2022 / Awareness

Raising awareness of IT security: Training employees and preparing them for potential threats

A firewall lets companies fend off attacks and, through logging, even trace individual requests. A lot of money is invested in IT security in order to seal off the company's own systems as well as possible and protect them from cybercriminals and their attacks. Digitization is also shifting company data further and further into the cloud, which requires passwords, keys and other means of identification.

But no matter how secure the IT systems in your company may be, there are always people who have access to them. In many areas, people are becoming a weak point and a potential security risk, especially, of course, if no security culture has been established and employees have not been sensitized to attacks.

This is exactly the topic of today's blog post, because raising your employees' awareness of IT security is an important and yet often greatly underestimated factor. Let's take a look at why that is and how you can do better.

People as a security risk in the company

As mentioned at the outset, people remain the greatest security risk in almost all companies, provided that all other IT security measures have been implemented with appropriate care. In the end, it is the employees who can always access sensitive areas or trigger actions that cause problems.

This is in no way about defaming employees or labeling them as culprits. Rather, employees have increasingly become the target of cybercriminals in recent years: they are deliberately listened to, observed or attacked. Companies and employees alike should know this in order to be prepared. Knowledge is the most effective way to prevent a security incident from originating in your own ranks.

This is precisely why it is so important to sensitize employees and prepare them for the fact that they could become the target of an attack at any time. They need to learn to question security-relevant instructions more often and to make sure who those instructions actually come from. More on that later.

Where security-critical information is leaked

These days, social media is part of everyday life, and that of course includes employees. Potentially dangerous information is disclosed continuously via social media, and contacting individuals there has become easier than ever before. Cybercriminals have long exploited this to gain access to a vulnerability, which in this case is the person themselves.

In addition, since the coronavirus pandemic, many small and midsize businesses have switched to working from home. What sounds great at first creates room for social engineering problems, for example through the mixing of work and private life, or through logins to protected areas that take place from private devices instead of the hardware that the company provides and secures.

At the same time, techniques such as CEO fraud and deepfakes have become an issue that cannot be neglected. We have already written detailed articles about both, because cybercriminals use these techniques increasingly for their attacks.

How a security culture can prevent attacks

A culture of security and awareness in this area comes into play whenever your employees are on their own. When working from home, for example, only an understanding of security and a security culture can ensure that employees log out correctly and that work software is not run on a private computer. Only if this is exemplified and aspired to within the company will everyone in the team internalize these aspects equally, so that we can speak of a security culture.

If the employees in your company are sensitized to the topic, social engineering becomes much more difficult for attackers, because anything outside the norm or that seems strange is openly questioned. Through the security culture, you give employees room to ask questions or to verify a request, instead of blindly executing everything the supposed boss tells them to do.

CEO fraud will not succeed if the CEO always has to verify his or her identity first and sets a good example by demanding the same from employees. Deepfakes are easier to see through if every employee learns in advance that such fakes exist and learns to react to the corresponding signs. But all this will only happen if the employees in your company live a security culture because they have been sensitized to exactly this.

Make employees appropriately aware of security

Finally, it is essential to understand that security is something that must first be learned. The security culture mentioned several times does not come about overnight. It comes from leading by example, from adherence to security policies in all areas, and from making clear again and again that each and every employee must actually live this culture of security.

With training, seminars and clear rules, it will develop over the years and then transfer automatically to new employees, because it becomes the norm in your company: employees exemplify it and internalize it. It is important to create understanding without unpleasant pressure or punishment. Generate motivation, not coercion.

Through live hacking, phishing simulations and penetration tests, we can find out for you where the vulnerabilities in your company lie. Let's find them and present them to your employees together, so that they internalize how they need to adjust their behavior in future to ensure greater security.

Chris Wojzechowski

My name is Chris Wojzechowski and a few years ago I completed my master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT risk manager and IT-Grundschutz practitioner (TÜV), and I hold the audit competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. Beyond that, we advocate a broad understanding of IT security in Europe and for this reason offer most of our products free of charge.