Interview: Why cybersecurity must always be a management issue
Cyber attacks on the German economy caused 223 billion euros in damage last year alone. For medium-sized companies, the question is no longer whether they will fall victim to cybercrime, but when, according to the industry association Bitkom. KUMAlive spoke to Andreas Pehnelt, Head of IT at KUMAVISION, about cloud myths, IT security and new freedoms for IT managers and their employees.

Where is the journey going with cloud solutions?
All notable business software providers have been pursuing software-as-a-service (SaaS) as a strategic goal for several years. Conversely, this also means that further developments of on-premises solutions are declining.
How does the declining support for on-premises solutions by manufacturers manifest itself?
The disadvantages are obvious: a smaller range of functions, longer innovation cycles, less favorable contract and support models or even complete discontinuations. In addition, new innovations are often developed exclusively with a focus on SaaS. For example, AI support with Microsoft Copilot is currently available to cloud customers only. Modern CRM solutions have long been available only as a cloud offering. This will become even clearer in the next one to two years, so I can already say today: In 2024, no one will be able to afford to rely on on-premises solutions.
Why are innovation cycles so important?
Companies today have to be agile and adaptable. Whether it's innovative business models, new regulatory requirements or a changed market environment - I can't solve the challenges of 2024 with a tool from 2014. And this is exactly the situation we often encounter in practice when companies work with a ten-year-old ERP system. SaaS solutions, on the other hand, are always up-to-date by design. Automatic updates that are carried out regularly in the background are a basic principle of this operator model. At KUMAVISION, we follow the innovation rhythm of our technology partner Microsoft. That means an update every month, with a major update in April and October and smaller updates in the other months.
So the applications are always up to date?
Exactly. On the one hand, this affects security, and on the other hand, the range of functions. For example, Microsoft Copilot receives new features practically every month. Another example is regulatory changes, such as the temporary reduction in VAT during the COVID pandemic. For SaaS customers, this was automatically adjusted in the ERP without the need for a separate project.
Why do companies hesitate over cloud migration?
I see the “German Angst” as the central criterion here, i.e. fear of new things, fear of change. Cloud means disruption in many areas. In addition, there are numerous widespread cloud myths that have absolutely nothing to do with reality. In discussions with other IT managers, I find that when management or IT managers have concerns about this, it applies to all IT areas and not just to the ERP system. In my opinion, the risks of the unknown are overestimated here and the risks and responsibility that come with operating an on-premises solution yourself are overlooked. I have been responsible for IT operations in various industries for many years now and have found that a local installation cannot achieve the level of security and high availability of a SaaS solution. Although I have always had great know-how carriers in my teams, the resources of the major SaaS providers, especially Microsoft, surpass them. In addition, with the first SaaS license, I benefit from comprehensive defense against cyber attacks.
Which cloud myths are you alluding to?
The widespread myths about cloud computing include the loss of control over data and infrastructure and the false belief that one can operate the business more securely, reliably and cheaply. The exact opposite is the case. The data centers for our public and private cloud solutions offer a level of reliability through redundant operation and redundant data storage that local installations rarely achieve. Infrastructure teams ensure that the operation of Business Central and other Microsoft Dynamics 365 applications is secure around the clock. Of course, only our customers have access to the data. The reality is also different when it comes to security. Here is a practical example: A study by the BSI (Federal Office for Information Security) assumes that 37 percent of locally operated Exchange servers are highly vulnerable to cyber attacks; realistically, more than half are likely to be affected. In the SaaS world, we have dedicated IT security teams that monitor potential attacks and immediately initiate countermeasures. Local IT cannot do that, as repeated contact with customers whose on-premises systems have become the target of an attack shows. In general, from an IT manager's point of view, I would speak more about gains than losses from the cloud.
Where does this gain show up?
Data management, data protection, compliance issues such as ISO or NIS2, shortage of skilled workers, time and innovation pressure, AI, cyberattacks, IT security... As Head of IT, I am practically constantly under pressure. The SaaS operator model takes a lot of this pressure off my team and me and gives us time and freedom for tasks that move the company forward.
Back to security: What does the cloud do differently?
Let's take ransomware attacks as an example, where local servers and databases are encrypted and high ransoms are demanded for the data. If a company is shut down for six weeks due to such an attack, this can very quickly have existential consequences. SaaS solutions make such attacks more difficult or, depending on the point of attack, make them impossible. This is an issue that definitely affects not only me as an IT manager, but especially the management. If the cloud offers my company effective protection against many cyberattacks, I have a completely different motivation for a cloud migration.
What security support does Microsoft provide?
With our technology partner Microsoft, we have a level of security in the SaaS world that local installations practically cannot achieve. A few basic data from the Microsoft Digital Defense Report 2023 make the drastic difference clear: Microsoft employs over 10,000 IT security experts worldwide who are on duty 24/7. Over 750 billion signals are processed every second using sophisticated data analysis and AI algorithms to understand and protect against digital threats and criminal cyber activities. Over 100,000 websites used for cyber attacks have been deactivated. There is also a very important point: attackers used to hack other people's IT systems; today they log in. With the Zero Trust architecture and the multiple-secure identity and access management Entra ID, Microsoft offers a holistic protection concept that covers the entire Microsoft technology platform.
Where else can the cloud provide support?
SaaS makes it possible to combine conflicting requirements under one optimal security concept. On the one hand, we want the highest level of security and protection against constantly changing threats. On the other hand, we want solutions that are as simple as possible to increase employee productivity and a modern, digitalized workplace. A company can increase its attractiveness as an employer with offers such as mobile working, current IT applications, automated process landscapes, innovative AI assistants or "Bring your own device" (BYOD). These are all topics that also affect management. The challenge in a cloud migration is to develop a basis for decision-making that presents such benefits for management as business outcomes and does not get lost in technological details.
Your recommendation in conclusion?
The worst strategy is to have no cloud strategy. Anyone who wants to introduce a new ERP system or other business software today can no longer afford to decide against a SaaS project. A cloud strategy can also mean switching, as an interim solution, to a private cloud such as our KUMA365 offering. It is crucial that the cloud strategy is evaluated regularly, with not only IT but also management involved. Ultimately, it is not primarily about costs or products, but about added value, security and solutions for the entire company.
Thank you for the interview.