No way back from New Work

The world of work has changed forever. Companies that have only just recognised the benefits of online collaboration solutions can usually no longer imagine ever working ‘the way they used to’ again.

Communicating via e-mail and telephone? Decisions only in face-to-face meetings? Not only does this idea smack of the past, it is also no longer a serious option for reasons of efficiency.

The human security gap

But what if this new way of working comes with a risk that many have not (yet) recognised? A risk that, in case of doubt, threatens the very existence of the company? At the Forum International de la Cybersécurité (FIC 2021) in Lille, Manuel Bohé, CEO of the Concepture Group, discussed this topic with Boris Lecoeur (Directeur Général, Cloudflare France), Sébastien Jeanjean (Co-Founder, Tixeo) and Paul Giraudon (CTO, Jamespot), moderated by Luména Duluc (Déléguée générale, Clusif).

Everything under control – or not?

We have become so accustomed to cloud-based solutions such as Office 365, G-Workspace, Salesforce, etc. that working without these tools is now almost unthinkable for many. Over the course of the pandemic and with the experience gained from the first few months of working from home, we have embraced virtual whiteboards, task and project management platforms, online chat, enterprise social networks and, of course, video conferencing.

This raises the question of which companies we are actually entrusting with core elements of our operational business processes. Companies are de facto handing processes that they used to control themselves over to third parties, and the circumstances under which this happens are not always clear.

Permissibility of use – the GDPR dilemma

Following the CJEU’s ‘Schrems II’ judgement, the European Data Protection Board was tasked with developing concrete proposals for how EU-US data transfers can still be carried out. The final version of these proposals has been available since 18 June 2021. Among many other points, they include a clear statement on the storage of personal data in cloud services. As access by US authorities cannot be ruled out …

… storage is only permitted if the data is cryptographically protected
… and the key is held exclusively by the data exporter.

However, there is currently no technical way to fulfil these requirements, at least not if the software is to retain its function. All currently popular providers need to process the data in clear text on their side. This applies to providers such as Salesforce, Monday.com, Atlassian, Smartsheet or Wrike, as well as to those often used for collaborating on documents, such as Office 365 or G-Workspace.

At present, there is simply no way of providing cryptographic protection for extensive database content and keeping it accessible for day-to-day work.

‘The “Schrems II” judgement and the resulting abolition of the Privacy Shield have created a massive problem in practice. The new standard contractual clauses can regularly only be applied after an individual risk analysis. The recommendations of the EDPB (European Data Protection Board) require data controllers to carry out risk analyses that are difficult to perform. If the supervisory authorities do not make improvements here and provide companies with binding guidelines that can be implemented in practice and are based on the risk-based approach of the GDPR, this will make it increasingly difficult for companies outside the EU to participate in the market within the EU.’

Under these circumstances, the use of US SaaS providers, among others, remains unauthorised. And even if we have familiarised ourselves with Google, Microsoft and others, the use of their cloud services is associated with a risk. Companies that consciously decide to use them should be aware of the risk of being fined by a data protection supervisory authority.

On the other hand, there are start-ups with limited financial and human resources that often have to rely on small teams or individual developers and therefore sometimes prioritise speed of development over security. Their applications are also not particularly attractive to white hats: discovering a vulnerability in them attracts little attention in the scene or in public, and as a rule these companies pay no bug bounty, or at least not an attractive one. In principle, small and medium-sized companies are perfectly capable of developing and operating applications with a high level of security, but only if security is given a correspondingly high priority. Whether this is the case with a given provider should be checked thoroughly and by experts; certification according to ISO/IEC 27001 alone is not sufficient evidence.

Manuel Bohé

CEO
Manuel Bohé is your contact for everything to do with information and cyber security and advises our customers online and on site.
