https://www.opexaadvisory.de/

Very committed, highly professional, always team-oriented, above average successful and extremely fast!

Josef Schriek, Wonder Automotive Europe

My TISAX audit went largely smoothly and was immediately successful; we can now prove information security and win new automotive customers. Gaps in the preparation or the audit were filled promptly and in high quality with templates and documents from the Smartkit and from an extensive pool of suitable templates, or these were appropriately adapted. I can only recommend the team around Klaus Höllerer, Klaus Kilvinger and Thomas Salvador.

Dr. Samir Kadunic, MAASU GmbH

I had the pleasure of working with Opexa Advisory; Thomas Salvador is a very sharp-minded and pleasant work-mate/consultant. He knows how to break down complex problems in a structured and comprehensible way. He was also a great help in political and personal questions. 5 stars for outstanding professionalism and integrity.

Roman Dietrich, Bavarian Motor Works AG

What our clients have to say

Emergencies can always occur; there is no such thing as complete security. But are you prepared? Do you have a "Plan B"?

In many other areas of life, preparing for and "practicing" emergencies is a normal part of the job. Mountain climbers practice falling in a safe environment and check the knots before climbing; the fire brigade rehearses its procedures and checks whether the pumps are running, the hoses are leak-proof and water is actually coming out of the hydrant; companies carry out fire drills. In general, the continuation of business operations despite adverse circumstances should be a matter for top management!

The examples are diverse, and in an emergency it doesn't matter whether hackers targeted the Funke Media Group, whether the companies Eberspächer and Marc O'Polo were paralyzed by a ransomware attack, or whether an attack hit a large company like Continental AG. The question is always what could have been done in preparation to prevent the incident or reduce its effects, and what needs to be done differently in the future.

In an emergency, everyone needs to know what to do in order to be able to act. Written emergency plans and realistic emergency exercises are essential so that problems can be addressed and damage minimized.

Emergency Management

Common Questions around InfoSec Consulting

We want to reduce our risk, but how?

Just contact us. After a first talk about your current status, we can give you an initial recommendation for the next steps or valuable tips for the upcoming decision-making processes.

Does our company really have any risks?

Every business today has cyber security risks; criminals look for easy targets regardless of company size. We analyze your risk exposure and particular situation and support you in finding a solution, step by step and tailored to you, according to our mantra: Democratizing Information Security!

Do you offer any other services?

We are not restricted in the measures we offer, but showing too many options can quickly confuse an interested party. Each measure requires careful evaluation of its efficiency and effectiveness against the problem, your risk and your budget. Contact us!

Which companies do you support?

Our customers are mainly small and medium-sized companies; we know the needs and limitations of their business models and adapt to them. We are just as industry-independent as information security itself!

Every company should enjoy a minimum level of security! We therefore support customers of different sizes and from all industries, and check their needs and topics against proven best practices and standards.

Based on these analyses, we recommend suitable standard security measures or develop tailor-made solutions for successful risk reduction, true to our mantra: Democratizing Information Security.

InfoSec Consulting

On Demand

The Digital Operational Resilience Act (DORA) is an EU regulation that improves the cybersecurity and operational resilience of the EU financial services sector. Its rules have applied since 17 January 2025 to traditional financial sector companies, FinTechs and the third-party ICT providers of financial institutions.

There are specific requirements for resilience testing, but also for the third-party ICT service providers that are used, whether for outsourcing, software or services.

Since critical service providers and their subcontractors must also be recorded in the register of information, at several levels of the supply chain, the financial sector faces real challenges. The topic of "testing" is also being significantly intensified, and improvements must be made here.

It is important to prepare in time; we will get you to the finish line!

DORA - Consulting: Operational Resilience for the Financial Industry

We think and act from the perspective of a potential attacker and carry out a comprehensive review of your externally accessible infrastructure (web servers, VPN gateways, mail servers, web applications, etc.) for security gaps and possible entry points. We also check whether any potentially stolen company records are circulating on the darknet. With the help of our scan you can identify security gaps and attack points and improve the security of your IT infrastructure with the right measures.

We carry out the analysis externally in a controlled process, and you receive a comprehensible, clear and targeted recommendation from us for eliminating the weak points.

We attach particular importance to the customer's situation: a deep and complex penetration test is not necessary everywhere. An automated vulnerability scan is often sufficient as a first step to get an overview and to derive further measures from that information. Keep in mind that a scan finds known, detectable weaknesses; only a manual penetration test confirms whether they are actually exploitable in your environment.

