Thomas Haak has more than 34 years of professional experience in the areas of technology, sales, management and as an investor in companies and startups such as 3Com, Cisco, Compaq, Inktomi, Fortinet, Aruba Networks, Tibco, F5 Networks, Xirrus, Balabit and Cybertrap, specializing in network infrastructure, security and the successful development of sales in EMEA. Together with Bernhard Schildendorfer, he founded the company Lywand Software GmbH in St.Pölten in 2020 and leads the company as CEO.
Hi Tom, we are happy to talk to you about a topic that is as vital for Lywand as it is for ownCloud: Cybersecurity! You yourself have been closely involved with cybersecurity for a long time and founded Lywand almost 2 years ago. What is your mission?
Our slogan is « Security is not a privilege ». In short, our goal was to democratize security audits. For large companies, these have been the basis for developing appropriate security measures for years. We want to make this option affordable for small and medium-sized companies as well and ensure that their IT service providers can offer it as uncomplicatedly as possible.
Our Security Audit Platform makes it easier for IT service providers to measurably increase the security standard of small and medium-sized enterprises. We automate IT security checks, present challenges and recommendations in a comprehensible way, and support the implementation of measures and selection of suitable products.
What is the current cyberthreat situation, especially for small and medium-sized enterprises? Can you identify any recurring patterns in the threats?
In general, the trend over the last few years shows that many attackers and hackers are taking an automated approach and scanning the Internet very broadly for vulnerable systems and possible entry points. The threat situation is massively concentrated in the SME sector – a so-called « sweet spot » for cybercriminals. This is because large companies are now too well protected for such broad-based attack campaigns. While cybercriminals refine and expand their techniques on a daily basis, the security strategy often falls by the wayside for small and medium-sized companies due to a lack of time, and financial or human resources.
How exactly do you support SMEs and how can your software be used? What do you recommend to companies that do not have IT specialists to implement Lywand’s recommendations?
Lywand’s recommendations do not require any expert knowledge to understand them. As mentioned above, we have built a highly-scalable security audit platform and our target group – the IT service providers – can easily and very low-threshold integrate their customers into the multi-tenant interface and let us scan for vulnerabilities in a fully automated way. A big advantage is our subscription license for the service providers and their customers, because with this license the infrastructure of the customer is checked for vulnerabilities every week over a period of 12 or 36 months.
With conventional checks, which are often carried out at irregular, very long intervals, you only ever get a snapshot of the current security situation. The problem, however, is that the security situation can change from week to week, whether due to new vulnerabilities emerging every day or changes in the infrastructure.
After the scan, we harmonize, prioritize and categorize the vulnerabilities found and automatically suggest measures for improvement – divided into technical, organizational and product recommendations. Our partners have the option to click on the recommendations on several levels to view the explanations from non-technical to technical and then implement them. The implementation can be easily done via a renovation plan including a task list. During the next scan, we check whether the measures have taken effect and the security situation has been improved.
In general, we recommend that SMEs conclude a service contract with a service provider, or as in your case, also with the manufacturer – who then helps with the clean implementation.
Obviously many of the companies you analyzed use ownCloud. Be honest: Have you also discovered security vulnerabilities in ownCloud software?
We have been on the market for a year and have already scanned a not inconsiderable number of SMEs that also use ownCloud. To date, we have not found a security vulnerability in the ownCloud software. However, in many cases, we have found that the ownCloud software has not been configured properly and is therefore a potential target for many attackers.
Here, the responsibility lies with the user of the software to position the ownCloud correctly in terms of network technology and to set the security settings correctly according to the requirements and recommendations. We pointed this out in our 2021 Annual Report published a month ago, as this issue of « incorrect configuration of ownCloud » was among our top 5 vulnerabilities found.
If you are using the ownCloud Community version without support from ownCloud and would like to perform a check for security-related configurations and possible errors, you can contact us at any time at .