Security Issue Employees – Awareness is a must


As shown in detail (and hopefully memorably) in the previous blog post, awareness can successfully defend against many attacks. To achieve this, companies need to develop an awareness strategy that motivates employees to recognize and ward off social engineering.

In this context, I recommend that anyone working in IT security, but also the management, read Kevin Mitnick’s book – The Art of Deception – ISBN 0-471-23712-4. Anyone who has the opportunity to attend one of his lectures should do so; it is worth it.

In 2004 I was fortunate enough to meet Kevin and his family in Athens at the ISMF conference and to attend his lecture. A really eye-opening lecture, because he clearly showed that social engineering combined with “hacking” is many times more effective than technical hacking without social engineering.

Because of this, awareness is “only” one part of the IT security strategy, but in my opinion one of the most important, alongside APT (Advanced Persistent Threat) defense and endpoint security (topics for a later blog article).

Has it never happened to you that you opened an email because suddenly there was an invoice in the inbox for things you never ordered, or a reminder? It is in our nature that we – startled – open such phishing emails. For me, the principle applies: “What cannot be, must not be!” Therefore, I have made it my policy to first click on the sender to see which real email address is behind it. For example: I am a Postbank customer and the displayed sender is Postbank, but the real email address behind it is something else, so I delete the mail immediately. People without awareness will – however – open this email without further examination, and since these mails look perfect these days, they also open the attachment, and bingo, the malware has struck.
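The sender check described above (display name versus the real address behind it) can also be automated for a mail gateway or a training tool. The following is an added example, not code from the original post; the brand-to-domain allowlist and all sample headers are constructed for illustration.

```python
import email.utils

# Constructed allowlist for illustration: the sending domains a brand named in
# the display name is expected to use. Assumed values, not a bank's real list.
EXPECTED_DOMAINS = {
    "postbank": {"postbank.de"},
}

def check_sender(from_header: str) -> dict:
    """Separate the display name from the real address in a From: header and
    flag two tricks: a brand in the display name whose real address is on an
    unrelated domain, and a display name that is itself an email address on a
    different domain than the real one."""
    display_name, address = email.utils.parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name_lc = display_name.lower()
    result = {"display_name": display_name, "address": address,
              "domain": domain, "suspicious": False, "reason": "consistent"}
    if not domain:
        result.update(suspicious=True, reason="no parseable sender address")
        return result
    # Trick 1: display name claims a known brand, real address is elsewhere.
    for brand, domains in EXPECTED_DOMAINS.items():
        if brand in name_lc and domain not in domains:
            result.update(suspicious=True,
                          reason=f"display name claims '{brand}' but real address is @{domain}")
            return result
    # Trick 2: display name looks like an address on another domain.
    if "@" in display_name:
        name_domain = display_name.rsplit("@", 1)[-1].lower().strip('"')
        if name_domain != domain:
            result.update(suspicious=True,
                          reason=f"display name shows @{name_domain} but real address is @{domain}")
    return result

# Constructed sample From: headers (not real mail).
SAMPLE_HEADERS = [
    "Postbank <service@postbank.de>",
    "Postbank Kundenservice <billing@mail-update.example>",
    '"service@postbank.de" <noreply@secure-login.example>',
    '"it-helpdesk@example.org" <bob@other.example>',
    "Alice <alice@example.org>",
]

def flag_suspicious(headers: list) -> list:
    """Return the real sender addresses of all headers that fail the check."""
    return [r["address"] for r in map(check_sender, headers) if r["suspicious"]]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = check_sender(h)
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok':10} {h!r}: {r['reason']}")
```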

In addition to phishing (the mass sending of mails with malware-infected attachments), which mainly hits private users, there is the much more dangerous spearphishing (targeted sending to specific people). While your company’s security mechanisms are likely to detect phishing mails because the signatures are usually already known (simply because of the frequency of occurrence over a period of time), spearphishing mails are targeted, and it can be assumed that the malware attachment is specific to the target person(s). The mail was built for this target and has not been seen before. Then your company’s security mechanisms will struggle to identify and eliminate it correctly. This increases the risk that the email gets through and is opened. Here, awareness is the last bastion.

But how do you create awareness in companies? The Awareness Program!

Of course, everything is a question of company size:

  • Small companies will certainly not establish a comprehensive Awareness program that every employee goes through continuously and that also warns employees about current / new dangers. Here, employee training will have to suffice, since the budget already sets limits.
  • Medium-sized companies will use external training service providers, who will come to the company periodically to carry out basic training for all employees, then train on special topics every few months and carry out basic training for new employees.
  • Big companies will set up their own Awareness Program team that will build the Awareness program, keep it up to date and bring it to employees in line with marketing principles.
  • Multinational companies will act just like large companies, but here language and cultural differences must be taken into account.


Basic requirements for an IT security awareness program

• 100% commitment of the CxO level and the management
• Multi-level program to constantly increase the maturity level
• Must be able to respond to current / new dangers in a timely manner
• Promote a point-system and incentives
• Provide a reporting office for security incidents, where it can also be reported anonymously
• Offer security advice – also for home use

What makes a good awareness program?

In my opinion, there are only 7 steps that characterize a good awareness program. It is very important that the private sphere of the employees is also addressed. Why? Certainly, there will be some employees to whom the company is far less important than their private protection. In order to reach these employees, it is important to include the private sphere, because what is practiced as security at home is likely to be practiced in the company as well. Here are the 7 steps in detail:


1. 100% CxO and Management Commitment
Before embarking on anything else, secure the strong support of the CxO level, which gives you more freedom, budget, and acceptance by other departments. It’s best to remove any hurdle here with reference to compliance, the new IT security and privacy laws, and the argument that an incident – not to mention a loss of reputation – can be far more expensive than the Awareness program.

2. Choose the Awareness program carefully
A hastily purchased awareness program will seldom meet your needs. A few PowerPoint slides and training videos are not enough to meet your goal. What you really need is:

  • A hotline for IT security messages and advice
  • Training on various topics that is as personal as possible, delivered by a speaker and staggered according to complexity.
  • These trainings must also relate to the departmental activities, as the human resources department differs significantly from the field service.
  • Be sure to put together a training program for the CxO level and the levels below it (the ones that travel a lot), as they may be compromised when traveling abroad.
  • An Awareness Information System, which informs employees about the nature of recent incidents and explains protective measures; remember to include the private sphere here too. But avoid high-tech information; everything must be understandable, because you are not addressing employees who are computer or IT security geeks.
  • Periodically issue a newsletter covering, e.g., the latest developments in IT security (in understandable words), previous successes and new courses.
  • Provide an Awareness intranet server where each employee can find all the information he or she has learned, or additional information that complements the Awareness Information System.
  • Design flyers, posters, coffee mugs, mousepads, screensavers or whatever employees see or use on a daily basis.


3. Include all departments, but also the employees

  • With 100% support from the CxO and management level (and that’s why the commitment is so important), you can better enforce and implement the need for the program at the departmental level.
  • Legal, compliance, human resources, marketing, privacy and physical security are all of the utmost importance for your Awareness Program, since their tasks and interests are affected. In other words: ask these departments to help determine whether the Awareness program is feasible, i.e. compliant with their policies. In any case, avoid letting decisions take too long.
  • It makes sense to involve the employees and to ask what they expect from the Awareness program and how they would shape it. Here you will probably experience positive surprises.


4. Test the success of the Awareness program

The awareness program must be measurable. Therefore, you should, for example, conduct internal (spear) phishing campaigns periodically, before a department has completed the training(s) and after. Such tests can be performed for any new topic a department has been trained on and give you a measurable indicator of success, because you have to account to the management for the budget and the success of the program.


5. Allow and direct instead of prohibition

Certainly there are things in dealing with data and IT that must be clearly forbidden. But instead of telling employees that they have to keep away from social networks, the acceptance of the awareness program is much higher if you instruct the staff how to deal safely (at home and in the office) with such information and services.
So do not be the prohibition department; be the helping hand instead.

6. Create incentives

A reward (point) system creates incentives for employees. This can be done, for example, in the context of the internal phishing campaign: the people who noticed the phishing mail and reported it are mentioned positively in the next newsletter. Award points for any voluntary training or workshop, give away prizes when points are scored, and mention these employees in the newsletter.

7. Use your marketing tools to look into the future

Employees hate nothing more than suddenly being confronted with a fait accompli in IT and IT security (system changes, new applications, new rules etc.). Use your marketing tools to make employees aware of future changes. Of course, you need the support of IT and IT security so that they disclose their plans to you early enough.

Of course, each of the points listed here can be broken down into numerous sub-points, but this is only an overview of how a successful awareness program could be structured. Just as companies are different, their awareness programs will also be different.
