Very committed, highly professional, always team-oriented, above-average successful and extremely fast!

Josef Schriek, Wonder Automotive Europe

My TISAX® audit went largely smoothly and was successful right from the start. We can now demonstrate information security and win new automotive customers. Gaps in the preparation or testing were filled promptly and in high quality, or modified accordingly using templates and documents from the Smartkit and from an extensive pool of suitable templates. I can only recommend the team around Klaus Höllerer, Klaus Kilvinger and Thomas Salvador.

Dr. Samir Kadunic, MAASU GmbH

I had the pleasure of working with Opexa Advisory; Thomas Salvador is a very astute and pleasant colleague/advisor. He knows how to break down complex problems in a structured and understandable way. He was also a great help on political and personal issues. 5 stars for outstanding professionalism and integrity.

Roman Dietrich, Bayerische Motoren Werke AG

What our customers say

Emergencies can always occur; there is no such thing as complete security. But are you prepared? Do you have a "Plan B"?

In many other areas of life, preparing for and "practicing" emergencies is a normal part of the job. Mountain climbers practice falling in a safe environment and check the knots before climbing; the fire brigade practices its procedures and checks whether the pumps are running, the hoses are leak-proof and water is actually coming out of the hydrant; and companies carry out fire drills. In general, the continuation of business operations despite adverse circumstances should be a matter for top management!

The examples are diverse: hackers targeted the Funke Media Group, the companies Eberspächer and Marc O'Polo were incapacitated by ransomware attacks, and an attack hit a large company like Continental AG. In each case the same question is asked afterwards: what could have been done in preparation to prevent the incident or reduce its effects, and what needs to be done differently in the future?

In the event of an emergency, everyone should have the necessary knowledge of what to do in order to be able to act. The creation of emergency plans and real emergency exercises are essential so that problems can be addressed and damage minimized.

Emergency management

Frequently asked questions about InfoSec consulting

We want to reduce our risk, but how?

Simply contact us. After an initial discussion about your status, we can give you an initial recommendation for the next steps or valuable advice for the upcoming decision-making processes.

Does our company really have risks?

Every company today has cyber security risks; criminals look for easy targets, regardless of a company's size. We analyze your risk exposure and specific situation and support you in addressing them in a step-by-step and customized approach according to our mantra: Democratizing Information Security!

Do you offer any other services?

We are not limited in the measures we can take, but showing too many options can quickly confuse the interested party. Each measure requires careful testing for efficiency and effectiveness in relation to the problem, your risk and your budget. Talk to us!

Which companies do you support?

Our customers are mainly small and medium-sized companies; we know the needs and limitations of their business model and adapt to their requirements. We are as industry-independent as information security itself!

Every company should enjoy a minimum level of security! That's why we support our customers of all sizes and across all industries, checking their needs and issues based on internationally proven best practices and always on the basis of norms and standards.

Based on dedicated analyses, we recommend suitable standard protective measures or develop tailor-made solutions for successful risk minimization.

In doing so, we are pursuing our mission: Democratizing Information Security.

InfoSec consulting

Needs-based

The Digital Operational Resilience Act (DORA) is a regulation currently in the EU legislative process to improve cybersecurity and operational resilience of the EU financial services sector. Once the law comes into force, the rules will apply to traditional financial sector companies, FinTechs and third-party ICT providers of financial institutions.

There are specific requirements for resilience testing, but also for the third-party ICT service providers that are used, be it outsourcing or software or services.

Since critical service providers and their subcontractors must also be recorded for the information register at several levels, the financial sector is facing challenges. And the topic of "testing" is being significantly intensified, and improvements must be made here.

It is important to prepare in time; we will get you to the finish line!

DORA - Consulting: Operational Resilience for the Financial Industry

A single, elaborate pentest once a year may be enough to establish the status quo with respect to a specific target and a defined environment. But what do you do when the next "Patchday" once again hands intruders new options? Do you then repeat the pentest?

This is where we come in: we offer you continuous and direct access to a worldwide community of experienced security experts and trusted "friendly" hackers. With our swarm intelligence, we discover existing security gaps before cybercriminals do.

In organized analyses by a large number of experts, each with their own methods and tools, the defined targets are continuously checked for vulnerabilities in many different ways: permanently, professionally and comprehensively. You decide on the scope, duration and intensity! Our bug bounty program ensures safe and professional handling as well as economical implementation.

The variety of possible analyses will surprise you!

