questions
## What are the biggest threats to your business/company?
### Phishing
My biggest concern is phishing, i.e. being tricked into giving away sensitive
information. As a foreigner, I am an easier target:
- I don't speak German well enough to detect "weird" patterns in the documents
I read that would normally make me suspicious.
- I don't have a sense of what pieces of information are sensitive, and who I
can safely share them with. For instance, can I freely share the company VAT
ID, tax ID or registration number? What could an attacker do with these
pieces of information?
- I am not familiar with the various administrative procedures a company has to
go through.
Some factors have nothing to do with being a foreigner:
- There is a wide variety of official (Finanzamt, Amtsgericht, Chamber of
commerce) and non-official institutions (banks, accountants, insurances) we
have to interact with, each with their own websites, communication
channels and security procedures
- There is no straightforward way to identify an "official" email address or
website. For instance https://www.transparenzregister.de seems to belong to
the federal government, but the domain name doesn't really reflect that. It
would be easy enough for an attacker to create a bunch of clones of the
website under similar looking domain names, e.g.
https://www.transparensregister.de
Some ideas to reduce the risks of phishing (disclaimer, I have zero background
in cyber-security so some of them may well be terrible ones):
- Have a reserved domain name for all official institutions. For instance, in
France most (all?) official websites have the .gouv.fr domain name. This is
very easy to check for anyone, and cannot easily be spoofed.
- Have a unique authentication scheme for all official procedures. I'm not sure
how it works for companies, but for individuals, we have France Connect in
France.
- Favor secure channels that require authentication for communication with
official institutions rather than relying on mail or emails. It is too easy
to forge a letter or an email.
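A small check for the look-alike domain problem described above (a clone registered under a name one character away from the real one, or the real name buried as a sub-label of another domain), together with the "reserved suffix" idea. This is an added example, not code from the gist; the allowlist of known domains, the reserved suffix and the sample URLs are all constructed for illustration.

```python
"""Flag URLs whose domain merely resembles a known official one.

Added example (not part of the original gist). The allowlist, the reserved
suffix and the confusable table are constructed assumptions for illustration.
"""
from urllib.parse import urlparse

# Constructed allowlist: domains verified out-of-band (e.g. from a paper letter).
KNOWN_OFFICIAL = {"transparenzregister.de", "elster.de"}
# Constructed: a suffix treated as reserved for government sites, as .gouv.fr is in France.
RESERVED_SUFFIXES = (".gouv.fr",)
# Characters commonly swapped in for look-alikes; folded before comparing.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Lower-cased host of a URL; a bare domain without a scheme is accepted too."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels. Adequate for .de/.fr; a real tool would use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold_confusables(s: str) -> str:
    """Map look-alike characters to the letter they imitate."""
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'known', 'reserved-suffix', 'lookalike-of:<domain>' or 'unknown'."""
    host = hostname(url)
    dom = registrable_domain(host)
    if dom in KNOWN_OFFICIAL:
        return "known"
    if any(host.endswith(suffix) for suffix in RESERVED_SUFFIXES):
        return "reserved-suffix"
    for known in KNOWN_OFFICIAL:
        name = known.split(".")[0]
        # e.g. transparenzregister.de.example.com: the real name used as a sub-label
        if name in host.split("."):
            return f"lookalike-of:{known}"
        # one or two substitutions/deletions, or digit-for-letter swaps
        if edit_distance(fold_confusables(dom), known) <= 2:
            return f"lookalike-of:{known}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in [
        "https://www.transparenzregister.de/",
        "https://www.transparensregister.de/",
        "https://transparenzregister.de.example.com/login",
        "https://impots.gouv.fr/",
        "https://example.com/",
    ]:
        print(f"{sample:55} -> {classify(sample)}")
```

The allowlist approach only works because the known domains were confirmed through some channel other than the email or letter that contains the link; the distance threshold of 2 is a judgement call and will miss longer rewrites such as an added prefix.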
### Lax security measures from private stakeholders
We partnered with a company for payroll that doesn't provide two-factor
authentication, and doesn't enforce any constraint on its clients' passwords.
This shows how little care is given to security.
I wish private companies handling sensitive information were forced to
implement basic security measures such as two-factor authentication.
### Identity theft
We have been victims of several attempts at identity theft. These attempts were
pretty basic and clearly made by amateurs.
## What would you like the government to do more or less in that area?
Again, I am not a security person. Some of these ideas may be terrible ones, or
may not be legally or technically possible to implement.
- Have a unique domain name for all administrative procedures, whether it is
for companies or individuals. Communicate a lot about it.
- Implement a unique government-backed authentication procedure for all
administrative procedures, whether it is for companies or individuals.
- Force private companies handling sensitive information to delegate
authentication to said government-backed authentication procedure via OAuth.
- Reduce use of mail and emails, favor communication via secure channels.
- Make official websites available in other languages.