What does a 250-year-old educator have to do with modern security awareness programs? Eva Willnecker, Senior Consultant at usd AG, told us.
Eva, what role do you think security awareness plays in information security?
Eva Willnecker: Many businesses have already achieved a lot when it comes to implementing technical security measures. However, there are certain risks that are difficult to minimize or prevent by purely technical measures. If these risks occur, the causes can often be traced back to carelessness, a lack of know-how or a weak risk awareness among employees. No firewall or antivirus software can help. In addition, thought patterns such as “Nothing has ever happened to us before” or “Why would hackers attack me?” prevent employees from realizing how relevant their contribution to “more security” really is. Security awareness is therefore a necessary complement to technical security measures.
What is the initial question when it comes to security awareness?
EW: Mainly the question of how a sustainable learning effect can be achieved in order to improve an organization’s security in the long term. The human factor itself and the question of how we all learn best should be at the forefront. The educational reformer Johann Heinrich Pestalozzi asked the exact same question 250 years ago and came to the conclusion: “People learn best with their heads, hands and hearts”, i.e. through knowledge, practice and emotional references to the learning content. Applying this approach to security awareness was and still is exciting for me.
What should businesses pay attention to when designing an awareness program?
EW: Those in charge of designing an awareness program have to reconcile quite a few requirements: From compliance requirements to stakeholder requirements to employee needs. For a good start, it’s therefore particularly important to analyze exactly what an organization actually needs and how an awareness program fits into the corporate strategy and the entire culture. Without these points of reference, you more or less have to take a stab in the dark and, in the worst case, do more harm than good.
What role do web-based trainings play?
EW: Above all, web-based trainings (WBTs) are a practical way to train employees without having to spend a lot of time and money. When we designed our usd Security Awareness training platform and its trainings, we also made sure that we would be providing our clients with pragmatic support and helping them satisfy compliance requirements. However, a WBT alone does not make an awareness program. Such trainings should only ever be an addition to other measures.
Another measure of this kind is phishing simulation. Can you briefly explain how it works and what purpose it serves?
EW: In a phishing simulation, an attack on the employees of a company via email is simulated. Just like in a real attack, the employees are made to click on a link in the email. Unlike a real attack, however, the employee is not directed to a compromised website or tricked into downloading malware, but ends up on a target page where they are informed about the risks associated with phishing. In addition, they receive valuable information on how they could have identified the phishing email and what they can do in the future if they suspect that they have received a real phishing email.
What’s so great about phishing simulations is that you can kill two birds with one stone: For one, you will raise your employees’ awareness of phishing attacks, and secondly, you will have an important indicator of your whole company’s security awareness level by evaluating the total number of employees who clicked on the simulated phishing link.
You said web-based trainings alone don’t make an awareness program. Can you give us an example of what an effective combination of different measures could look like?
EW: When launching an awareness program, I would always start out with a thorough analysis of the current state of the organization: What measures have we tried? What are our problem areas? Have we addressed them with our previous measures? Who are our stakeholders and who are our target groups? To pack my suitcase properly I have to know exactly where I want to go.
Let’s assume that phishing is one of my biggest problems and that there are three departments that – simply because of their field of activity – are particularly often targeted by attackers: HR, Marketing and Sales. As a “wake-up call” I would run a phishing simulation with a suitable scenario for each department: a job application, an invitation to a trade fair and a customer inquiry. Depending on the outcome, I would follow up with workshops or web-based trainings teaching employees how to identify phishing emails. A live hacking demonstration would be an exciting event to illustrate the dangers of phishing, and finally I would repeat the phishing simulation to check the learning success of my measures and push awareness again.