
b.r.m. IT & Aerospace is your reliable IT service provider for cyber security

Cybersecurity

In today's digital world, the IT security of corporate data and digital business assets is of paramount importance. The new SonicWall Cyber Threat Report 2024 offers revealing insights into the current cyber security situation that every company should be aware of. As one of the leading regional IT service providers in Bremen, b.r.m. IT & Aerospace offers customized solutions to master these challenges. We specialize in IT service, IT security and green IT.

Strong growth in cyber threats

The new SonicWall report shows alarming growth in digital threats: cases of malware, encrypted threats and cryptojacking attacks are all on the rise. The 659% increase in cryptojacking reported by SonicWall is particularly critical. These findings underline the need for a robust, professionally run IT security strategy.

Customized IT service for companies in Bremen

At b.r.m. IT & Aerospace, we are convinced that every company has individual security needs and benefits from a customized IT service. Our experts use current threat findings and modern technology to develop security measures tailored to your needs, so that your company is protected today and tomorrow. Proactive defense beats reactive clean-up: with continuous monitoring and threat intelligence, we identify threats before they can cause damage.

Cyber Threat Report underlines the relevance of professional IT service

The findings of the SonicWall Cyber Threat Report 2024 highlight the need for a strong IT service. As a professional company with over 30 years of experience, b.r.m. IT & Aerospace is ready to support you and your company with first-class IT service and customized security solutions. Please contact our managing director Harald Rossol to find out more about our IT service in Bremen. You can reach us by phone at +49 421 34 14 94 and by e-mail at brm@brm.de.

b.r.m. IT & Aerospace management system certified for U-Space Service Provider (USSP)

b.r.m. IT & Aerospace GmbH was again awarded the EcoStep certificate on February 23, 2024. EcoStep combines the most important requirements of the ISO standards 9001, 14001 and 45001 in one management system, and b.r.m. is the first company to hold such a certified management system as a U-Space Service Provider (USSP). This milestone is a very special moment for us and underlines our commitment to unmanned aviation. The combined certification recognizes our approach to quality, environmental protection and occupational health and safety.


U-Space Service Provider (USSP)

As a U-Space Service Provider (USSP), b.r.m. IT & Aerospace will play a decisive role in the integration of unmanned aerial systems (UAS) into the airspace. The EcoStep certification demonstrates our commitment to high standards in quality, environmental management and occupational safety, and it confirms our daily work on innovative and safe solutions for UAS and U-Space services. b.r.m. IT & Aerospace is the first company whose management system has been certified for the USSP sector.

EcoStep - More than just a certificate

The EcoStep certificate confirms a management system that has been audited against the internationally recognized ISO standards for quality management, environmental management and occupational health and safety. The audit was carried out by GUT Zertifizierungsgesellschaft für Managementsysteme mbH. The award shows that innovative technology, responsibility and sustainability are compatible rather than mutually exclusive.

UAS opportunities with b.r.m. IT & Aerospace

The opportunities for unmanned aviation are enormous. Please contact us to find out more about the possibilities of UAS, USSP and advanced air mobility. As a certified aviation company, our experts around our managing directors Harald Rossol and Markus Rossol will advise and support you with your project. You can reach us by telephone on +49 421 34 14 94 and by e-mail at brm@brm.de.


DSGVO and GDPR

Compliance with the GDPR (in German: DSGVO, Datenschutz-Grundverordnung) is more important than ever in the age of the internet. The two names denote the same regulation, which sets the basic rules of data protection and data security and requires transparent handling of personal data in order to limit its misuse.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation of the European Union that sets the rules for processing personal data. It applies to all processing of personal data by automated means, and to manual processing whenever the data is stored, or is to be stored, in a filing system (Art. 2(1) GDPR).

These rules apply throughout the EU in both the private and public sectors: every company that processes personal data must comply with the GDPR. This covers natural and legal persons acting as controllers as well as companies that process data on behalf of a third party (processors).

What does GDPR stand for?

The General Data Protection Regulation (GDPR) forms the European Union's legal framework for data protection. It defines exactly how personal data may be collected and processed.

Since May 25, 2018, these rules have applied to all organizations based in the EU that process personal data. They also apply to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour (Art. 3(2) GDPR); what counts is where the data subjects are, not their citizenship.

DSGVO and GDPR at b.r.m.

The Bremen-based IT service provider b.r.m. is known for its GDPR-compliant data center. In addition, b.r.m. has strengthened its security on several fronts: from technical and organizational measures (TOM) to security analyses and risk assessments, b.r.m. (business resource management) is well positioned.

In addition, Harald Rossol and Thorsten Brendel from b.r.m. are engaged as company data protection officers. They are experts in data protection and will be happy to answer any questions you may have.

IT services and IT security - the right partners at hand

In an increasingly digital world, modern IT services are in greater demand than ever, and so is a serious attitude to IT security. Alongside fast, high-quality handling of day-to-day tasks by an effective service provider, data and network security, IT security for short, remains an often underestimated area.


As our partner SonicWall states in its latest annual report, cyber attacks using ransomware and encrypted threats are increasing significantly. Ransomware attacks in particular rose by 105% compared to the previous year and by as much as 232% compared to 2019.

In addition to our data protection expertise in Harald Rossol and Thorsten Brendel, we have extensive know-how in IT security and the GDPR. Together with our partners, we have the concepts to keep your security up to date.

Ransomware - money or computer?

Extorting a 'ransom' by blocking a computer or encrypting its data has increased considerably in recent years. The user then sees only the attackers' 'ransom note' on the screen. The particularly perfidious part: paying gives no guarantee that the system is unblocked or that the data can be decrypted, and it finances the next attack. 'Buying your way out' is therefore not a reliable option.

Ransomware is no longer confined to one operating system. Whether Linux, macOS or Windows, all users are affected by this digital form of highway robbery. Ready-made building blocks for ransomware, known as 'crimeware kits', have long been offered on darknet markets. Ransomware usually does not encrypt the entire computer but the data that matters to the user, such as the 'Documents' folder under Windows, together with any network shares and cloud-synchronized folders the infected user account can write to.
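What 'encrypting the user's data' looks like from the defender's side can be shown with a simple detection heuristic. The following Python example is added here and is not part of the original page or of any b.r.m. product: it measures the byte entropy of file contents (encrypted output is close to 8 bits per byte, while text and office documents are far lower) and flags a burst of files rewritten with high-entropy content under a new extension, which is the trace a ransomware run typically leaves in file-system events. The sample contents are constructed inside the block; the threshold, the extension list and the burst size are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Constructed samples (not real files): a plain-text document and a stand-in for its
# encrypted version. os.urandom has the same statistical profile as cipher output, so
# no real ransomware is needed to demonstrate the check.
PLAINTEXT = ("Quarterly report: revenue up 12 percent, costs stable. " * 40).encode()
CIPHERTEXT = os.urandom(len(PLAINTEXT))

# Extensions whose content is compressed and therefore high-entropy by design; a
# reading above the threshold is not suspicious for them on its own. (Assumed list.)
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4"}

# Encrypted and compressed data sits close to 8 bits/byte; text, spreadsheets and
# source code usually stay below 6. 7.5 is a common working threshold (assumption).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """High entropy in a file type that should not be compressed."""
    ext = os.path.splitext(name)[1].lower()
    return ext not in COMPRESSED_EXTS and shannon_entropy(data) >= ENTROPY_THRESHOLD


def suspicious_rewrites(events, burst: int = 5) -> list:
    """events: (old_name, new_name, new_content) tuples in time order, e.g. from a
    file-system watcher. A file counts as a hit when it was written with high-entropy
    content under a changed extension. Hits are only reported once `burst` of them
    occur, because a single encrypted file is normal (a user's own archive or
    password database) while dozens within seconds are not."""
    hits = [new for old, new, data in events
            if os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()
            and looks_encrypted(new, data)]
    return hits if len(hits) >= burst else []


if __name__ == "__main__":
    print(f"plaintext entropy : {shannon_entropy(PLAINTEXT):.2f} bits/byte")
    print(f"ciphertext entropy: {shannon_entropy(CIPHERTEXT):.2f} bits/byte")
    attack = [(f"doc{i}.docx", f"doc{i}.docx.locked", CIPHERTEXT) for i in range(8)]
    print("flagged:", suspicious_rewrites(attack))
```

This is a heuristic, not a guarantee: encrypted containers, compressed archives and media files are legitimately high-entropy, which is why the extension allow-list and the burst requirement exist, and a detection like this only buys time. The backups described in the next paragraphs remain the actual recovery path.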

Protection against ransomware is much the same as protection against other viruses and Trojans, because the initial infection usually works the same way. A typical example: the user receives an e-mail with an attachment claiming to be an unpaid invoice, a threat of prosecution from the Federal Criminal Police Office (BKA), or an alleged licence violation reported by GEMA. Anyone who opens such an attachment has handed the blackmailers the 'house key' themselves.

You should therefore NEVER open an e-mail attachment that does not come from an absolutely trustworthy source; GEMA and the BKA still use the good old letter post. Equally important are regular backups of all relevant data on external media that are disconnected once the backup is done, because ransomware also encrypts every backup drive and network share it can reach, and a backup that has never been restored from is not yet a backup. In the browser, the execution of JavaScript can be restricted with extensions such as 'NoScript', and ad blockers also close a common infection route (malicious advertising).
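The lure described above can be checked mechanically before anyone double-clicks. The Python example below is an added illustration, not code from the original page or from b.r.m.: it builds a constructed sample e-mail in the style of the 'unpaid invoice' lure (sender and recipient use the reserved, non-routable example.invalid domain), then triages its attachments without opening them, flagging executable types, double extensions such as '.pdf.exe', and files whose leading bytes do not match their claimed type. The extension lists and file signatures are assumptions chosen for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# File types that run code when opened; an "invoice" should never arrive as one.
# (Assumed list for this example.)
DANGEROUS_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".wsf",
                  ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".iso", ".img", ".docm", ".xlsm"}

# Leading bytes ("magic") a file with the given extension must start with.
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
         ".xlsx": b"PK\x03\x04", ".png": b"\x89PNG"}


def build_sample_message() -> bytes:
    """Constructed sample (not a real mail): the unpaid-invoice lure from the text,
    carrying one genuine-looking PDF and one executable hidden behind a double
    extension."""
    msg = EmailMessage()
    msg["From"] = "buchhaltung@example.invalid"
    msg["To"] = "empfang@example.invalid"
    msg["Subject"] = "Offene Rechnung 2024-0815 - letzte Mahnung"
    msg.set_content("Sehr geehrte Damen und Herren, anbei die offene Rechnung.")
    msg.add_attachment(b"%PDF-1.4\n%stand-in for a real PDF body\n",
                       maintype="application", subtype="pdf",
                       filename="Rechnung_2024-0815.pdf")
    # "MZ" is the header every Windows executable starts with.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="Rechnung_2024-0815.pdf.exe")
    return bytes(msg)


def triage_attachments(raw: bytes) -> dict:
    """Returns {attachment name: [reasons it is suspicious]}; an empty list means
    no finding. Checks are static only: nothing is opened or executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        last_ext = "." + pieces[-1] if len(pieces) > 1 else ""
        reasons = []
        if last_ext in DANGEROUS_EXTS:
            reasons.append(f"executable or script type {last_ext}")
        if len(pieces) > 2 and "." + pieces[-2] in MAGIC:
            reasons.append("double extension: document type shown, other type executed")
        expected = MAGIC.get(last_ext)
        if expected is not None and not data.startswith(expected):
            reasons.append(f"content does not start with the {last_ext} signature")
        if data[:2] == b"MZ" and last_ext not in DANGEROUS_EXTS:
            reasons.append("Windows executable header under a harmless-looking name")
        report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in triage_attachments(build_sample_message()).items():
        print(name, "->", reasons or ["no finding"])
```

Such a check belongs on the mail gateway rather than on the user's desktop, and the 'MZ' and double-extension rules are deliberately strict: a legitimate sender has no reason to deliver an invoice as an executable.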

Firewall: Overcoming walls

A program must open a 'port' (or at least a porthole) if the content it generates is to be visible on other screens worldwide, as in the case of a website. Where something can leave through such a port into the network, something can also come in. This is why 'firewalls' were created: they protect a computer from unwanted access from the network by letting only the desired guests into the harbor, according to defined rules. In a typical set-up, every access has to pass two such walls: a perimeter firewall on the router or at the provider, and a host firewall on the computer itself. The rules should permit only what is needed and drop everything else (default deny), and since rules are evaluated in order, their sequence matters as much as their content.
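How a firewall's 'defined rules' decide which guests enter can be shown with a small rule evaluator. The Python example is added here and is not part of the original page or of any firewall product: it models first-match evaluation with a closing default-deny rule, the stateful acceptance of replies to connections the host itself opened, and what happens when the drop rule is placed first by mistake. The rule set, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "drop"
    direction: str        # "in" (towards the host) or "out"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation
    dport: Optional[int]  # destination port, None = any port


# Constructed ruleset for a web server: the only open "ports" are HTTPS from the
# Internet and SSH from the admin network; outbound traffic is allowed; the last
# rule drops everything else that arrives (default deny).
RULES = [
    Rule("accept", "in", "tcp", "0.0.0.0/0", 443),
    Rule("accept", "in", "tcp", "10.10.0.0/24", 22),
    Rule("accept", "out", "any", "0.0.0.0/0", None),
    Rule("drop", "in", "any", "0.0.0.0/0", None),
]

# The same rules with the drop rule moved to the top: a classic ordering mistake
# that silently shuts the web server off from the Internet.
MISORDERED = [RULES[3]] + RULES[:3]


def matches(rule: Rule, direction: str, proto: str, src: str, dport: int) -> bool:
    return (rule.direction == direction
            and rule.proto in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and (rule.dport is None or rule.dport == dport))


def decide(rules, direction: str, proto: str, src: str, dport: int,
           established: bool = False) -> str:
    """First matching rule wins, as in iptables/nftables chains. Inbound packets that
    belong to a connection the host itself opened are accepted (stateful filtering);
    this is what lets replies to outbound requests back in without an inbound rule."""
    if direction == "in" and established:
        return "accept"
    for rule in rules:
        if matches(rule, direction, proto, src, dport):
            return rule.action
    return "drop"  # no rule matched: deny by default


if __name__ == "__main__":
    probes = [("in", "tcp", "203.0.113.5", 443), ("in", "tcp", "203.0.113.5", 22),
              ("in", "tcp", "10.10.0.7", 22), ("in", "udp", "198.51.100.9", 53)]
    for p in probes:
        print(p, "->", decide(RULES, *p))
    print("misordered HTTPS ->", decide(MISORDERED, "in", "tcp", "203.0.113.5", 443))
```

The evaluator treats an empty rule list as "drop" as well: a firewall whose fallback is "accept" is a list of exceptions without a wall.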

Privacy by design - IT security as a holistic concept

The two terms 'privacy by design' and 'privacy by default' are older than the General Data Protection Regulation (GDPR). However, the regulation has turned them into a binding legal obligation (Art. 25 GDPR).

'Privacy by design' means that a data processing system must be built so that data protection is an inherent feature of the system rather than an add-on; data protection and IT security become system properties. This is realized through technical and organizational measures (TOM), both when the means of processing are determined (system set-up, selection and configuration of software) and during the processing itself (Art. 25(1) GDPR). 'Privacy by default' adds that, out of the box, only the personal data necessary for the specific purpose may be processed (Art. 25(2) GDPR). This is where manufacturers and integrators come in.

'As quickly as possible', 'create transparency', 'minimize', 'enable': phrases from the regulation that have so far created little more than wide scope for interpretation.
In short, the rule of 'privacy by design' does not allow for a standardized answer; what is appropriate depends on the respective processing and its risks. What is clear, however, is that the requirements of the GDPR must be taken into account when a data processing system is set up and when the technology and software used are selected and implemented.
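Art. 25 GDPR itself names pseudonymisation and data minimisation as examples of the measures it expects. The Python example below, added here and not taken from the original page or from b.r.m., shows what 'privacy by design' and 'privacy by default' can look like in an application log: user identifiers are replaced by keyed pseudonyms (HMAC-SHA256) at the moment of recording, client IP addresses are truncated to their network part, and a retention routine deletes records when the storage period ends. The key, the retention period, the record fields and the sample data are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed key for this example. In production it lives in a secrets store, is
# rotated, and is never kept next to the pseudonymised data.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"
RETENTION = timedelta(days=30)  # assumed storage period for the stated purpose


def pseudonymize(user_id: str) -> str:
    """Keyed hash of an identifier: stable, so counting distinct users still works,
    but not reversible without the key and, unlike a plain SHA-256 of an e-mail
    address, not recoverable from a dictionary of likely inputs."""
    normalized = user_id.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6): enough to spot abuse
    coming from a network, no longer a single household."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def log_event(store: list, user_email: str, client_ip: str, action: str, now: datetime) -> dict:
    """Privacy by default: record only the fields the stated purpose (abuse detection)
    needs, and store them in reduced form from the start."""
    record = {"ts": now, "user": pseudonymize(user_email),
              "ip": truncate_ip(client_ip), "action": action}
    store.append(record)
    return record


def purge_expired(store: list, now: datetime) -> int:
    """Storage limitation: delete records older than RETENTION; returns how many."""
    keep = [r for r in store if now - r["ts"] < RETENTION]
    removed = len(store) - len(keep)
    store[:] = keep
    return removed


def demo() -> dict:
    """Runs a constructed scenario and returns the facts worth checking."""
    log = []
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    a = log_event(log, "Maria.Muster@example.invalid", "203.0.113.77", "login", t0)
    b = log_event(log, " maria.muster@example.invalid", "2001:db8:abcd:1234::1",
                  "login", t0 + timedelta(days=20))
    removed = purge_expired(log, t0 + timedelta(days=40))
    return {"same_user": a["user"] == b["user"], "ipv4": a["ip"], "ipv6": b["ip"],
            "removed": removed, "remaining": len(log)}


if __name__ == "__main__":
    print(demo())
```

The point of the keyed hash is that a leaked log cannot be joined back to customer records without the key; if that key is ever stored next to the log, the 'pseudonyms' are no more than identifiers again.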

Interested readers can find the complete Cyber Threat Report 2022 from our partner SonicWall on the SonicWall website.



IT review 2021: IT security, zero-days and Hafnium


In our series "IT Review 2021", we look at the most interesting and dangerous IT security vulnerabilities of the past year, today: zero-days and Hafnium. 2021 was not a good year for IT security and showed once again that IT security must be treated as a continuous process. Defenses must be constantly renewed, otherwise they decay like an old, unmanned castle wall.

The nightmare par excellence: zero-day and IT security

Software manufacturers usually react quickly to security vulnerabilities that become known, or have already identified the problem themselves. A patch closes the gap and the program can continue to be used. This is precisely why it is important to keep IT systems modern and up to date: continuous improvement is the key to stable and secure operation.

A so-called "zero-day", however, is a massive problem. The term means that the vulnerability being exploited has been known to the manufacturer and the public for zero days, so there is neither a patch nor a workaround to close the gap: it was simply not known, and attackers keep their head start until one exists. The most sensational case of zero-day exploitation is certainly Stuxnet, which used several zero-day vulnerabilities in Windows to reach industrial control systems and make them execute unexpected commands.

Zero-days and Hafnium: what happened?

At the beginning of March 2021, four security flaws in Microsoft Exchange Server became public that were already being exploited as zero-days. They were presumably used by the group Microsoft calls Hafnium to systematically scan for and compromise thousands of Exchange servers. According to research, the aim was to install "backdoors" (web shells) on the systems, so the full impact of this vulnerability cannot yet be conclusively determined.

According to some observers, Microsoft reacted more slowly than desired, but the exploited security gaps have been closed: the security updates ensure that the zero-day exploit is no longer usable. Installing them does not, however, remove backdoors placed before the patch. Any Exchange server that was reachable from the internet while unpatched must therefore also be checked for signs of compromise, not just updated.

Proper IT security means continuity

Proper, i.e. reliable, IT security is the wish and promise of everyone entrusted with IT systems. Besides standard technology such as a firewall, a number of conceptual points have to be considered. The familiar triangle of cost, time and quality applies here too, and the time factor in particular makes it obvious that there can be no absolute state of security in a dynamic system. A zero-day exploit distorts the time component so badly that a correct (high-quality) response immediately consumes large amounts of resources. A good IT security policy therefore relies on continuous improvement and adaptation to a dynamic threat environment. Systems must not be operated unattended; acting only when something no longer works inevitably leads to disaster. Effective and efficient action is characterized by continuity. Please also read the statement by Dirk Arendt from Trend Micro.

Commissioned data processing (ADV): not without hurdles

In Germany, Section 11 of the Federal Data Protection Act (BDSG, old version) and Section 80 of the Tenth Book of the Social Code (SGB X) regulated 'commissioned data processing' (Auftragsdatenverarbeitung, ADV), the framework for 'outsourcing' data processing to external third parties. Since 2009, Section 11 BDSG has listed ten points that the written contract must cover, including deletion, reporting obligations and the client's rights of control. Since May 25, 2018, Article 28 GDPR has governed the same relationship under the name 'processing on behalf of a controller', with a comparable list of mandatory contract terms.

Depending on the type of data concerned, the client must first satisfy itself that the contractor is suitable for the task and has introduced and implemented a security concept, in particular the technical and organizational measures. This evidence is usually provided in writing, and only after it has been obtained may the client hand over personal data.

Legally, responsibility for breaches remains primarily with the client, not with the service provider.

BCR: yesterday's news today

The term 'Binding Corporate Rules' (BCR) first appeared in a working document of the EU's Article 29 Data Protection Working Party in June 2003. The idea was to create a flexible instrument for data transfers within a group of companies that would also meet the requirements of data protection law. The result was a procedure that allows companies to structure data protection for transfers to third countries individually, provided that the Binding Corporate Rules applied meet certain minimum standards.

These included, among others:

1. development and implementation of a security concept
2. data protection training for employees
3. mandatory participation in an audit program
4. payment of compensation in the event of violations
5. a regulated complaints procedure
6. assurance of transparency
7. definition of the scope of application.

The advantage of 'binding corporate rules' appeared to be the possibility of individually structuring data transfers to 'unsafe third countries'. The main disadvantage was the high organizational effort and the lengthy approval process. Since data protection subsequently turned out not to be guaranteed even in 'safe third countries' (see, for example, the Facebook and Cambridge Analytica scandal), the European General Data Protection Regulation (GDPR) has now superseded the old Working Party procedure; BCRs survive only as one of the transfer instruments the GDPR itself regulates (Art. 47 GDPR). The new regulation provides for unexpectedly high penalties for companies that do not handle data protection responsibly.

DSGVO: Business cards for the visit

A familiar picture: at the end of a customer meeting, the partners exchange business cards. Both later enter the data into their customer databases and have thereby, if you take the wording of the law literally, already violated the General Data Protection Regulation (GDPR) several times. The GDPR is primarily intended to create 'more data transparency': each partner would have to be informed immediately about which personal data from the card is processed and how, and what rights of objection they have in the course of that processing.

How these information obligations are to be fulfilled is described in Articles 13 and 14 of the GDPR, which also state that the information must be provided at the time the data is obtained. So if two people hand each other business cards, for example at a trade fair, both would have to inform the other about their handling of the data in accordance with Art. 13 GDPR. A short sentence is by no means sufficient for this; the required data protection information barely fits on an A4 page. In reality, strict compliance with the GDPR would resemble a slapstick act, with both parties reciting pages of text at each other. Handing the other person a sheet of data protection information together with the business card, with a request to confirm receipt in writing, would be just as far removed from reality, quite apart from the problem of proving it afterwards.

In view of the impracticability of the GDPR, politicians are already tinkering, and not just on this point. A spokesperson for the Berlin supervisory authority said that the mere "receipt of the business card does not in itself trigger an obligation to provide information"; the duty to inform would only arise once the data on the card is stored. Although this would make things easier, it still conflicts with the reason business cards are exchanged in the first place: companies store the data in their customer management system in order to expand their partner network, in the business interest of both sides. Quite apart from this, the supervisory authority does not state the legal basis for its unusual opinion, which contradicts the wording of the regulation. In other words, the GDPR still conflicts with reality in many respects.

Bitkom Managing Director Dehmel recommends informing every person who has handed over a business card promptly afterwards about the mandatory information in accordance with Art. 13 GDPR in order to offer them the opportunity to object to the data processing at a later date. Such a solution would still contradict the direct wording of the law, but at least it seems more 'practicable'. What the GDPR lacks above all, however, are concrete and legally certain statements and assistance from the supervisory authorities. The GDPR urgently needs practical 'implementing provisions'.

Hands off WhatsApp!

The WhatsApp messenger service is not compatible with the General Data Protection Regulation (GDPR). It should therefore not be used in the workplace. In the words of the Lower Saxony State Office for Data Protection: "The LfD Lower Saxony has already publicly emphasized several times that the use of WhatsApp by companies for business communication violates the General Data Protection Regulation (GDPR)."

The main reason for the infringement lies in the technical process used by WhatsApp Inc., a Facebook subsidiary based in California. A user registers with their mobile phone number, and the messenger then reads the entire address book on the smartphone, including the numbers of people who are not WhatsApp users and have never consented, ostensibly to find other WhatsApp users. This comparison is repeated at regular intervals.

Despite all this data collection, the company tries to shift responsibility onto others: users alone are declared responsible for the legality of the data transmission, so in case of doubt the sanctions of the GDPR would fall on the users alone. According to its privacy policy, WhatsApp also uses the data obtained for its own purposes and reserves the right to make extensive use of the information collected, for example for "measurement, analysis and other company services". In addition, WhatsApp generally shares information with other Facebook companies.

The conclusion of the German data protection experts: "The transmission of contact data from the address book to WhatsApp is regularly inadmissible." To make matters worse, possible sanctions under the GDPR would only affect the company that allowed the use of WhatsApp in its area of responsibility.

The advice to companies and organizations can therefore only be this: Ban the use of WhatsApp at all operational levels.

GDPR: Affected five times over

Compared to the German Federal Data Protection Act (BDSG), the GDPR brings little that is new in terms of 'data subject rights', with the exception of the right to data portability. However, it often spells out the vague requirements of the BDSG considerably more precisely. The data subject rights in detail:

1. The obligation to provide information (Art. 13 and 14 GDPR): This already existed in principle in the BDSG. However, it is no longer sufficient to state the identity of the controller. The contact details of the controller and, where one exists, of the data protection officer must now be given, along with the legal basis on which the data is collected, the intended storage period and the existence of the right to withdraw consent at any time. The biggest innovation is probably that every intended transfer to a third country or an international organization must be disclosed unprompted.

2. The right of access (Art. 15 GDPR): Every data subject has the right to know whether their personal data is being processed and to whom it is disclosed. This corresponds roughly to Section 34 BDSG, but the GDPR extends the scope: the storage period, the purposes and the origin of the data must be stated, as must the rights to rectification, erasure and to lodge a complaint with a supervisory authority. The information, including a copy of the data, must be provided free of charge (Art. 12(5) GDPR), unless requests are manifestly unfounded or excessive.

3. The 'right to be forgotten' (Art. 17 GDPR): Data subjects can request the erasure of their data unless, for example, statutory retention periods (under tax or commercial law, say) require it to be kept. The regulation also addresses downstream recipients: the controller must inform every recipient to whom the data was disclosed about the erasure (Art. 19 GDPR) and, if it made the data public, take reasonable steps to inform other controllers processing it that erasure has been requested (Art. 17(2) GDPR). The duty is one of notification; carrying out the erasure is then the recipient's own obligation.

4. The right to data portability (Art. 20 GDPR): This provision was unknown to the BDSG. On request, controllers must provide the data subject with the data they have supplied in a 'structured, commonly used and machine-readable format'. The paragraph is aimed primarily at 'social networks': anyone who wants to move from Facebook to another provider, for example, must receive their collected 'data treasure' (photos, texts, etc.) in a readable form. The popular excuse of 'technical hurdles' applies only in part: the export itself is always owed, while direct transmission to the new provider is owed only 'where technically feasible' (Art. 20(2) GDPR). How this works in practice is still largely unclear.

5. The right to object (Art. 21 GDPR): Data subjects can object to further processing of their data, for example for direct marketing purposes, in which case processing for that purpose must stop. A similar provision already existed in the BDSG (Section 28(4)).