The importance and implementation of IT security awareness measures in the company
Hackers, cybercriminals and fraudsters can attack companies over the Internet in a variety of ways in order to spy on them, steal money or cause irreparable damage to the victim's systems. Employees are the first (and in some cases the last) line of defense against cyber threats. To strengthen this defense, colleagues need to keep cybersecurity in mind at all times so that they are not led astray in their day-to-day work. This blog post explains how that works best.
Many roads lead to Rome
Hackers have a variety of methods for penetrating a computer system. Some of these methods require the unwitting assistance of their victims, others merely require negligence on the part of the user. The techniques listed here are among the most common practices used by attackers:
- Phishing: The classic attack method continues to enjoy great popularity and regularly tops the statistics of the most common attack strategies. The trick is simple: the unsuspecting victim is sent an email with an enticing offer ("Win this iPad Pro now!"), an intriguing message (Word document "Employee payroll" attached) or a threat of dire consequences if they fail to act ("Please log in using the following link or your account will be deleted"). The victim clicks on a link to a malicious website, opens a malicious attachment or unknowingly hands their username and/or password (so-called credentials) to the attackers.
- Smishing: Phishing's little brother. Do you also receive daily text messages from DHL, DPD, UPS and Hermes in December telling you that your parcel is on its way and that you can track it using the link in the text message? But you haven't ordered any Christmas presents yet? Then this was probably a smishing attempt (SMS phishing). The principle is the same as with phishing; the only difference is the delivery to mobile devices.
- Vishing: Voice phishing is the third of the so-called social engineering techniques listed here. This method demands far greater social skills from the attacker, who calls the victims directly, tells them a made-up story and thereby steals their passwords or persuades the unsuspecting users to install malware on their own devices (usually disguised as support software).
- Credential stuffing and brute force: Do you use the same password for several accounts? Then you run the risk of becoming a victim of credential stuffing. Attackers use credentials that become public in data breaches in an attempt to gain access to other accounts. Slightly less sophisticated are "brute force" attacks. Here, the most common passwords are automatically tested one after the other in the hope that the victim will use an easy-to-guess password.
- Security vulnerabilities: Attackers can also achieve a lot here. Security gaps that are not closed by updates can, if they are critical enough, allow intrusion into the systems. The risk increases especially in situations where individual users are responsible for installing updates (for example, where there is no centralized patch management), because here the principle applies that a chain is only as strong as its weakest link.
Strengthening your defenses - knowledge is power
The effectiveness of all these attack techniques can be reduced by vigilant and educated users. Regular training and testing keeps awareness of IT security in the company high and can prevent the worst from happening in an emergency. Exercises can be carried out for all phases of an IT security incident, be it prevention, response or follow-up.
In terms of prevention, colleagues should be trained on social engineering attacks in particular. Awareness training, such as workshops and presentations, is a cornerstone of this, but videos followed by a quiz or interactive tests can also be used. Tests should then be carried out a few weeks later: phishing/smishing messages of varying difficulty can be sent to the workforce, either by the in-house IT security department or by an external service provider commissioned for the purpose. For vishing in particular, i.e. test phone calls, an external company should carry out the tests so that employees do not recognize the callers' voices.
Strict password guidelines and the enforcement of multi-factor authentication help to prevent brute force and credential stuffing. As these measures create thresholds and barriers in users' day-to-day IT operations ("Do I really have to open the Authenticator app every time?"), the measures should be accompanied by communication on the purpose of the steps.
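The distinction drawn above between brute force (many passwords against one account) and credential stuffing (leaked username/password pairs replayed across many accounts) is also visible in authentication logs. The following detector is an added example and not part of the original post; the log format, the sample lines and the threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<time> <source_ip> <user> <result>"
SAMPLE_LOG = """\
09:00:01 203.0.113.5 alice FAIL
09:00:02 203.0.113.5 alice FAIL
09:00:03 203.0.113.5 alice FAIL
09:00:04 203.0.113.5 alice FAIL
09:01:10 198.51.100.7 bob FAIL
09:01:11 198.51.100.7 carol FAIL
09:01:12 198.51.100.7 dave FAIL
09:01:13 198.51.100.7 erin FAIL
09:01:14 198.51.100.7 grace OK
09:02:00 192.0.2.9 heidi FAIL
"""

FAIL_THRESHOLD = 4  # assumed: failed logins per source before we flag it

def parse_log(text):
    """Yield (source_ip, user, result) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def classify_sources(text, threshold=FAIL_THRESHOLD):
    """Label each source with >= threshold failures as brute-force (all
    failures on one account), credential-stuffing (<= 2 tries each, spread
    across many accounts, i.e. leaked pairs replayed) or mixed."""
    fails = defaultdict(lambda: defaultdict(int))
    succeeded = defaultdict(set)
    for src, user, result in parse_log(text):
        if result == "FAIL":
            fails[src][user] += 1
        else:
            succeeded[src].add(user)
    labels = {}
    for src, per_user in fails.items():
        if sum(per_user.values()) < threshold:
            continue  # below the noise floor, not flagged
        if len(per_user) == 1:
            label = "brute-force"
        elif max(per_user.values()) <= 2:
            label = "credential-stuffing"
        else:
            label = "mixed"
        if succeeded[src]:  # a success after stuffing means those accounts need review
            label += "; success for " + ",".join(sorted(succeeded[src]))
        labels[src] = label
    return labels
```

A flagged source that also produced a successful login is the case a password reuse victim cannot protect themselves against alone, which is where the multi-factor authentication mentioned above earns its keep.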
The response to cyberattacks can also be trained. This starts with a solid IT security incident management process that is coordinated with all parties involved (IT security, CIO, legal, press office, etc.). This process should then be run through in various exercises. A simulation game (tabletop exercise), for example, is a good way of challenging the stakeholders in their roles.
Learning and training can also take place in the follow-up to an incident. If an emergency has occurred and the worst has been prevented, the documentation of the incident can be used in a review to train the colleagues involved and third parties, so that everyone reacts even better the next time.
Complion offers support services in the area of IT security awareness training. Have you already taken measures to secure the most important gateway for hackers in your company? We would be happy to support you. Please get in touch with us at mail@complion.de.
Author: Tobias Philipsen