Phishing: detect and defend

Discover how Phishing Simulation allows you to measure the status of your IT security.

In an interview, Karsten Tellmann, Manager Custom Solutions at G DATA CyberDefense, explains how a phishing simulation makes IT security measurable.

What is the current state of threat to companies?

In the first six months of this year, the number of attempted attacks has risen sharply. This is certainly also connected with the Corona pandemic. At the beginning of the crisis, cyber criminals took advantage of people's uncertainty and sent masses of mails referring to COVID-19, but the attached files contained malicious software, or the link included led to a prepared website in order to harvest login data. At the same time, the attackers also benefited from the fact that many employees worked from home. Under time pressure, many companies were unable to provide their home office employees with a sufficiently secure infrastructure: the complexity of the networks has increased, but IT security has not grown to the same extent.

Why are protection technologies on their own not enough?

Of course, technical security solutions detect the majority of attempted attacks and prevent external access by attackers. However, criminal hackers today are economically oriented and want to make a maximum profit with little effort, so they always seek the path of least resistance. These are technical security gaps such as software updates that are not installed. In reality, unfortunately, the employee is often the weakest link in the chain. A wrong click on an attachment or a link in an e-mail is enough for attackers to gain access to the network. It is then only a matter of time before they take control and copy or encrypt data to extort ransom money.

Why are people vulnerable to phishing campaigns?

Cybercriminals have a goal in phishing. They entice their victims to reveal confidential information such as login data or to open mail attachments. In this way the attackers gain access to the network or can infect the systems with malware. In doing so, they consistently exploit human behaviour. Helpfulness, curiosity or greed play into their hands. In the corporate environment, dealing with applications for advertised jobs or with invoices is part of the daily routine. Attackers take advantage of the usual handling of these mails, as employees are more likely to be inattentive during routine work.

How can companies help their employees not to click on phishing emails?

Companies must take a holistic view of IT security. In addition to technical security measures, employees should become an integral part of the defence strategy. A training video on cyber threats is not enough here. Even classroom training is not enough. Raising awareness of IT security risks is a long-term process. This is only possible with the help of comprehensive security awareness training. If employees are aware of the risk, they act more cautiously and are more sensitive to e-mails.

What part do phishing simulations play in security awareness training?

Phishing simulations allow employees to gain experience with dangerous emails in a hands-on way. This enables them to deal with phishing more routinely. Companies can use a simulation to measure the status of their IT security. A report informs the person in charge whether and how many employees have opened a dangerous mail and clicked on the link included. This makes it clear how big the need for action is. Next, companies should carry out security awareness training in order to sharpen employees' awareness of cyber threats in the long term and build up knowledge. Companies that then run another phishing simulation can see how the security level in the company has improved.
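The measurement described above (who opened, who clicked, and how the numbers move between a baseline simulation and a follow-up after training) can be reproduced from a simulation's event log. The following is an added example, not G DATA's reporting tooling; it assumes a hypothetical event format of one line per event (`timestamp,campaign,user,event`, with event one of sent/opened/clicked/reported), and the log lines are constructed. It also goes one step beyond the text by adding a report rate (employees who reported the mail) and a list of repeat clickers, since both are what a person in charge would want when deciding where follow-up training is needed.

```python
"""Turn phishing-simulation events into per-campaign funnel metrics.

Added example; the event format is an assumption, the log is constructed.
"""
from collections import defaultdict

EVENTS = ("sent", "opened", "clicked", "reported")

# Constructed sample: a baseline simulation before awareness training and a
# follow-up simulation afterwards (same four recipients). Not real data.
SAMPLE_LOG = """\
2020-03-02T08:01:00,baseline,alice,sent
2020-03-02T08:01:00,baseline,bob,sent
2020-03-02T08:01:00,baseline,carol,sent
2020-03-02T08:01:00,baseline,dave,sent
2020-03-02T08:14:07,baseline,alice,opened
2020-03-02T08:14:30,baseline,alice,clicked
2020-03-02T08:20:11,baseline,bob,opened
2020-03-02T08:20:40,baseline,bob,clicked
2020-03-02T08:21:02,baseline,bob,clicked
2020-03-02T09:05:55,baseline,carol,opened
2020-03-02T09:06:10,baseline,carol,reported
2020-06-15T08:01:00,followup,alice,sent
2020-06-15T08:01:00,followup,bob,sent
2020-06-15T08:01:00,followup,carol,sent
2020-06-15T08:01:00,followup,dave,sent
2020-06-15T08:09:43,followup,alice,opened
2020-06-15T08:10:02,followup,alice,reported
2020-06-15T08:30:15,followup,bob,opened
2020-06-15T08:31:00,followup,bob,clicked
2020-06-15T10:02:29,followup,dave,opened
2020-06-15T10:02:50,followup,dave,reported
this line is malformed and must be skipped
"""


def parse_events(text):
    """Return {campaign: {event: set(users)}}.

    Users are collected in sets, so a user who clicked twice (bob in the
    baseline) still counts as one clicker. Malformed lines are skipped.
    """
    campaigns = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or parts[3] not in EVENTS:
            continue
        _timestamp, campaign, user, event = parts
        campaigns[campaign][event].add(user)
    return campaigns


def funnel(campaign_events):
    """Open/click/report rates as percentages of recipients actually sent to."""
    sent = campaign_events["sent"]
    total = len(sent)

    def rate(event):
        # Intersect with `sent` so stray events from non-recipients are ignored.
        return round(100.0 * len(campaign_events[event] & sent) / total, 1) if total else 0.0

    return {
        "sent": total,
        "open_rate": rate("opened"),
        "click_rate": rate("clicked"),
        "report_rate": rate("reported"),
        "clicked_users": sorted(campaign_events["clicked"] & sent),
    }


def compare(before, after):
    """Change in percentage points between two simulations (negative click change is good)."""
    return {
        "click_rate_change": round(after["click_rate"] - before["click_rate"], 1),
        "report_rate_change": round(after["report_rate"] - before["report_rate"], 1),
    }


def repeat_clickers(before_events, after_events):
    """Users who clicked in both simulations: the first candidates for targeted training."""
    return sorted(before_events["clicked"] & after_events["clicked"])


if __name__ == "__main__":
    campaigns = parse_events(SAMPLE_LOG)
    baseline, followup = funnel(campaigns["baseline"]), funnel(campaigns["followup"])
    print("baseline:", baseline)
    print("follow-up:", followup)
    print("change:", compare(baseline, followup))
    print("repeat clickers:", repeat_clickers(campaigns["baseline"], campaigns["followup"]))
```

Rates are computed against the set of recipients the mail was actually sent to, and each user is counted once per event, which keeps a single user's repeated clicks from inflating the click rate; the comparison is in percentage points so that two campaigns of different size can still be set side by side.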