In conversation with: Tobias Ludwichowski from Signal Iduna

12 July 2023 · 7 min read

The threat situation is becoming increasingly complex.

In the rapidly evolving world of technology, staying secure in cyberspace has become a concern as crucial as securing our physical surroundings. To explore this complex terrain, we at SoSafe recently had the pleasure of interviewing the Chief Information Security Officer at Signal Iduna, a leading voice in the field of cyber security insurance. 

Signal Iduna has been at the forefront of innovating and adapting insurance solutions to meet the challenges of our digitally interconnected world. They’ve set the standard high by continually ensuring cyber safety without compromising on the digital opportunities that businesses need to thrive. 

In this enlightening interview, we dove into the depths of the current threat landscape, the transformative influence of AI, and the seismic shift to remote work. We also did not miss the opportunity to discuss their specialty: the indispensable role of cyber insurance for companies. Their insights offer a fresh perspective on the ever-evolving cyber risk environment and the role of insurance in mitigating these risks.

Has the perception of information security changed over the years, especially at the top management and advisory board level?  

Regulatory law concerning information security for insurance providers is expanding rapidly, with more laws and regulations being passed over time. The German Federal Financial Supervisory Authority has been taking an active approach to this for some years now. Altogether, there’s a lot of pressure being placed on top management when it comes to this topic, coupled with an increasingly complex threat situation that we’re facing. This is why cyber security awareness at the top management level has become quite high and has risen drastically in recent years. Thankfully, the resources that can be invested here have also become more widely available.  

What’s your view of the current cyberthreat landscape? What trends and developments are you seeing?  

The threat situation is becoming increasingly complex. Supply chain attacks are highly relevant, and our own security is becoming more dependent on that of our service providers. For example, we saw the potential effects of these risks with the SolarWinds incident in 2020, where a targeted attack had global ramifications. Supply chain attacks are a market-wide threat. They’re usually highly complex and far-reaching, so the consequences are immense. As a result, I predict supply chain attacks will become far more frequent. But I’m still seeing more conventional cyberattacks as well, such as ransomware – chiefly in the financial sector due to the amount of sensitive customer data. I think the risk potential of ransomware attacks is somewhat lower in comparison because the points of entry are easier to monitor.

How has the war in Ukraine affected our information security?   

So far, the conflict in Ukraine hasn’t had the dramatic effects on our information security we were expecting at first, so that’s positive. However, I think we must prepare for a new wave of attacks. We know that war is being waged in a hybrid manner, and many people have turned to cybercrime to support one side or the other. When the conflict is over, we might see high ‘unemployment’ among these attackers. These ‘cyber-unemployed’ will then be looking for a new challenge, and they will find it.  

What impact do you think artificial intelligence will have on our information security?  

Artificial intelligence and other types of technology are leading to increasingly complex attack vectors in phishing or spear-phishing attacks. We used to be able to identify attempted attacks right away because of frequent typos, among other things. AI tools allow attacks to look much more professional now, and they can’t be identified at first glance anymore. This leads to a scaling of cyberattacks.  

How has the large-scale shift toward new work models, like remote work or working from home, affected information security?  

These new work models absolutely need to be protected by an appropriate security infrastructure. Employees need to be taught how to secure their mobile or stationary offices outside of their employers’ premises. Personal contact is still important and is lacking in remote work settings, and close communication is paramount to security. Let’s say an employee receives a spam email. They can identify the email as spam much more quickly if they can speak with coworkers about it at their desks. On top of that, employees working from home behave far differently than they do at the office, and they might visit different websites if they’re uncertain. At our company, we haven’t seen any notable difference since switching toward a hybrid work model. That being said, human interaction has to be better supported to ensure a strong security culture in hybrid work models.  

Let’s take a closer look at insurance in the cyber world: What market trends can you see in this area as an industry representative?  

We’re seeing a tendency for cyber insurance to be geared toward a few providers who are prepared to expand their coverage for cyber risks. This is because the cyber risk is difficult for a company to gauge and comprehend when we’re also facing a highly dynamic marketplace of threats. It’s extremely difficult to objectively determine how well a company is covered against cyber risks both now and in the future. The insurance also has to be appealing to the customer. For example, it doesn’t do medium-sized companies much good if the coverage is capped at 200,000 euros. We also must ensure that companies continue to actively combat the risk even with cyber insurance coverage and that they don’t become complacent. This makes cyber insurance challenging at this point in time.  

How can information security be made less obscure and turned into a joint project that – ideally – everyone wants to take an active role in?  

You have to take a two-pronged approach: The first is continuous communication and training to make the potential effects of security incidents visible. For example, it helps to actively inform your employees of the threat situation and certain behaviors. This can also impact security outside of work, which makes the topic all the more palpable, letting them know they need to protect their personal accounts as well.  

Secondly, we must ingrain the topics in processes to the extent that employees don’t even necessarily know that they’re helping improve security. Processes have to be configured such that employees are automatically compliant, which feels like less work for the employees in the long run. Sending out guidelines and expecting them to be read, understood, and translated into correct behavior won’t work.  

What advice do you have for other information security officers?  

We live in an age when we’re obsessed with tools, and we must focus more on how employees are trained and how our processes work. The best tools won’t do anything if there aren’t suitable processes and employees cannot recognize the risks. Then there’s the idea of threat intelligence, meaning that it’s other people who are infiltrating our systems. Human behavior is always most easily detected by other people. If you rely 100% on technology and assume that it will catch everything, you’re making a big mistake. It’s important that cyber and information security strategies are always viewed both jointly and from three perspectives: the people, the technology, and the process. 

Main insights and key takeaways from Signal Iduna  

Signal Iduna’s insights serve as an eye-opening perspective into the increasingly sophisticated world of cyber security. An alarming trend driving this sophistication is the surge in supply chain attacks. As noted by Tobias Ludwichowski, this trend underlines the need to select trustworthy service providers to secure systems. The geopolitical instability evident in scenarios like the hybrid war in Ukraine, coupled with cybercriminals harnessing innovative AI tools to amplify the stealth and sophistication of their attacks, adds further to the growing complexity. Such an unpredictable threat environment inevitably presents challenges to cyber insurance companies, including Signal Iduna, as they attempt to quantify cyber risk. 

Given these circumstances, it is clear that companies must embrace a strong stance on security. Ludwichowski emphasizes that the strategy can no longer be exclusively technology-centric. Instead, a multifaceted approach is needed where the human risk factor is thoroughly examined, factored in, and reduced through improved employee awareness and the fostering of a culture of cyber vigilance. It is through this approach that we can truly recognize the vital role humans play in the security infrastructure of a business.  
