Geopolitics, hybrid threats and vulnerable supply chains have made corporate security more strategic than ever. In this interview, Björn Hawlitschka of MACONIA GmbH provides insight into current threat scenarios and practical recommendations.
Mr Hawlitschka, to what extent are companies more exposed to geopolitical risks today than they were ten years ago?
Björn Hawlitschka: I studied political science and then worked for a long time at the Federal Academy for Security Policy. Even then, we were working with an expanded concept of security in which networking and strategic thinking played a major role. Today we can clearly see that geopolitical risks have become more complex. In the past, companies could afford the luxury of keeping IT and security strictly separate. Conflicts such as the war in Ukraine, the pandemic and supply chain issues have shown us how vulnerable our systems are. It only takes one freighter stuck in the Suez Canal to bring entire production chains to a standstill.
Why are critical infrastructures and companies increasingly being targeted by states or non-state actors?
Björn Hawlitschka: On the one hand, we see classic, economically motivated cybercrime – such as the Darkside attack on the Colonial Pipeline in 2021. On the other hand, politically motivated sabotage is also on the rise. Both are dangerous. It becomes particularly perfidious when attacks take on hybrid forms, combining physical and digital sabotage. The motives range from economic blackmail to the deliberate destabilisation of entire societies.
Which sectors are particularly at risk, and which threat scenarios do you see as most critical at the moment?
Björn Hawlitschka: Traditional industries such as energy, chemicals and technology are of course in the spotlight. But small and medium-sized enterprises or municipal institutions are also vulnerable, for example to ransomware. It is particularly critical if social services can no longer be paid out in the event of such attacks. This undermines trust in government and can exacerbate social tensions.
Do you see a trend towards targeted hybrid threats, i.e. a combination of physical sabotage and cyberattacks?
Björn Hawlitschka: Absolutely. In Ukraine, we already saw a combination of cyber attacks and physical sabotage in 2015. This type of threat will increase because it is particularly effective.
What basic security measures should companies take to protect themselves against digital threats?
Björn Hawlitschka: A solid risk analysis that maps all business processes is important. This includes a business impact analysis: Which processes are most critical? How long can they be down? And patch management! This sounds banal, but many vulnerabilities arise because available security updates have not been installed. Employee awareness also plays a major role – after all, people are both the biggest vulnerability and the most important resource.
How can physical security measures be effectively integrated with cyber defence strategies?
Björn Hawlitschka: The zero-trust approach is very helpful here – not only in IT, but also physically: don’t blindly trust anyone, even if they are in the building. Awareness has to be trained in all areas. Many companies protect the outer ring very well – but once someone is inside, they can move around freely. That is a risk.
Are there any best practices or specific examples from the corporate world that can serve as models for security strategies?
Björn Hawlitschka: Microsoft’s Zero Trust model is a good example. Or Toyota, which revised its supply chain strategies after Fukushima and is now planning with more redundancy. It is important not just to react, but to learn from crises.
What measures would you recommend to companies that are at the beginning of a professional security strategy?
Björn Hawlitschka: The first step is to know your own processes. If you don’t know what your “castle” looks like, you can’t protect it. Then comes a business impact analysis. And finally, you should carry out realistic emergency exercises. Red team tests – i.e. external attacks to identify vulnerabilities – are also highly recommended.
How should companies deal with the challenge that security measures are often seen as a cost factor rather than an investment?
Björn Hawlitschka: I recommend two calculation models: Firstly, how much would real damage cost? Second, what business will I miss out on if I don’t have certifications or ISMS/BCM systems in place? More and more customers, especially in the banking sector, are demanding proof of security. If you have nothing to show, you will lose business.
What physical security measures are particularly important for companies with distributed locations or hybrid working models?
Björn Hawlitschka: If there are several sites, it should be clearly defined who is responsible in which situation – especially at what level of severity the “head office” takes over: Already in an emergency or only in a crisis? This requires defined escalation levels. And, of course, regular emergency drills – both local and central. The important thing to remember is that even small incidents can have a big impact. That’s why preparation is everything.