What is Data Security?
Data Security has become a top priority since strict data protection directives came into force in Europe, all the more so as attacks on IT systems have greatly increased in number and harmfulness. Jan-Oliver Wagner, CEO of Greenbone, talks about the challenges for IT managers and the most efficient data security strategies.
Table of Contents
- What role does Data Security play today, following the introduction of the GDPR?
- What are the most common threats that companies and institutions face today in terms of Data Security?
- How does the threat situation in terms of Data Security differ between companies and government institutions?
- The requirements for Data Security in companies have increased significantly. Which aspects of Data Security should companies tackle first?
- What measures have proven successful in companies to improve Data Security? Are there differences between large and medium-sized companies?
- What are the most common mistakes you see companies making in terms of Data Security and how can they be avoided?
- How would you categorise the importance of vulnerability management tools in a company’s Data Security strategy?
- Why should companies favour open source-based tools when it comes to securing their data?
- Which new trends or technologies do you consider to be forward-looking in the area of Data Security?
- How can companies prepare for future challenges in Data Security?
Dr. Jan-Oliver Wagner, CEO and Co-Founder of Greenbone
What role does Data Security play today, following the introduction of the GDPR?
We already had a high legal standard in Germany, but harmonisation at European level has given new impetus to the issue. Since the GDPR came into force, the demarcation between the EU and the rest of the world has played a greater role. However, the GDPR is about data protection, not Data Security. Data protection regulates who is allowed to do what with which data. Data security is about how data is protected. Of course, the two are closely linked.
In Europe, data protection is a human right; in the USA, it is a civil right. This creates an unresolved conflict when it comes to the Data Security of European citizens. For practical reasons, the problem is often ignored, even at the highest levels.
The more we talk about data protection, the more we talk about Data Security. Data is more secure when good data protection concepts are used, but above all when the data processing IT is secure. The latter in particular is the central topic at Greenbone, and we are receiving more enquiries as a result of the GDPR, especially as we treat all data in strict compliance with the GDPR ourselves as a German company. In practice, Data Security is often linked to compliance.
What are the most common threats that companies and institutions face today in terms of Data Security?
In terms of quantity, these are attacks that can be automated. In other words, attacks on vulnerabilities in order to subsequently activate ransomware or other malware. There are also DDoS attacks (Distributed Denial of Service), phishing and other forms of social engineering. Attacks on vulnerabilities and social engineering are also often combined. Because the costs of such attacks are extremely low, almost every company and authority is now attacked several times a day.
How does the threat situation in terms of Data Security differ between companies and government institutions?
Basically, there is no difference. Both groups process sensitive personal information of citizens, be it data in the handling of sovereign tasks, such as the creation of identity cards, or be it health data in private clinics. The risk is higher if there is either a particularly large amount of data in one place or if the protective measures are too weak. The greatest risk is when both come together.
The requirements for Data Security in companies have increased significantly. Which aspects of Data Security should companies tackle first?
There are two lines of action that need to be pursued: organisational and technical measures. In addition to the requirements of the GDPR, the former also include risk assessments, security awareness and compliance.
The technical security measures can usually be established more quickly. From our experience, we know that organisations often have an incomplete picture of their IT infrastructure, and what is not known is not taken into account in security measures. Therefore, the most urgent first measure is to use automated checks to record the IT infrastructure and its security status as completely as possible. Prioritisation can be derived very quickly from this with the right tools. If there are already organisational risk assessments, this also helps.
What measures have proven successful in companies to improve Data Security? Are there differences between large and medium-sized companies?
I have no insight into the measures taken by a sufficiently large number of companies to be able to make a solid statement here. When defining compliance rules, I would definitely recommend keeping in mind that those that can be checked automatically are much better suited to a permanent security process than those that have to be checked manually. This applies in particular to technical specifications for IT systems.
If you look at the three scenarios that can happen to data, i.e. deletion, manipulation and copying, a good backup strategy is of course of great importance for two of them if all other security measures have failed. It is particularly important to identify the time of the attack. For vulnerability scans, for example, this means carrying them out regularly in order to recognise when and for how long an attack was possible. If you know your vulnerabilities, you will be able to act, even if you cannot eliminate all vulnerabilities promptly or at all. Large companies are more likely to be targeted by APTs (Advanced Persistent Threats) than smaller companies. Multi-layered security concepts are important here.
What are the most common mistakes you see companies making in terms of Data Security and how can they be avoided?
By far the most common mistake is that systems with vulnerabilities are not secured in good time, even though the vulnerability is known and a remedy is available, for example in the form of an update.
How would you categorise the importance of vulnerability management tools in a company’s Data Security strategy?
There are so many new vulnerabilities in a company’s IT system every day that it is impossible to eliminate all these points of attack. You are forced to take a certain amount of risk because you can only solve some of the problems. Vulnerability management solves two essential challenges: It allows IT managers to prioritise which vulnerabilities should be addressed with the limited resources available, and it gives them precise knowledge of the remaining risk. This is the only way for a company to remain capable of acting at all times – in day-to-day business or in case of a crisis.
Why should companies favour open source-based tools when it comes to securing their data?
Data security is above all a question of trust. You have to be able to trust your suppliers and the tools when it comes to protecting your data. It is well known that transparency helps to build trust. This is true in society and also in technology. Nevertheless, the open source feature alone is not enough. The manufacturer must of course establish extensive quality assurance measures.
Which new trends or technologies do you consider to be forward-looking in the area of Data Security?
Of course, AI is a forward-looking trend because it is also an attractive technology for attackers. For example, Large Language Models (LLMs) can significantly increase the success rate of phishing. On the defence side, LLMs are likely to be increasingly used to predict attacks. Machine learning, on the other hand, will in future help defenders in particular to become faster in the fight against automated attacks.
For me, the trend towards better and more automated processing of vulnerability information is particularly relevant. The more information about vulnerabilities, products and threats is shared and standardised, the better the new technologies will develop. The Common Security Advisory Framework (CSAF) supported by the BSI (German Federal Office for Information Security) is one of these.
How can companies prepare for future challenges in Data Security?
Attackers are diversifying and automating themselves. Companies must do the same. In the face of many problems, companies must always do the most important things first. Only strictly evidence-based action can help here.
About the expert
Dr. Jan-Oliver Wagner, CEO and Co-Founder of Greenbone
- Degree in Applied Systems Science, University of Osnabrück
- Doctorate: Mathematical simulation modelling
- Founder of Intevation GmbH
- Popular keynote speaker and panel discussion participant, e.g. at: Potsdam Conference for National Cyber Security, Public IT Security (PITS), Bechtle Forum “Security Edition”