Bug Bounty Program

The “human firewall” is crucial to achieving an appropriate level of information security. It is therefore highly recommended to inform employees and thus sensitize them noticeably.

Your advantage: All awareness-raising measures in this area have a good price-performance ratio compared to organizational or technical measures!

We analyze your situation and develop the right concept for you. We focus on pragmatic solutions with reasonable effort. You can choose between different measures that are tailored to the target groups. And during the preparation, you are in direct contact with our experts to find out which of the motivation options will be most useful in your culture.

Raising awareness among employees

We think and act from the perspective of a potential attacker and carry out a comprehensive check of the externally accessible infrastructure (web servers, VPN gateways, mail servers, web applications, etc.) for security gaps and possible entry points. We also check whether there are any potentially stolen company records circulating on the darknet. With the help of our scan, you can identify security gaps and attack points and easily improve the security of your IT infrastructure with the right measures.

We carry out the analysis externally in a controlled process and you will receive a comprehensible, clear and targeted recommendation from us for eliminating weak points.

We particularly attach importance to taking the customer's situation into account; a deep and complex penetration test is not necessary everywhere; an automated vulnerability scan is often sufficient as a first step in order to get an overview and to take further measures based on this information.

And depending on the industry, we take into account its specific features, such as DORA in the financial sector. DORA now requires more frequent audits, and service providers in the financial sector are also affected. This must be implemented appropriately.

In short, we offer the right depth of testing for every use case and a transparent presentation of the results.

It couldn’t be easier!

Penetration tests

Industry 4.0 solutions are based on the Internet of Things (IoT); the dynamically connected objects increase the efficiency, flexibility and autonomy of the systems and can raise the productivity of production lines.

However, the broad and comprehensive networking also increases the risk of cyberattacks.

In production, however, we often face the special situation that a wide variety of systems are present, including very old machines with controllers based on Windows 2000 or Windows 96, for which no updates or security patches can be obtained any more. How do we solve this?

By systematically implementing the relevant series of standards, you improve information security and also demonstrate cybersecurity measures in your systems.

We help you with the systematic introduction of IEC 62443, taking into account your existing ISMS according to ISO 27001.

Industrial Security

The AI Regulation has been published in the Official Journal of the EU, is therefore now binding, and the clock is ticking! But what specifically needs to be done?

According to the regulation, there are 4 categories of AI: prohibited, permitted, permitted subject to information obligations, or high-risk applications that must be approved. These categories must first be determined, and the risks identified, assessed and assigned, in order to take the steps required for each category and, where applicable, avoid fines.

There is still some time; implementation can be staggered. By February 2, however, it must be clarified what kind of AI is in use, because from then on some AI applications are prohibited!

Overall, a number of tasks await companies, because the regulation demands risk management, quality management and further activities from developers as well as users, and it also has an effect along the supply chain. We have a solution for this!

Our approach is based on integrated management systems. Integrating the requirements of AI Regulation 2024/1689 and ISO 42001 into an integrated management system ensures that companies not only meet the legal requirements but also optimize their internal processes and strengthen their competitiveness. This leads to higher efficiency, better regulatory compliance and a culture of continuous improvement. The AI Regulation was, after all, also created to promote innovation, and this can be presented positively on the market!

We bring the threads together, help you and accompany you in implementing needs-based, goal-oriented and economical measures.

AI - EU regulation is binding: What needs to be considered?

The necessary information security measures are particularly complex for small and micro-enterprises (SMEs) with fewer than 50 employees, especially if demanding standards such as ISO/IEC 27001 or TISAX® are to be applied. However, it is precisely in such relatively small companies that measures to improve security are unfortunately often not taken for various reasons (e.g. costs, time, capacity)!

Opexa offers a combination of different services for the target group of SMEs in order to provide quick, economical and pragmatic help. By applying the simplified DIN SPEC 27076:2023-05 to assess the current status, a quick, cost-effective and simple diagnosis can be made, especially for these companies!

In addition, a vulnerability scan is carried out. Recommendations are made on the basis of this and the diagnosis in accordance with DIN SPEC. An awareness measure is also integrated. As a result, improved security can be implemented step by step and in a prioritized manner.

We offer the above measures at a fixed price!

Promote security for small businesses!

The Whistleblower Protection Act is here! It is designed to protect people who denounce abuses and, where appropriate, publish secret facts in order to prevent damage to companies or society. For example, violations of criminal law can be reported, as can violations subject to a fine where the protection of life, limb or health or the protection of the rights of employees or their representative bodies is affected.