Depending on the industry, we also take its specific features into account, such as DORA in the financial sector: DORA requires regular testing, and service providers in the financial sector are affected as well. This must be implemented appropriately.

In short, we offer the right depth of testing for every use case and a transparent presentation of the results.

It couldn’t be easier!

Penetration Tests

Industry 4.0 solutions are based on the Internet of Things (IoT): dynamically networked objects increase the efficiency, flexibility and autonomy of systems and can raise the productivity of production lines.

However, broad and comprehensive networking also increases the risk of cyber attacks.

In production we also often face a special situation: a variety of systems, including very old machines whose controls run on Windows 2000 or even older versions for which updates or security patches are no longer available. How do we solve this?

By systematically implementing the relevant series of standards, you improve information security and can also demonstrate the cybersecurity measures in your systems. For unpatchable systems, the zone-and-conduit model of IEC 62443 is the key: such machines are isolated in their own zone, all traffic into and out of that zone passes through defined conduits, and compensating controls (network segmentation, allow-listing of connections, monitoring) stand in for the patches that no longer exist.

We help you with the systematic introduction of IEC 62443, taking into account your existing ISMS according to ISO 27001.

Industrial Security

The AI Regulation (EU AI Act) has been published in the Official Journal of the EU, is now binding and the clock is ticking! But what exactly do you have to do?

The regulation distinguishes four risk categories of AI systems: prohibited (unacceptable risk), high-risk (permitted only after a conformity assessment and subject to extensive obligations), limited risk (permitted with transparency and information obligations) and minimal risk (permitted without specific obligations). The category of each AI system must therefore first be determined and its risks identified and assessed, so that the necessary steps can be taken depending on the category and fines avoided where necessary.

There is still some time, as implementation is staggered. However, it must be clarified by 2 February 2025 what type of AI is being used, because from that date certain AI practices are prohibited!

Overall, a number of tasks await companies, as the regulation requires risk management, quality management and other activities from providers (developers) and deployers (users) and also affects the supply chain. We have a solution for this!

Our approach is based on integrated management systems. By integrating the requirements of the AI Regulation (EU) 2024/1689 and ISO/IEC 42001 into one integrated management system, companies not only meet the legal requirements but also optimize their internal processes and strengthen their competitiveness. This leads to greater efficiency, better regulatory compliance and a culture of continuous improvement. The AI Regulation was also created to promote innovation, and this can be presented positively on the market!

We bring the threads together and accompany you in implementing needs-based, goal-oriented and economical measures.

AI - EU regulation is binding: What needs to be considered?

The necessary information security measures are particularly demanding for small and micro-enterprises (SMEs) with fewer than 50 employees, especially if standards such as ISO/IEC 27001 or TISAX® are to be applied. Unfortunately, measures to improve security are often not taken in such relatively small companies, for various reasons (e.g. cost, time, capacity)!

Opexa offers a combination of services for this target group in order to provide quick, economical and pragmatic help. By applying the simplified DIN SPEC 27076:2023-05 to determine where you stand, a quick, cost-effective and simple diagnosis can be made, especially for these companies!

In addition, a vulnerability scan is carried out. Recommendations are then made on the basis of this scan and the DIN SPEC diagnosis, and an awareness measure is also included. As a result, security can be improved step by step and in a prioritized order.

We offer the above measures at a fixed price!

Promote security for small businesses!

The Whistleblower Protection Act (HinSchG) is here! It is designed to protect people who report abuses and, where appropriate, disclose confidential facts in order to prevent damage to companies or society. For example, criminal offences or violations subject to a fine can be reported where the protection of life, limb or health or the rights of employees or their representative bodies are affected.

It applies to all companies with 50 or more employees, but in stages. Organizations with at least 250 employees must implement the requirements of the HinSchG by July 2, 2023 at the latest; companies with 50-249 employees have a little longer, until December 17, 2023. Be careful: larger companies face fines, for example for breaches involving the disclosure of personal data, as early as July 2!

But what does the law require, and what do companies have to implement? What needs to be considered when setting up and operating internal reporting channels? What do employees need to know? How can a reporting channel also be used for information security? How can the service be provided externally? What does it cost?

There are many questions to answer. We can help you!

Whistleblowing Services

The healthcare industry has some homework to do, and not only because of Corona and shortages of medicines and nursing staff. In the area of "medical care", the digital transformation needs to be shaped, on the one hand for better use of data in research and for optimizing administration, and on the other simply for tight cost management.

