Social engineering on the rise
Since the Covid-19 pandemic at the latest, the danger of social engineering has increased significantly. The CEO of ASTRUM IT, an IT service company, is also aware of this. Gerhard Pölz therefore strives to sensitise and inform employees and to train them at regular intervals. "I think we are challenged to anchor here again and again, to train employees again and again and to familiarise them with new educational material so that awareness always remains at the same high level," says Pölz.
"The biggest factor of insecurity is and remains the human being." Gerhard Pölz
Social engineering specifically exploits human characteristics such as trust, helpfulness and respect for authority in order to obtain data. Therefore, the first security measure is quite simple: remain critical. Gerhard Pölz understands the problem. "We all want to be nice and polite, but here it is appropriate to check this request with a critical eye." He also emphasises the importance of checking emails and other means of communication: "How do I deal with mails that I trust or not? Companies need a trusted point of contact in-house that employees can then turn to."
A large share of cyberattacks arrives via email, SMS or even telephone. Technical equipment can play an important role in increasing security, but even more important is the person in front of the device.
Keyword risk management
Most security management systems already have a strict standard: "If you only read the standard, the measures seem very soft, but in a minor sentence, huge efforts may be hidden," explains IT expert Marcus Heinze. The CIO of ASTRUM knows what to do when a company lacks an overview of its security measures. First of all, companies have to assess which measures they absolutely need and which they can do without - keyword risk management. A plumber's business needs different security measures than a media company. "In the end, it is always a balance of the measures I need and those I leave in place so that I am still able to work. The balance is company-specific," emphasises Marcus Heinze.
At this point, it makes sense for many companies to seek professional advice. Then, on the one hand, the necessary measures can be defined and, on the other hand, the employees can be taken by the hand with the necessary tact. The measures must be supported by everyone - they should therefore also be comprehensible.
"This costs the companies something at first, but it speeds up the process considerably," emphasises Marcus Heinze. Another advantage of bringing in experts is that they have been through these processes before. This makes problem solving a lot easier.
Awareness training for sensitising employees
To ensure that IT security measures actually reach employees, awareness training is indispensable, says CEO Gerhard Pölz. When conducting training, he emphasises the importance of repetition and updating, as attack scenarios are constantly changing. In addition to sensitising employees, it is also important to check the effectiveness of the measures. How this happens varies from company to company. ASTRUM IT does not think much of sending phishing simulations to the mail addresses of its own employees:
"This is about trust. Employees should trust the IT team and not be put in extremely unpleasant situations by them," Pölz explains his stance.
Despite increased security precautions, the experts Pölz and Heinze do not advise against home offices. But there are a few things to keep in mind. CIO Marcus Heinze is of the opinion: "With home office, it is important to design guidelines and technical facilities securely, then it is feasible." Among the technical requirements, he counts VPN tunnels and company-owned devices. "Employees must be prepared to give up some of their comfort for the sake of security," Gerhard Pölz emphasises. There also has to be trust in IT that these measures really make sense.
Pölz is therefore very critical of "bring your own device". In the end, it is expensive to equip your employees with additional devices, but this can significantly minimise the risk of a cyber attack. "When it hits you, it really hits you. That can very quickly be dangerous for the company," warns Marcus Heinze.
Change begins in the head
It is precisely this existential danger that must register at management level. Marcus Heinze encourages companies to question their own security standards and stresses the importance of bringing experts in-house. "IT security should not come up once a year with employees where they then roll their eyes." Marcus Heinze thinks it is much more important that everyone is sensitised to cyber security, that monthly updates are given on the latest developments and that IT security thus becomes part of the corporate culture. It is also emphasised that IT security should not be just an annual training topic but part of daily working life, integrated into the corporate culture. "Everyone thinks in advance about the consequences of clicking on this attachment."