The enormous risk that powerful IT security solutions can pose only became clear to many managers after the BSI warned organizations against using Kaspersky software. But how can companies find reliable security providers now? Here we investigate and give our advice on which products and manufacturers can still be trusted.
The Russia-Ukraine conflict has also caused a lot of upheaval in IT security. Currently, the Federal Office for Information Security (BSI) assumes an increased threat to IT security in Germany. In March this year, the BSI also issued its first clear warning against the use of anti-virus products from the Russian IT security company Kaspersky. The BSI recommends that applications from Kaspersky’s portfolio should be replaced by alternative products. Nothing like this has ever happened before.
Why the BSI sees threats to national security
In June 2022, BSI president Arne Schönbohm reiterated his previous warning. At the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institute, he was quoted by Heise Online as saying: “I am absolutely serious about warning organizations not to use Kaspersky products”. He went on to call continued use of the company’s products “negligent” and a “threat to national security”. As a consequence of the Russia-Ukraine conflict, the anti-virus software manufacturer can no longer be trusted. Potential risks include the company being spied on itself or even forced to carry out attacks.
According to the BSI, the problem with the Russian antivirus software is that it “has extensive system permissions” and “has to maintain a permanent, encrypted and uncheckable connection to the manufacturer’s servers (at least for updates).” On the other hand, “trust in the reliability and manufacturer’s own security measures and independence is crucial for the safe use of such systems.” If there are any doubts about the reliability of a manufacturer, virus protection software carries a “serious risk for IT infrastructure”.
How switching manufacturers can avoid backdoors and kill switches
The BSI therefore recommends that “applications from Kaspersky’s anti-virus portfolio should be replaced by alternative products”. The authorities did not want to say which these could be. However, the warnings from the BSI make it clear that the IT security situation has changed this year. Almost any IT security software can contain backdoors or kill switches and may be misused for cyber attacks. Companies in Germany must therefore ask themselves who they can trust and where they want to source their IT security products from.
Given the current situation, the manufacturer’s country of origin is particularly important. But even before that, there was a growing trend in the IT sector towards software “Made in Germany”. Analysts have said that many companies consider the risk of buying a compromised product from a German manufacturer to be significantly lower than from manufacturers abroad. Unfortunately, there have also been several backdoors reported in American products.
What companies should consider when choosing IT security providers
Fortunately, Germany has produced some security companies with an excellent reputation. German IT security providers such as NCP, the antivirus provider G Data, or the network and security manufacturer Lancom Systems have for years attached great importance to their products being “Made in Germany” and meeting the highest standards. For example, NCP guarantees customers the following:
- No backdoors in our software
- Fast and direct support
- Data sovereignty/digital sovereignty (data is not stored or processed abroad)
- VPN products that conform to the highest security standards for different requirements, from entry-level solutions to enterprise and VS-NfD with BSI approval.
G Data also offers a “No Backdoor Guarantee”, “Software & Support from Germany” and “Data processing only in Germany”. In doing so, the company addresses another problem that plays an important role in IT security: the insatiable hunger for data of American corporations and authorities. Here, too, the tide is currently turning.
In mid-2022, the European Court of Justice (ECJ) overturned the Privacy Shield, which regulated the protection of personal data between the European Union and the USA. Judges concluded that the level of data protection in the United States is not sufficient. Personal data of European citizens may therefore no longer be transferred to the US. Ireland’s data protection authority, which has been idle for a long time, has also awakened from its hibernation. It now wants to prevent Facebook’s parent company Meta from transmitting user data overseas.
Companies that rely on European providers with data processing within the EU for their IT security do not have to face these problems. Organizations can find trustworthy providers more easily if manufacturers support initiatives such as the “IT Security Made in Germany” seal of the IT Security Association Germany (Teletrust). Interested providers may use the ITSMIG seal for a set period of time if they meet certain criteria:
- The company's headquarters must be in Germany.
- The company must offer trustworthy IT security solutions.
- The products offered may not contain hidden backdoors.
- The company's IT security research and development must take place in Germany.
- The company must commit to complying with the requirements of German data protection law.
In the event of subsequent non-fulfillment of one or more of these criteria, the use of the seal may be prohibited. This makes the seal a helpful way for companies to identify trustworthy IT security providers. Another “Made in Germany” software seal is offered by Bundesverband IT-Mittelstand.
Let’s sum up:
In the past, many companies have paid little attention to the manufacturer as a potential risk to their IT security. In the meantime, however, concerns about the continued use of hardware, software and services from abroad are no longer being raised only by authorities such as the BSI. True IT security no longer depends solely on the products used. Companies also need advanced concepts and best practices to protect their data on a permanent basis and effectively ward off both criminal and government cyber attacks.
That is why our CEO and Managing Director, Patrick Oliver Graf, says: “As a German manufacturer with our development team based in Nuremberg, we stand for ‘Made in Germany’ and offer customers security and independence even in the event of future changes in world affairs.”