Florian Hansemann started out as a gamer, later wanted to become a submarine commander, joined the German army and then studied aerospace engineering. But when love and later family planning intervened, the captain at sea turned to a job on land in security management. It was here that Hansemann rediscovered his passion for IT and started live hacking on the side. He made a name for himself with consistent social media work and the publication of more than 30 zero-day vulnerabilities.
Today, with 75,000 followers on X and other platforms, Hansemann is one of the best-known German-speaking cybersecurity experts and has been listed as one of the Top 21 global red team and security sources worldwide in 2018 and 2019 by Techbeacon and SentinelOne. With his company, he looks after customers ranging from Swiss cheese dairies to defense companies.
Hansemann spoke at a DACH CompTIA Community meeting in Munich, where he shared his views on IT security as well as problems with NIS2 and the like—and of course didn't leave without giving a few security tips.
How do you see the current IT security situation in Germany?
I see two major problems in security. First, many managing directors have not yet understood the importance of IT security. They see it merely as a transitory cost center in accounting. Investments in security or IT in general are more of a nuisance for them. They don't understand that IT has long since formed the basis of their business. And that's a bit schizophrenic, because they have saved a lot of money in recent years.
By managing directors, do you mainly mean SMEs?
No. That applies to everyone. Sure, international corporations are more likely to have it on their radar. But very few really see IT as an asset that delivers added value. Everyone has saved a lot of money in the last 10 years through rationalization and automation or through sales automation. They have generated a lot more turnover, but in return have invested nothing in optimizing IT security.
I always say, "You have been able to increase your turnover by a double-digit or even triple-digit percentage over the last 10 years. So why have you reinvested so little in security?
What is the second major problem?
It's much worse: People are getting lost in complexity, allowing themselves to be blinded by the marketing of companies that talk about next generation AI, blockchain and similar buzzwords—and offer solutions that are bursting with cyberbull bingo terms.
In reality, 80% of companies have problems here in Germany. We rarely hear about them, usually only when a major security breach makes it into the evening news. In most cases, there is a lack of such fundamental things as functioning patch and asset management. Even these rather boring topics are not under control.
I always like to compare this to building a house. You shouldn't lay the roof tiles first. The foundation must be laid first. Translated into security measures: Patch and asset management should work first, before thinking about modern buzzwords such as AI, SIEM (security information and event management) or even ZOC (zero eyes operations center). Unfortunately, most start at the top and have no foundation.
There is a lack of knowledge about what the right solution is and who the right service provider is. Instead, businesses get lost in trivialities. Added to this are such banal topics as data backup. By now, you would think that everyone has a backup. Far from it! No matter how big the company is. And not all backups are the same. My message is clear: do your homework before you get involved with trendy security topics. Documentation, processes, all boring, but necessary.
Can AI help with these boring tasks?
I always find it difficult to use tools if I don't know what I want to achieve with them. AI doesn't solve problems that you haven't solved for years because you haven't dealt with them. "A fool with a tool is still a fool."
AI can provide very good support, but only if I know why and with what goal in mind. Otherwise, I think it's rather dangerous to rely on AI now.
So start with the basics, define goals and look at who is responsible, who has which security tools, who has which access rights, what is the internal structure?
Exactly. You should build up a network of trustworthy service providers if you don't already have one—and exchange ideas with others, like here in the CompTIA Community. The topics have long since become so complex and specialized that you really need specialists everywhere.
What do you think of the much-discussed NIS2 directive, will it contribute to greater security?
I find it very double-edged and just as difficult as data protection, keyword GDPR. The liability issue is a central problem with NIS2. There is a real possibility that managing directors could be held personally liable without the usual limitations of liability of a GmbH taking effect. In the event of non-compliance with the regulations or serious breaches, this can lead to an entrepreneur who has employed thousands of employees for decades and paid high taxes being forced into personal insolvency, as they must pay up to 3% of their annual turnover.
In addition, there are currently no clear guidelines for the implementation of NIS2. The directive is very vague and leaves room for interpretation. One example of this is the elastic term "cyber hygiene". If you read the directive carefully, it becomes clear that everyone needs security and incident response management (SIRM) and must carry out penetration tests.
Politicians should listen more to the experts instead of relying exclusively on large and expensive consulting firms. It would make sense to involve experts who work in this area daily and can contribute their knowledge and experience. Cooperation between politicians and experts could be an effective way of developing sensible legislation.
What could these measures contribute to?
That politicians are better informed and can make well-founded decisions. It is important that politicians listen to the expertise of those who are intensively involved in the topic. This is the only way to develop sensible and effective laws.
There should be an exchange. Companies should not only have to draw up final reports after security incidents, but in return should be given access to a knowledge database in order to find out about tried and tested solutions.
Of course, security precautions must be taken to ensure anonymity. However, it would make sense for companies to receive and share information about successful measures against threats such as Lockbit. This creates added value for both sides.
Additional Security Tips for MSPs
Meanwhile, Hansemann also recommends that small, medium-sized and large companies look at important measures that can be implemented relatively quickly:
Review macros in Microsoft Office and other productivity tools or seek advice or search online for solutions to fix the problem. It's a serious issue.
Review local admin passwords in Windows domains, regardless of company size. Most of the time, all local admins have the same password. Free tools, including one from Microsoft called Labs, take as little as 30 minutes to implement and solves the problem.
Email security settings in the DNS server such as SPF, DCAM and DMARC. They are very easy to implement and prevent attackers from sending fake emails on behalf of customers, suppliers or even yourself.
Be aware. It is crucial to permanently sensitize employees through awareness campaigns and phishing tests. You can carry out such tests yourself or use service providers. The main thing is that something is done in this direction.
It is also important to appoint a security officer in every company.
And finally: Practice. You can have lots of emergency plans and invent lots of things to make you feel secure. But why not do a pen test or a simulation game for a cyber emergency? Then you can see if everything you've thought up works. Practice so that you won't be confronted with it for the first time in an emergency.
Want More Cybersecurity Information?
Download the DACH research brief for the CompTIA State of Cybersecurity 2024 report.