24.7.2025

How Cyber Risk Assessments Optimize SMB IT Security

Risk Assessment | Cybersecurity | Product Insights

For several years now, cyber attacks have been one of the biggest business risks for German companies. Above all, the negative effects, such as data loss or long-lasting business interruptions, are causing problems for the companies. For some, a cyber attack can even threaten their existence. Reducing one’s own cyber risk and thus avoiding cyber attacks should be at the top of the priority list for companies, especially small and medium-sized enterprises.

To minimize these risks, organizations need to take a holistic approach. In addition to preventive measures and established emergency management, this also includes risk assessments. With the Security Baseline Check (SBC), Perseus has developed an approach that is primarily geared to the requirements and needs of small and medium-sized enterprises.

In the following interview with Eugen Leikom, Product Manager for Risk Assessment and SBC, you will learn about the functions of the SBC, what specific research is being done, how companies benefit from using the SBC, and what vision Eugen has for its future.

Eugen, can you give us an overview of what the Security Baseline Check is and how it works fundamentally?

The Security Baseline Check is a review of basic security standards in companies. It serves to examine a company's IT infrastructure and to identify potential for optimization. It is the first step in verifying compliance with basic organizational and technical security measures in companies. The SBC is particularly suitable for companies with up to 100 computer workstations.

The SBC consists of two parts: a questionnaire and a live check. During the live check, selected systems are checked to see whether safety standards are being met. Based on this, recommendations are made for improving and closing potential sources of danger. If necessary, a look at the systems from outside is also taken. In this way, further security gaps can be identified that can be exploited from the point of view of criminal attackers.

What was the reason for the development of the Security Baseline Check? Was there a specific gap in the market that Perseus wanted to fill?

A regular review of the current state of IT security is essential for companies. They want to prove that they are actively taking measures to secure their systems and are continuously improving. However, there is often uncertainty as to whether current safety standards are sufficient. Similar to the TÜV for vehicles, companies want to have an external expert confirm that their IT is still “roadworthy”. Especially in IT security, what was considered secure yesterday may be insufficient tomorrow.

How is the Security Baseline Check different from other cybersecurity assessment tools on the market?

The Security Baseline Check differs from other cybersecurity assessment tools on the market because of its unique approach. While other security checks usually focus on either technical requirements or organizational measures, the SBC offers both. In a personal conversation with the customer, we check the technical requirements and discuss the organizational measures that will be implemented in the company. Our approach is specifically tailored to the needs of small and medium-sized businesses (SMBs) to provide them with comprehensive insights into the state of their IT infrastructure.

What are the unique selling points of the Security Baseline Check that you think will appeal to customers and/or insurance companies?

“The unique selling points of the Security Baseline Check, which will appeal to both customers and insurance companies, are manifold. First, we provide independent security verification that builds trust and transparency. Secondly, our service is specifically tailored to the needs of small and medium-sized businesses (SMEs), which means we have a deep understanding of their specific challenges and requirements. Third, our approach is based on the real causes of security incidents that affect SMBs. This hands-on approach ensures that our recommendations directly target the real threats and vulnerabilities of the companies.”

Can you describe the key benefits a company can expect after using the Security Baseline Check?

Through an independent security review, companies receive an objective assessment of their current security level. This creates trust and transparency, both internally and towards customers and business partners.

After using the Security Baseline Check, companies receive a detailed report that provides an assessment of the extent to which they meet the required minimum standards of IT security. This clear and comprehensible presentation supports companies in improving their security measures in a targeted manner and keeping them up to date.

Regularly reviewing and adjusting security measures promotes continuous improvement and helps organizations better prepare for future threats.

How does the Security Baseline Check fit into a company’s overall cybersecurity strategy?

The Security Baseline Check (SBC) fits seamlessly into an organization’s overall cybersecurity strategy. It is an essential part of the continuous monitoring and review of safety standards. As an integral part of holistic risk management, in which IT security is becoming increasingly important, the SBC helps to continuously improve the company’s security posture.

