software and systems, so checking for outdated components and applying patches promptly must not be neglected.
Have you noticed any new security threats arise because of the recent global events?
Our cyber threat intelligence showed increased information-gathering activities by the aggressor before the attacks and there is an increase in phishing trying to leverage topics related to the recent global events.
The number of companies affected by cyberattacks grows exponentially, yet a large number of organizations take action only after an incident occurs. Why do you think people are reluctant to keep up with online security?
Security is often perceived to be too cumbersome and expensive, sometimes even after an incident has happened. Many companies are driven by the belief or the hope that direct hard hits are not that likely and will only hurt others. All too often money is only spent in areas with immediate and tangible returns while a good cybersecurity level is characterized by nothing bad happening. Cybersecurity risks are frequently misunderstood or simply ignored, which is a serious misjudgment that has already caused major damage to many organizations and has put quite a few out of business.
It seems like remote work is not going anywhere, so what actions can businesses take to protect their workers and essential customer data?
Remote access to corporate resources and assets requires appropriate technical security of the services being accessed (for example, the company's VPN or, more generally, the corporate applications), at the endpoint, that is, the users' workstation, and everywhere data is transmitted. The challenge is to find the right balance between controls, technical restrictions, and usability. For example, access to corporate resources from non-corporate devices might be restricted or could be allowed only after passing certain security checks. At the same time, businesses need to provide user-friendly and performant solutions for remote work to avoid encouraging potentially unsafe workarounds.
Talking about individual users, what personal security tools should more people implement?
Using an anti-malware solution and a firewall and ensuring that your software is up to date helps a lot. Also, using a password management solution and two-factor authentication for online services are very good ideas. However, security awareness is at least as important: don’t click on everything.
In your opinion, what kind of threats are we going to see more of in the next few years?
Ransomware. It is just too easy for attackers to make money this way. Also, the continuous acceleration of new technologies, more features, and shorter life cycles will continue to increase complexity, which is generally adversarial for cybersecurity.
Share with us, what’s next for scip AG?
Over the last few years, we have seen a growing demand for full-scale red team assessments, and scip is excited and very well positioned to further expand our market position in this area. We expect demand for our cyber threat intelligence and research services to continue to increase, also on a global level.