The human vulnerability – the importance of security awareness for the company

IT Security | 27 November 2021 | 9 min

The user as the biggest risk

In our last blog post, we highlighted the importance of technically securing IT systems in companies. An equally important component that is often underestimated by companies is the human factor. IT security is only as good as the people who operate the systems. Even the best technology is useless if users are not aware of the dangers and act in a security-conscious manner. IBM’s Cyber Security Intelligence Index shows that more than 90% of all security incidents are due to human error. In order to minimize the risk posed by employees, it is important to create security awareness within the company.

What is security awareness?

Security awareness refers to employees being conscious of security risks. It should be brought about with appropriate training measures (security awareness training) that provide information on topics such as data protection and data and information security. This can take the form of face-to-face teaching in classrooms or meeting rooms as well as online training. Employees must learn how to deal with the dangers of today’s globally networked world. They are provided with the necessary know-how, which is ideally aligned with the company’s guidelines and processes as well as the requirements of the respective department.

Why is security awareness so important?

The IT world is evolving not only in terms of opportunities, but also in terms of threats to companies. Hackers are developing increasingly difficult-to-detect malware and finding new ways to gain access to company data and blackmail victims. Often it is not malware such as a virus that helps attackers to penetrate the company, but so-called social engineering. A popular form of social engineering is phishing, which attempts to manipulate users by impersonating a superior, a trustworthy tradesman, a bank employee or the fire department via email. The perpetrators try to gain trust and thus obtain sensitive data. While spam filters can filter out some of the emails, they are powerless against targeted threats. It is therefore important to strengthen the company’s “human firewall” as much as possible.

The effort put into social engineering attacks is sometimes enormous: company structures are spied on, sales figures are analyzed, and so on. Once the blackmail sum has been determined, a targeted, manual attack is usually carried out on one person. In the worst case, this person has a privileged (admin) account and also has access to data backups.

Risk factors emanating from employees

Incorrect handling of fraudulent e-mails

A major risk factor is the incorrect handling of fraudulent emails, which often results from employees’ ignorance or fear of missing something. Spam filters can filter out many, but not all such emails. Users who rely solely on the technical security features inadvertently click on links in seemingly legitimate or well-known emails, opening the door to malware. In the worst case scenario, such emails are then forwarded within the company in order to exchange information. In a large number of cases, a threat occurs simultaneously for several users. This automatically increases the probability that the attacker can hijack an account with elevated rights.

Simple, outdated or unsecured passwords

Passwords, which are supposed to provide security, are in fact also enormous risk factors. This starts with passwords that are too simple (e.g. 12345), which is why the company should develop password guidelines (minimum number of characters, upper and lower case, special characters, etc.). But even a strong password offers cyber criminals points of attack if it is used over a long period of time or in several places. Put simply, a single layer of protection is not enough for an asset as important as company data. Two-factor authentication is a good way to improve security. It has been commonplace in many companies for years and is increasingly found on social networks, yet some companies still do not have such protection. Here, the identity of the user is checked by two different and independent factors when logging in. It works much like in action movies, where a “top secret door” can only be opened with a magnetic card, access code, eye and fingerprint scan, etc. When logging in, not only is the user’s password requested, but a unique, dynamically generated one-time password is also sent to a second, independent component (SMS, e-mail, authentication app, etc.). The login is completed when this code is entered on the first component. This is also referred to as multi-factor authentication, namely with the factors knowledge (password) and possession (app on smartphone).

Private end devices in the company network

External end devices brought in by employees can also pose a threat as they fall outside the company’s IT management. For example, the employee’s private device may already be infected with malware and read login information when logging into the company network and then leak, falsify or delete important data, passwords, etc. Outdated operating systems (missed updates or inconsistent system statuses in contrast to the company’s end devices) and apps in use offer further potential for intrusion. The authorizations requested by the apps could, for example, access confidential data (such as contact data or address books). It is therefore also advisable to create security awareness and define a policy for this. The employee’s privacy should of course be protected, but there should also be transparency in order to secure the company. However, these guidelines must not only be recorded and displayed, but also enforced and compliance monitored. A BYOD (bring your own device) strategy that is not fully thought through and structured can weaken the IT security of the entire company.

Carefree internet use

Insecure or misleading websites, unintentional downloads and many other gateways for Trojans, worms and the like – the internet harbors a number of dangers. And it doesn’t matter whether it’s for business or private use. It is therefore important to sensitize employees to potential risk factors and create security awareness.

Covering up cyber attacks

Companies should teach their employees that fibbing or covering up does not help at all, but actually makes the effects of a cyber incident even worse. It is not uncommon for employees who are at fault for such an incident to try to shift the blame or cover up the dilemma – this is fatal! It only makes things worse, as the malware can spread in the meantime. The sooner the malware can be dealt with, the better – this must be made clear to employees, because the cyberattack will be noticed anyway.

The security awareness training courses mentioned above cover precisely this topic:
– which people need to be informed,
– which processes need to be set in motion,
– which procedures must be followed,
when incidents occur that are relevant to the organization’s IT security.
The training courses must be refreshed again and again and, in companies with a high staff turnover, must be carried out at regular intervals. Ideally, such security awareness training takes place on an ongoing basis via an awareness platform. There are numerous providers (e.g. KnowBe4) that compile training material in different languages and address current threats and behaviors. Employees are usually invited automatically, the e-learning courses are then completed, and participation is logged on an ongoing basis. There are also attack simulations, which not only train employees in specific situations but also give an overview of the users’ level of knowledge so that additional training can be provided where necessary.

Security awareness in the company: Training for employees

With security awareness training, it is important not to confront employees with IT gobbledygook. You have to pick them up at their current level of knowledge and explain things in an understandable way. Not everyone has the same prior knowledge: some people deal with IT topics in their free time or are naturally tech-savvy, while others have nothing to do with it at all. This is precisely why it is all the more important not to hold one-size-fits-all “IT lessons”, so as not to over- or underchallenge employees. Practical, tangible examples (such as real phishing emails that have arrived at the company) train users to recognize such threats themselves in the future. This gives them an understanding of the threats a company is exposed to and the consequences it could suffer from an attack. Fun elements (such as a quiz) can also be incorporated to spur employees on and lighten things up a little. Additional motivation can be provided by certificates that employees receive when they pass security awareness training. Employees must also be made aware that they can contact experts (IT department or manager, IT service provider) if they receive suspicious emails. Users should not feel left alone, but should know how and to whom they can turn in the event of questionable emails, payment requests, etc., and that this is not an effort, but a relief for the company. To test employees, phishing simulations can be carried out via the aforementioned awareness platform; if they fall for the simulation, they are redirected to learning websites when they click on the link. Another measure could be the introduction of a phishing button that employees can use to report suspicious emails.

Employees are not just a danger

In this blog post, we have painted a very bleak picture of what can happen if users do not know how to deal with the dangers and challenges of the digital world, but it also works the other way round. Employees do not always have to be risk factors. Well-informed and trained employees who are aware of the dangers and have skills in this area can make an important contribution to corporate security.

Be at least as well positioned as the attackers

Companies are exposed to a number of threats these days. And as harsh as it may sound, organizations must be at least as well positioned as their attackers and keep pace with their development. This means that all components that can contribute to IT security must be taken into account and continuously optimized. However, it is not enough to focus solely on a stable and secure IT infrastructure. Contrary to what many might think, human know-how in IT security can be at least as valuable as technical capabilities. In specialist circles, this is referred to as the “human firewall”.
