People are not machines, says Marcus Beyer from the Swiss telecommunications company Swisscom. He emphasises that awareness measures must be geared towards the everyday lives of employees.
Technicians are rather unsuitable for awareness jobs, because awareness issues are centred around people, not machines. As Security Awareness Officer at Swisscom, Marcus Beyer knows this from experience. He has very successfully developed and implemented his own awareness ideas for his employer, which deviate from traditional concepts in many respects. It is important to him to focus on the employees, as they are the ones who ultimately guarantee the security of a company. Beyer studied psychology and has worked in the world of technology for many decades. In this interview, he explains the typical mistakes of common awareness measures and shows how things can be done better.
- Those responsible must first make it clear to employees why they should be interested in security at all.
- Traditional awareness concepts often fail because they are not customised to the people in the target group.
- Successful measures are orientated towards the living environments of employees.
- Learning platforms and AI tools are very helpful and increase efficiency.
You work for the Swiss telecommunications company Swisscom as a Security Awareness Officer. What exactly is meant by this role description?
I am part of the Group Security department, which is also known as corporate security in other companies. This is not IT or information security. We also have responsibility for physical security. We are around 80 employees, and I'm responsible for the whole topic of security awareness and training. Swisscom has around 19,000 employees, plus external staff there are around 23,000. My job consists to a large extent of planning and implementing training for the entire workforce, but also in depth for the cyber professionals in our company. I am also responsible for communication tasks, for example when we introduce something new or changes are pending. Essentially, I try to give our employees a taste for IT security and get them interested in it.
We are not the only ones having this role; other companies are similarly positioned. Companies are increasingly realising that they need specialists for awareness. As a rule, these are not technicians. Technicians look at things from a technical perspective and rarely from the user's point of view. Of course, only large companies can usually afford this; at smaller companies, it is often done by other specialists on the side.
Awareness is no longer a new topic and is now widely practised. How topical is this issue? Is there still a need to sensitise the workforce to cybersecurity or has the whole thing evolved?
We need to talk more and more about risks where people are in the crosshairs. This is also where the topic of awareness is heading. Phishing simulations and subsequent training are no longer enough. Instead, it's about achieving a change in behaviour among employees. To do this, I first have to make people aware of the issue. After all, we can't simply immunise them or install a patch and everything will be fine. Why should an employee concern themselves with security? It's not their business. These people are not going to become security experts. But we have to get them interested in security, then they will be prepared to take appropriate measures.
ISO 27001 only requires training and communication on the subject of IT and information security; it doesn't matter how. But that's not how it works. We need to empower employees to implement the right security precautions so that the company is resilient, so that it doesn't get into a crisis or at least gets out of one quickly.
I just heard a presentation about a company that was attacked. One of the slides said: "The human firewall had four ways of preventing the attack". This depiction reflects the arrogance of IT, which treats employees like machines. In contrast, my triad is always: people, process and technology. Because if processes don't work or are incomprehensible, then you have a problem. Take policies and guidelines, for example, which are often written by the legal department and which nobody understands at all. If you don't understand something, how are you supposed to implement it?
Awareness does not simply consist of technical or organisational measures. Purely disciplinary measures in the event of misconduct are completely the wrong approach. What do we know about why an employee has engaged in misconduct? The measures are intended to protect the workforce, and only then does this provide protection for the company. Traditional IT thinking doesn't work for awareness; it's about cultural change. It is a change process.
One of your guidelines, which you also emphasise in an IT security update on the it-sa 365 digital platform, is to be close to your employees' living environments. How does that work?
I am addressing a problem that sometimes arises when a company sensitises its workforce to phishing, but employees do not realise to what extent this affects them. We have therefore produced a brochure that follows the daily routine of a member of staff and looks at a normal working day through a security lens. It starts with breakfast. The person reads the news on the side, and we discuss fake news and disinformation. Then they come into the company and have to wear a company badge. We explain why. This is followed by the first video conference, and we shed light on the risks involved. We go through the day and show where the dangers and risks lie in everyday working life. However, we also always try to establish a private connection, for example the relevance of passwords in private life and so on. We show that a password manager is also a great help in private life. If people are sensitised to cybersecurity in their private lives, they will also be more aware of it at work. For example, I should also take care of confidentiality at home: when working from home, you have to be careful what you say on the phone if, for example, family members could be listening in. I don't always want to have to tell my children that they are not allowed to tell others what mum and dad said in a business video call.