Offer in cooperation with ARCLAVIS Consulting & Solutions
strategy and planning
The digital world is increasingly becoming the key to the modern communication society. We support you with know-how in technical and organisational matters.
• Information security management, IT risk consulting, evaluation and consulting of new systems, status quo analysis
network and infrastructure
To keep everything running smoothly, a coordinated IT infrastructure is essential. It forms the basic structure of your company, and unreliable availability can cost a lot of time and money.
• Cloud, server & network infrastructure, network security
education and training
Employee training is a valuable investment in your company's future. It increases know-how and advances your company's security goals.
• Workshops, trainings, security awareness trainings
All services focus on the security objectives of information security ('CIA triangle').
The security objective 'confidentiality' ensures that only authorised persons can view data. This plays a particularly important role for sensitive or personal data. To this end, not only storage and access authorisations have to be secured, but also the transmission of data (e-mail, etc.).
Integrity assurance deals with the issue of 'intactness'. This involves ensuring that data has integrity, i.e. that it has not been altered. Unnoticed modification in particular is a major problem.
The security objective 'availability' addresses the prevention of system and data failures, so that all data is available whenever it is needed.
The following sub-areas of IT security are particularly relevant for OmniCreo's customers:
Strategy & planning, network and infrastructure
Data security plays an important role on several levels: on the one hand there is the storage of data, and on the other hand its transmission and access.
◦ Storage location (on-premise, cloud, purely local)
◦ Backup strategy
◦ Access permissions
◦ Data classification (public, internal, confidential, ...)
◦ Transmission of data (e-mail, encrypted)
Analysis of the current strategy and situation; planning and implementation of measures on the basis of a customer meeting in which data is classified and access authorizations are determined; consultation in the event of ambiguities; training of employees in the handling of sensitive/internal data.
In a law firm, every employee has full access to all current and closed cases. This is relevant insofar as past work can be referred to when drafting new issues.
The firm is representing a party in a major corruption scandal. One of the trainees was brought in by the other party to find out the defense strategy. However, this trainee is working on a different case and has nothing to do with the corruption scandal. Because every employee has access to the archive and the current cases, the trainee can read the confidential information on the corruption scandal (industrial espionage).
The employees of the law firm work in their home offices due to COVID-19. Since the law firm only owns stationary computers, the employees use their private laptops for this purpose. One of the employees, without any malicious intentions, catches a virus, which then scans and encrypts the data. The data can no longer be read, and a ransom must be paid to decrypt it ('ransomware').
Strategy & planning, network and infrastructure
Endpoint security involves ensuring that employees' laptops and PCs are up to date in terms of security technology and that a security strategy is established and continuously developed.
Evaluation of the current state, planning and development of a security strategy, awareness training with employees
-> Scenario 2 from 'data security' is also applicable here
An employee of a large hospital receives an e-mail with a report. In order to file it in the patient's file, he opens the PDF. However, it is infected with malicious code, which installs a trojan on the system. This trojan has keylogging and RAT (remote access tool) functionality, so that the attacker can log all keyboard entries and take over the computer remotely.
Not only is confidential / personal patient data compromised, but remote access also gives the attacker the ability to issue forged COVID vaccination certificates.
trainings & education courses
90% of data breaches are due to human error, and 55% of companies neglect employee training. To counteract this and make employees aware of security issues and attack vectors, employee training / awareness training is essential. In such trainings we either address explicit deficits or tailor the workshop to the company in order to strengthen general awareness.
IT security workshops and trainings/education courses
The accounting department of a company regularly receives emails from the management with remittance requests. The accounting department carries these out as ordered by the supervisor. An attacker knows this process in the company and sends his own payment requests to the accounting department. In the course of this, over 42 million euros are stolen ("CEO fraud").
An employee receives an email from the IT department asking him to change his password as it is about to expire. The employee clicks on the link and is redirected to Microsoft's login page. However, the email was actually sent by an attacker and the login page was forged, which allowed the attacker to obtain the employee's password (phishing).
LET'S WORK TOGETHER