Newspaper with headline Cyber Attack ©istockphoto.com/ardasavasciogullari

How does an awareness initiative succeed in cyclically making employees aware of cyber risks?

Contemporary campaigns rely on creativity and a sense of achievement, because moralising is just as counterproductive in an awareness campaign as boredom or excessive demands. Bitkom expert Simran Mann and Michael Weirich, project manager at eco e.V., explain why the workforce should be actively involved.

A wrong click can be enough to encrypt all the company's IT systems. Employees must be aware of the dangers, and contemporary awareness campaigns are taking new approaches.

  • Employees can be involved in designing the campaign and provide creativity and entertainment.
  • Vivid examples from everyday work and positive feedback increase acceptance.

For years, most attacks have been carried out by phishing. Attackers hide malicious links in well-prepared emails, and these links are used to install malware on the PC. If this is successful, it opens a backdoor for the attackers into the company network. To make this work, cyber criminals increasingly rely on captured contact data, contexts and topics of conversation from hacked email accounts.

Companies counter such attacks with prevention through awareness campaigns. Employees are to be sensitised not to click on unknown links. But these campaigns often fail to achieve lasting learning success. This raises the question of what an efficient measure should look like.

Classic, inflexible awareness campaigns have had their day

Simran Mann, security policy officer at the German Information and Telecommunications Industry Association (Bitkom), pleads for creativity in the design of awareness campaigns and emphasises that classical topics can also be part of them:

An efficient security awareness initiative in a company naturally includes things like remembering password guidelines and penetration testing with the help of phishing mails - in other words, the more classic topics. But that alone is not enough; more far-reaching questions need to be answered, including: Who is the target group anyway? What age are my employees? Which applications do they use most often and where are the gateways?

The necessary time to deal with this is well invested, because in an emergency, preparation can secure the existence of a company. There are no limits to creativity, for example, employees can be asked to design their own phishing emails for penetration testing. This can not only provide entertainment, but also draw attention to the details that help you expose phishing emails on a daily basis.

Michael Weirich, Project Manager IT Security at eco, the Association of the Internet Industry, emphasises the importance of a sense of achievement and positive feedback for employees:

The employees of a company are one of the most important lines of defence of a company besides technical measures. To raise their awareness, short, continuous learning contents with which the user can identify are important. Clear examples from everyday working life, presented in an entertaining way, reflect situations that everyone knows and that stick in the memory. The content of the awareness campaign must be adaptable to the respective organisation; corporate branding individualises the campaign so that it is not imposed on the user but perceived as part of the corporate communication. Short tips and examples with current cyber threats or incidents can promote the conscious handling of risks in the long term.

A progress and success overview motivates employees to take on new learning content and can contribute to sustainable learning success. Badges and a final certificate reinforce the sense of achievement. Positive feedback is the magic word here.

Contemporary campaigns rely on creativity and a sense of achievement

Finger-wagging is just as counterproductive in an awareness campaign as boredom or excessive demands. The learning content must be tailored to the target group and the company. The more creatively and entertainingly the lessons and measures are designed, the more likely they are to be accepted by the staff. Small competitions and involving staff in the design can provide variety and acceptance. A company's own staff usually know the company and its possible sources of error best.

Author: Uwe Sievers