It applies to all companies with 50 or more employees, but in stages. Organizations with at least 250 employees must implement the requirements of the HinSchG by July 2, 2023 at the latest. Companies with 50-249 employees have a little longer, until December 17, 2023. Be careful: larger companies face fines, for example for incidents involving the publication of personal data, as early as July 2!

But what does the law require, what do companies have to implement? What needs to be taken into account when setting up and operating internal reporting channels? What do employees need to know? How can a reporting channel be used for information security? How can the service be provided externally? What are the costs?

There are many questions that need to be answered. We can help you!

Whistleblowing Services

The healthcare sector has some homework to do, and not only because of Corona and shortages of medicines and nursing staff. In the area of "medical care", the transformation brought by digitalization has to be shaped, on the one hand for the purpose of better use of data for research and the optimization of administration, or simply for tight cost management.

The diverse, historically grown system landscape and the organizational environment in hospitals, combined with the cost pressure in healthcare, make it a challenge to implement a security standard that safeguards data protection and the confidentiality, integrity and availability of data.

The industry-specific security standard (B3S) for medical care, developed on this basis by experts from the sector using various standards (e.g. ISO/IEC 27001), provides a remedy. We help you to implement the large number of requirements efficiently and quickly.

B3S in the health sector

The networking of vehicles in the context of the use of multiple active or new services (navigation, over-the-air updates, remote diagnostics, vehicle functions that can be added online "on demand", etc.) is progressing; in the future, automobile manufacturers and their suppliers will have to approve their vehicles based on the demanding ISO/SAE 21434 (Road Vehicle - Cybersecurity Engineering) standard.

OEMs and suppliers alike face a challenge because the requirements are extensive, both internally and in the context of national and international approval regulations.

It is therefore important to introduce this standard as well and as quickly as possible.

We will help you!

ISO/SAE 21434 – Standard for Automotive Cyber Security

Insurance questions often arise during the life cycle of a contract. It is important to consider what is necessary before taking out cyber insurance. It is also important to clarify what needs to be considered in the event of renewals or extensions. And in the event of a claim, communication with the insurer should be planned with great care. We do not sell insurance and are therefore neutral.

Before taking out an insurance policy, we carry out an analysis of the risk expectations and situation of the values to be insured, clarify the required service components and their relevance, and carry out appropriate market research. On this basis, we select insurance offers as part of a pre-selection and define a decision table for management. In this way, we significantly support risk management and reduce uncertainty in the assessment.

And in the event of damage, we support the client in dealing with the situation, but also provide legal assistance from specialist lawyers from our network.

Analyses and consultations in the course of the above-mentioned activities are carried out on the basis of the ISO/IEC 27001, DIN SPEC 27076 and TISAX standards. In this way, we help management to take measures based on recognized standards, to prove them and to answer questions from D&O insurance companies or to avert personal liability risks for management.

We would be happy to have a free and non-binding initial consultation with you!

Cyber Insurance Diagnostic

Are you planning to use cloud solutions?

We examine your security situation with regard to cloud offerings and advise you on the selection or implementation strategy with regard to information security. In doing so, we use best practices (e.g. data encryption, key management) as well as recognized standards (e.g. NIST or C5 requirements of the BSI).

In addition to questions about organization (who controls the service or how do I organize it internally? Client separation? Backup strategies?), contract reviews play an important role, and data protection must not suffer either.

In addition, we take a holistic look at the relevant questions about the path "back" from the cloud, because your strategy can change, and legal issues or crises can quickly force you to rethink.

Cloud readiness diagnosis

The individual development of current documentation "from scratch" or updating of outdated documentation can be time-consuming.

We provide templates, samples, forms and guidelines based on our standard-compliant document library (over 130 different documents) and, if necessary, adapt them to your situation in accordance with the standards.

This will save you a lot of time and lengthy discussions.

Document library

Our expert will speak at your internal management event, in front of your employees or at customer-oriented events, thereby sending a clear signal internally and externally about the importance of information security!

Our experts bring exciting and informative topics with them, bringing practical examples and many years of experience from numerous projects, national and international congresses, specialist events and seminars.

The lively presentation represents an interesting option for your company to convey the otherwise often dry material to employees in a transparent and personal way and to anchor the risk awareness regarding information security even more firmly.

Spokesperson for your organization