AUG, 2021 | IN MY VIEW

CYBER-AWARENESS IS VITAL

BY SASCHA MAIER, HEAD OF IT & CYBER RESILIENCE, IWC SCHAFFHAUSEN

What is the point of protecting a corporate network if attackers work their way past virus scanners and firewalls without inserting any password-copying malware at all, but instead use social engineering to trick individual employees into entering their log-in details themselves on phishing sites?

It is nothing new to state that attackers favour social engineering. For years, human failings and errors have been the main gateway for successful digital attacks on companies, and the trend is on the rise. According to one recent report (Verizon Data Breach Investigations Report 2020), just over 70 per cent of all successful attacks are attributable to hacking and human error. In the case of hacking, 80 per cent of the successful attacks investigated in the report are phishing attacks that paid off.

How do you build a human firewall?

In view of this, corporate cyber-security teams should not limit their focus to maintaining and expanding the technical resources at their disposal. They need to make the whole staff part of their efforts by setting up a cyber-awareness programme. The aim is to make as large a part of the staff as possible familiar with current methods of attack, in order to prevent disastrous click responses. The icing on top would be employees themselves reporting suspicious e-mails, calls, websites or people. But reaching that objective requires both work and a budget.

Ideally, the IT department and the HR (or Internal Communications) department tackle the project together. The IT or IT Security department has eyes on both the types of attack currently in use and the routes by which attackers attempt to penetrate networks. Conversely, the HR or Communications department has expertise in how best to communicate specialist cyber knowledge.
The company management needs to be on board

Before engaging with the detailed design of an awareness programme, management first needs to be brought on board. On the one hand, this is to secure the budget needed for the measures. Ultimately, external speakers (live hacking), text and video producers and layout experts cost money, and it is fairly rare to find these resources internally, meaning that they need to be bought in. On the other hand, it is to ensure that management commits that no employee will be punished or even dismissed because of an inadvertently triggered security issue. Without that commitment in place, a climate of fear envelops cyber-security, and that makes it practically impossible to get the necessary groundwork from staff. The ideal situation is where management personally approaches the staff to launch the programme, in order to underline the relevance of the issue. If a request is also made at the