“A comprehensive IT security strategy consists of four central parts: prevention, risk assessment, emergency response and risk protection. The Security Baseline Check plays a crucial role in risk assessment. By regularly and systematically reviewing IT security measures, the SBC identifies potential vulnerabilities and threats, making it an indispensable element of an effective IT security strategy.”

What kind of companies or industries can benefit most from the Security Baseline Check?

The Security Baseline Check offers significant advantages, especially for small and medium-sized enterprises (SMEs) that do not rely entirely on cloud solutions. Companies where the failure of the systems leads to operational disruptions benefit in particular, as the SBC helps to ensure the reliability and security of their IT infrastructure. This affects companies in all industries, as almost every sector depends on a stable and secure IT environment.

For companies that belong to critical infrastructures (KRITIS) or fall under the NIS2 Directive, more in-depth reviews are necessary. However, the SBC provides a solid foundation and can serve as a first step in identifying security vulnerabilities and taking targeted action. In this way, the SBC ensures that companies not only meet their current security standards, but are also prepared for future challenges.

Is there a success story in which the Security Baseline Check has improved a customer’s cybersecurity posture?

A remarkable success story of the Security Baseline Check shows how it has significantly improved a customer’s cybersecurity posture. Often, customers only become aware during the appointment that their business-critical data backups are subject to a high risk. The SBC covers not only vulnerabilities that can be exploited by hackers, but also technical malfunctions.

A particularly impressive example is a case in which we discovered during the live check that the backups had not been carried out for weeks. The customer’s IT service provider had firmly claimed that there would be error messages in the event of unsuccessful backups. This incorrect assessment could have led to a significant loss of data.

Customers who realize through the SBC that they have not considered certain eventualities receive valuable insights. These insights give them something to think about and help them to position themselves more confidently for the future. Such successes show how the Security Baseline Check helps to improve an organization’s security posture and make it better prepared against various threats.

What is the vision for the future of the Security Baseline Check? Are there any new features or enhancements we should be excited about?

The vision for the future of the Security Baseline Check (SBC) is to continuously improve the cybersecurity posture of organizations and adapt to the ever-evolving threats. One of our latest features is the integration of external scans with Enginsight’s Hacktor, which we offer with a full report. This function uncovers publicly visible vulnerabilities that can also be detected by attackers, such as unpatched servers or open maintenance accesses.

In the future, we will focus more on email security. Attacks in which account numbers on digital invoices are forged are increasingly leading to significant financial losses in the five-digit range. These attacks are often due to weak email security standards. There is still a lot of need for understanding and improvement, especially among small and medium-sized enterprises (SMEs).

Our continuous enhancements and new features aim to proactively protect organizations from emerging threats and give them the tools and knowledge to continuously improve their IT security. With these measures, we want to ensure that the SBC remains an indispensable tool for companies’ cybersecurity strategy in the future.

Why should organizations choose the Security Baseline Check over a more in-depth penetration test or other detailed assessments?

The Security Baseline Check offers a cost-efficient and time-saving alternative. Especially for many small companies, this form of regular inspection is already sufficient. An expensive and time-consuming penetration test is often oversized and not necessary for their needs. The SBC provides precise insights into basic security standards and enables organizations to effectively monitor and improve their IT security without breaking the budget or tying up resources unnecessarily.

With regard to our insurance partners: How can you benefit most from the SBC? Which findings are particularly relevant for insurers?

Our insurance partners can particularly benefit from the Security Baseline Check (SBC) by motivating their customers to complete it. The SBC significantly increases the safety of customers, even if it is only a matter of raising awareness of security measures.

Certain findings are also particularly relevant for insurers: If the SBC is linked to benefits in insurance, this further motivates companies to do more for their security. This can be rewarded by lower premiums for insured companies, which can demonstrate a lower risk of security incidents through the SBC. This targeted risk reduction can help insurers lower the overall risk of their portfolio while improving their customers’ security standards.

Thank you very much for the interview, Eugen!

Get more information about the Security Baseline Check, its components and how to perform it here.