Dr Nabil Alsabah has always been interested in strategies. In his doctoral thesis he used AI methods to analyse the campaign strategies used by the Greeks in their wars against Persia. Now he deals with strategies to defend against cyber attacks as part of his work for Bitkom, Germany’s digital association. Company employees are the first line of defence when it comes to the strategic planning of security measures. In this interview, Alsabah explains how to prepare employees for these challenges.
- Employees are the first line of defence for IT security.
- To improve employee awareness of the problem, companies must hold regular special awareness training sessions.
- On-line training sessions with an active practical component are an advantage.
- The measures adopted must be tailored to the industry or the company in question.
What part does IT security play at Bitkom?
We have divided our activities into three clusters: generating added value for our member companies, in other words, talking about new developments and establishing familiarity with them; networking our members; and acting as a contact party for policy-makers, or bringing our members’ problems to their attention. Public relations is thus one of our most important activities.
What form do these tasks and activities take with regard to IT security?
We represent the entire digital economy. That means we have to deal with all the challenges arising in the area of IT security.
What do you tell your member companies if they ask you how they can make their employees fit for IT security?
According to security experts, people are the greatest security risk in IT. That raises the question of how we can prepare our employees for the security risks in today’s world. They need to be trained accordingly. The goal of these activities is to raise awareness, which is an aspect I would rate very highly.
What typical errors do employees make if they have not been trained in this area?
They click on dangerous links or choose weak passwords. But employees also forget to lock the computer when they leave their desk. Microsoft Windows has a simple keyboard shortcut to do that: Windows key + L. Untrained employees often don’t install updates, or will leave their passwords in full view on their desks.
Awareness training is available in various forms, such as face-to-face courses or online options. What’s best for whom?
The benefit of online training, as I see it, is the learning effect achieved from direct implementation in the form of exercises and the associated feedback from the online platform. The best options must surely be those that give you direct feedback. I would therefore recommend a combination involving an interactive component.
What are some of the key components of awareness training?
How to handle passwords is fundamental – for example, criteria for choosing strong passwords. That also includes not using the same password for different platforms or services. Dealing with phishing e-mails should also be covered: how can I tell if an e-mail or the sender of an e-mail has been forged? Encryption of important data is another point – in other words, what should be encrypted, how encryption is used, and so on. The use of two-factor authentication should also be explained. Another topic is how data protection and IT security fit together. This includes the question of how to keep important documents confidential, and the function of access rights.
Which criteria are vital when it comes to making a choice, and how does a company find the right provider?
There are a lot of start-ups on the market with innovative products. It’s worthwhile checking reviews in trade journals to make up a list of criteria for evaluating providers. But IT security officers first need to consider what the company’s actual needs are. For example, a hospital and a book shop will have different requirements. You need to check what data is available and which systems are used, to ensure that the training activity covers the operating systems that are currently in place – if mobile devices are used, for example. The experience of other customers can also be drawn on, as appropriate, since one particular provider may be ideally suitable for a hospital, but the learning methods it uses may not make it the right provider for an industrial environment.
Can we measure the success of these training activities?
The results will differ, as they depend on the quality of the content, but in general we can observe very positive outcomes. With interactive content the outcome can be determined relatively easily, since we can check whether the employees can put what they have learned into practice. Being able to make practical use of theoretical knowledge is vital. That’s why some companies follow up by deliberately sending harmless phishing e-mails to check whether employees fall for them. Or they check whether password guidelines are being observed by trying to crack them. This is all done by arrangement with the company, of course. Data protection must always be observed in this connection.
Is a one-off training course enough, or should there be regular follow-ups?
Follow-ups are always better, say twice a year, since it is important to query and review the employees’ level of knowledge at regular intervals. The key security principles are highly theoretical. For example, users must be shown repeatedly that passwords they consider to be secure are really not secure in practice. I consider it a matter of urgency that IT security needs to be made more user-friendly. The fact that we need training activities at all shows that security is a very complex matter, and that it still scores poorly in terms of user-friendliness.
Author: Uwe Sievers
