17.11.2022

Security awareness is not only a training course

It is time for a change.

Just recently, the IT provider of Mainzer Stadtwerke suffered a large ransomware attack that impacted its data and, as a consequence, the city's mobility services. The attackers demanded a ransom from the victims in order to restore the data. This is just one of many cyber-attacks that happen frequently, and more are certain to come.

According to Forbes, cybercriminals can penetrate 93% of company networks, and many security executives state that they do not feel prepared for the challenges that come with digitization. From our many years of experience we know that even the best security infrastructure cannot ward off every attack. To prevent cyber-attacks and the theft of sensitive data, companies have to pay attention to the human factor and establish security awareness among their employees.

 

Why is security awareness so important?

The number of cyber-attacks on companies grows steadily every year. According to Bitkom e.V., the German economy recorded a loss of €103 billion due to cyber-attacks in 2018/2019. For comparison, in 2020/2021 the loss more than doubled and reached €223 billion. Even though many companies invest heavily in cyber security infrastructure, they often ignore the most crucial link in the security chain: their employees.

With the digital transformation and emerging technologies such as cloud and IoT, the IT landscape has become increasingly complex. At the same time, cyber-attacks are getting more sophisticated: attackers increasingly target identities (user accounts and credentials) and use psychological techniques to manipulate employees. In 41% of the companies assessed, cybercriminals manipulated employees to gain access to sensitive customer and business data (Bitkom e.V.). Employees often lack the cyber security skills and knowledge to recognize the different attack scenarios. With the rising number of cyber-attacks, well-trained employees who share an understanding of why security measures matter and who have a security mindset will become a competitive advantage for a company. Therefore, in addition to technical security measures (such as Zero Trust and information protection), it is also important to invest in employees, to increase their cyber security awareness and to protect the company in the long term.

Most companies use security awareness training to increase security awareness among employees. However, such training alone cannot succeed, because the target audience struggles to apply and retain the knowledge. A comprehensive cyber security awareness concept is therefore necessary to also develop a security mindset and a security culture within the company.

 

How can we establish security awareness?

Based on our experience in both security and change management, we identified three dimensions that must be addressed to ensure strong security awareness among all employees in the long term:

Security skills:

Employees need to gain the cyber security skills to recognize different attack scenarios, to know how to react in each situation, and to use the technical security measures available to them.

Security mindset:

It is crucial that employees understand what security is and why it matters, not only in the working environment but also in their personal lives. This builds awareness of the importance of protecting highly sensitive company and customer data.

Security culture:

Companies must create a common understanding of why security measures matter. We recommend anchoring security in the corporate culture. Establishing an error culture, in which employees can report mistakes and suspected incidents without fear of blame, is the first step.

 

Campana & Schott developed a comprehensive Security Awareness approach based on these dimensions. In the first step, we assess the current situation in a company and determine an initial security awareness score through quantitative and qualitative measures. We then derive tailor-made measures and recommendations and accompany the employees on their journey to better security behavior. Finally, we ensure that security awareness is anchored sustainably in the long term.

Conclusion

With the rising number of cyber-attacks, which are getting more sophisticated and unpredictable, companies must act as soon as possible and establish company-wide security awareness to protect their sensitive data. Security awareness is more than phishing simulations and computer-based training; a comprehensive approach is required. Given the current threats, every door to corporate data must be kept consistently closed, and every employee must contribute to this.

Author

Stefan Haffner

Associate Partner | Cyber Security