Closing ranks with IT security experts
Those dealing with cyberattacks often find themselves caught in a web of espionage and crime, reminiscent of a thriller. The fact is that no one has to crack a safe anymore to steal large sums of money. Instead, according to a joint situation report prepared by French and German authorities, criminals are increasingly digging for digital gold by tapping into the computing power of other people's machines – and this often goes unnoticed. Online attacks on critical infrastructure – such as power plants – are also considered a worst-case scenario. According to an information sheet, cyberattacks cost the global economy an estimated EUR 400 billion each year.
Certificates aim to create transparency
The EU Cybersecurity Act, which is due to come into force at the beginning of next year, aims to remedy this situation. The act also provides for an expanded and stronger European Network and Information Security Agency (ENISA), which will be tasked with developing a framework for certification – participation will be voluntary, however. The objective is to establish fixed criteria, making it easier for companies to discern how they need to design their product so that it can be considered secure. Up to now, this has been difficult to derive from highly abstract regulations that require interpretation, for example with regard to data protection. Many experts welcome the certification scheme. It not only creates market transparency and facilitates the selection of software and hardware suppliers, but also helps companies to prove that they are in line with state-of-the-art standards in the event of a data leak.
Critics of the EU law argue that a certification scheme does not enhance protection against cyberattacks in Europe and is simply unnecessary for many companies. Because lawyers are not technology experts, applying these rules will require close cooperation and regular exchange with the company’s IT and cybersecurity professionals on issues such as: How does the software work? What threats does it face in the online environment? Which technical measures can be used to fulfill the legal requirements? “The cornerstone of an effective cyber defense is collaboration between the departments,” says Jörg Vocke, Chief Counsel Technology at Siemens AG. “Company lawyers do not have to know how to program, but they should acquire a basic understanding of IT. Having lunch with the company’s experts can really be helpful.”
Focus on firmware
Defending against hackers and deficiencies in the security system does not stop at the factory gate. “The legal department is called upon to establish minimum standards for procurement and supply contracts. Four principles must apply to communication between machines and between people: confidentiality, authenticity, integrity and availability.” Suppliers of products that include embedded software must also be taken into account.
Preparing for emergencies
In the event of a hacker attack, companies should already have appropriate procedures and defined responsibilities in place. Information and support duties must be ensured along the entire supply chain. If an attack is detected, the first step is analysis: Which company data is affected? And how serious is the attack? The next step is to inform customers and law enforcement authorities. Company lawyers are also responsible for examining claims against suppliers and, conversely, the risk and amount of claims for damages against their own company.
Although hackers are becoming increasingly professional in their activities and developing more and more sophisticated technological methods, it remains of the utmost importance for companies to keep an eye on their people: Employees are often an easy target for cybercriminals.
As a result, Chief Counsel Vocke considers one of his most important tasks to be raising awareness among employees via training measures about the dangers of social engineering, for example, in which criminals manipulate employees by taking advantage of their trust and willingness to help. “It takes the right mentality to make cyber security everyone’s job.”
© EUROPEAN COMPANY LAWYERS ASSOCIATION