The diverse and historically grown system landscape and the organizational environment in hospitals, combined with the cost pressure in the healthcare sector, pose a challenge for implementing a security standard that ensures data protection, confidentiality, integrity and availability.

The Industry-Specific Security Standard (B3S) for medical care, developed by industry experts on the basis of various standards (e.g. ISO/IEC 27001), provides a remedy. We help you implement the multitude of requirements efficiently and quickly.

B3S in the health sector

The networking of vehicles, with many new or active services (navigation, over-the-air updates, remote diagnostics, vehicle functions that can be added online "on demand", etc.), is progressing. Automobile manufacturers and their suppliers must engineer their vehicles according to the demanding ISO/SAE 21434 standard (Road vehicles - Cybersecurity engineering), which is the recognized basis for meeting the cybersecurity management system requirements of vehicle type approval (UN Regulation No. 155).

OEMs and suppliers alike face a challenge because the requirements are extensive, both internally and in the context of national and international approval regulations.

It is therefore important to introduce this standard as well and as quickly as possible.

We will help you!

ISO/SAE 21434 – Standard for Automotive Cyber Security

A one-off, complex pentest once a year may be sufficient to determine the status quo for a specific target and a defined environment. But what do you do if the next patch day brings new options for intruders? Do you repeat the pentest?

This is where we come in: we offer you continuous and direct access to a global community of experienced security experts and trustworthy "friendly" hackers. With this swarm intelligence, existing security gaps are discovered before cyber criminals find them.

In organized analyses by a large number of experts, each with their own methods and tools, the defined targets are continuously checked for vulnerabilities in a variety of ways: permanently, professionally and comprehensively. You decide on scope, duration and intensity! Our bug bounty program ensures safe and professional handling of reports as well as cost-effective implementation.

The variety of possible analyses will surprise you!

Bug Bounty Program

Insurance questions often arise during the life cycle of a contract. It is important to consider what is necessary before taking out cyber insurance, and to clarify what needs to be considered for renewals or extensions. In the event of a claim, communication with the insurer should be planned with great care. We do not sell insurance and are therefore neutral.

Before a policy is taken out, we analyze the risk expectations and the situation of the assets to be insured, clarify the required service components and their relevance, and carry out appropriate market research. On this basis we pre-select insurance offers and prepare a decision table for management. In this way we significantly support risk management and reduce uncertainty in the assessment.

In the event of a claim, we support the client in handling the matter and can also arrange legal assistance from specialist lawyers in our network.

Analyses and consultations in the course of these activities are based on ISO/IEC 27001, DIN SPEC 27076 and TISAX. In this way we help management to take measures based on recognized standards, to document them, to answer questions from D&O insurers and to avert personal liability risks for management.

We would be happy to have a free and non-binding initial consultation with you!

Cyber Insurance Diagnostic

Are you planning to use cloud solutions?

We examine your security situation with regard to cloud offerings and advise you on the selection or implementation strategy from an information security perspective. We draw on best practices (e.g. data encryption, key management) as well as recognized standards (e.g. NIST or the BSI's C5 criteria catalogue).

In addition to organizational questions (who controls the service, how do I organize it internally, tenant separation, backup strategies?), contract reviews play an important role, and data protection must not suffer either.

We also look at the often neglected question of the path "back" from the cloud (exit strategy), because your strategy can change, and legal issues or crises can quickly force a rethink.

Cloud Readiness Diagnosis

The "human firewall" is crucial to achieving an appropriate level of information security. It is therefore highly advisable to inform employees and thus noticeably sensitize them.

Your advantage: awareness-raising measures in this area have a good price-performance ratio compared with organizational or technical measures!

We analyze your situation and develop the right concept for you. We focus on pragmatic solutions with reasonable effort. You can choose between different measures tailored to the target groups, and during the preparation you are in direct contact with our experts to find out which motivational approaches will work best in your culture.

Raising awareness among employees

Developing current documentation "from scratch" or updating outdated documentation can be time-consuming.

We provide templates, samples, forms and guidelines from our standards-compliant document library (over 130 different documents) and, if necessary, adapt them to your situation in line with the standards.

This saves you a lot of time and lengthy discussions.

Document Library

Our expert speaks at your internal management event, in front of your employees or at customer-oriented events, sending a clear signal internally and externally about the importance of information security!

Our experts bring exciting and informative topics with them, along with practical examples and many years of experience from numerous projects, national and international congresses, specialist events and seminars.

A lively presentation is an interesting option for your company to convey the otherwise often dry material to employees in a transparent and personal way and to anchor risk awareness regarding information security even more firmly.

Speakers for your events
