IT security – simple concept, massive implications

Picture the situation…

Not a great start to your day: there is a complete outage at Zurich Stadelhofen, one of the key stations of Zurich’s urban transit system. No fewer than nine train lines are directly affected by this disruption, including the one you use to get to work. The result is a long wait, with you and numerous other stranded commuters having to hang around on the platform. You check your work email account every so often and respond to various emails. Finally, you get to work. You quickly log in and get on with your working day, albeit rather later than usual. But an email from your CEO with unusual content catches your eye immediately – and then the alarm bells start to ring: What a perfectly camouflaged case of CEO fraud! In your haste you very nearly fell for this scam.

(CEO fraud: scam designed to get companies to transfer money or information on the basis of false email identities; also known as a “business email compromise”, “fake president fraud”, or “bogus boss email”.)

It can happen just like that

Marco Müller, Head of IT & Digitization at Maerki Baumann, knows all about the risk posed by cleverly falsified emails of this kind: “It is quite understandable that emails from a member of the Executive Board will be paid careful attention by employees, who will then often follow the instructions they contain without scrutiny. This can result in devastating economic or material damage.” Cyber-criminals are very cunning, and are always coming up with new strategies. For this reason, the employees of Maerki Baumann are regularly sensitized to the possibility of fraudulent emails and other cyber-attack scenarios. This may take the form of online courses or on-site training modules given by professional IT security experts.
A key aspect of this sensitization process is the need to contact Marco Müller and his team immediately in the event of suspicion: “I would prefer one enquiry too many than the possibility of damaging software being downloaded as a result of an oversight”, is his exhortation to his fellow employees.

IT security in a nutshell

IT security plays a key role when it comes to protecting systems and data against potential threats and actual attacks. In particular, the aim is to avoid the company suffering any economic, material, or non-material damage. Various attack scenarios can be envisaged in this context, including manipulation of website data, gaining unauthorized access to a system with a view to installing damaging software, or the “instrumentalization” of individuals through social engineering.

(Social engineering: attempt to exert influence on an individual with the aim of getting them to behave in a certain way, e.g. divulge confidential information.)

Exposed, but well protected

Being a bank, with the corresponding access to endless financial flows and sensitive data, Maerki Baumann is particularly exposed to cyber-criminal threats. As the world of information technology is changing at a dramatic pace, new areas of vulnerability are continually appearing – and these need to be addressed swiftly and above all in an enduring way. “In the area of IT security too, Maerki Baumann works with a number of experts. This enables us to ensure that our systems are always at the cutting edge of technology and can respond robustly to any attacks”, confirms Marco Müller. So does he have no fear at all of the bank’s operations being sabotaged?
Marco Müller: “Basically no – after all, we are continually working to integrate the best defensive mechanisms based on what is technically possible through multi-layered security procedures and a variety of security systems.” Maerki Baumann also regularly carries out IT security and penetration tests, which are designed to subject the bank’s security systems to the most rigorous review. “That said, as Head of IT & Digitization, I am particularly sensitized to the issue of IT security, as a ‘bolt from the blue’ could come our way at any time”, stresses Marco Müller.

We incorporate multi-layered security mechanisms and a number of different security systems so that we can respond to any attacks robustly.
Marco Müller, Head of IT & Digitization

The most valuable asset – our client data

For a trading company that generates the lion’s share of its turnover via the internet and through e-commerce, a DDoS attack would be devastating. At Maerki Baumann, which offers services in the investment advisory and asset management areas, particular importance is attached to personal contact. Unlike an e-commerce supplier, therefore, a DDoS attack on our website would not prevent us from being able to continue to provide our services as normal.

(DDoS, “Distributed Denial of Service”: cyber-attack method in which a target system and its internet services are overloaded by a huge number of enquiries, thereby making the targeted resource unusable or heavily restricted for users.)

The most serious threat facing Marco Müller and his team (and by extension the Executive Board) would be manipulation of the bank’s e-banking system to the point where the bank’s data is technically compromised. “Sensitive client data can be called up in our systems. In the event of this data falling into the wrong hands, we would suffer huge commercial damage.
And I don’t even want to think of how bad the reputational damage would be...” Our clients can rest assured, however: Maerki Baumann invests large sums in IT security to protect its systems against attacks, viruses, worms, Trojan horses and other forms of cyber threat.

(Technical compromise: A system is considered to be compromised if its data can be manipulated and the system administrator no longer has control over its proper functioning or the accuracy of its content.)

Is your network sufficiently protected?

Such an important question! Nowadays – whether in one’s everyday working life or in the private sphere – an ordinary antivirus programme is no longer enough to protect a network against unwanted attacks. Did you know that simply surfing the internet attracts “evil eyes” to you and your network? Were you aware that publishing photos – e.g. on your Facebook page – can also have the effect of sending personal data into the internet? It is important to regularly ask yourself what you could possibly be triggering by spending time on, and interacting with, the internet. “Always be wary of clicking on a suspect-looking link, and scrutinize any request to enter personal data critically”, advises Marco Müller.

Cyber-attacks? Password espionage?

Your working day – which began later than planned – is about to end. On your way to the station, you ask yourself what could have possibly caused this morning’s total outage of Zurich Stadelhofen station. A cyber-attack? And suddenly you start wondering whether someone might have been surreptitiously looking over your shoulder while you were reading your business emails on the platform. Password espionage? …

Marco Müller

Marco Müller has been Head of IT & Digitization at Maerki Baumann since September 2017. Among other things, this function involves taking responsibility for operational management of all information systems, as well as development and implementation of the IT and digitization strategy.
This also requires him to keep abreast of the regulatory requirements imposed by the Swiss Financial Market Supervisory Authority (FINMA), which Maerki Baumann is obliged to implement as a regulated bank under Swiss law.