it-sa 365 | Topic: Awareness
  • Technical contribution
  • Management, Awareness and Compliance

"Human risk factor" is not the problem, but the solution

If cyber criminals exploit the "human" vulnerability, even the best firewall and the most secure IT infrastructure are useless. Security awareness is the key to greater security in your company. Here you can find out how IT security awareness can make your company more secure and what options you have.

Awareness is a fundamental security measure in the day-to-day use of IT systems. It means, first, creating an understanding of cyber security issues and, building on that, achieving a lasting change in behaviour towards the secure handling of digital systems.

Why is this necessary? You don't have to look far to find out - the web is full of reports on current cyber attacks, social engineering hacks and phishing attacks. For example, a recent survey by security solutions provider Arctic Wolf found that more than two thirds (70 per cent) of all companies surveyed globally were the target of attempted BEC (Business Email Compromise) or email account takeover attacks last year. Almost a third (29 per cent) were victims of one or more successful BEC incidents. In the DACH region, the figures were even higher at 82 per cent and 41 per cent respectively. In addition, 61 per cent of companies detected an insider threat last year. In 29 per cent of cases, this led to a security incident, while in a further third (32 per cent) the threat was identified and resolved before it escalated into a security incident. Furthermore, of the 39 per cent who had not detected an insider threat within the last year, six per cent admitted that they believe they are at high risk of insider threats - and that is just one study among many on the subject.

"Not all insider threats are malicious or deliberate," comments Dr Sebastian Schmerl, Regional Vice President Security Services EMEA at Arctic Wolf. "In many cases, it's a case of unsuspecting users who, unknowingly or manipulated by attackers, perform actions that then lead to a security incident, such as downloading potential malware through calls and emails from a fake service technician or clicking on phishing links in emails, SMS, WhatsApp, Slack or Teams messages." What can help? Security awareness.

The right perspective

A change of perspective is helpful for successful security awareness. IT security is only as good as the people who operate the systems. For this reason, people should not be seen as a security gap, but as a line of defence against cyber attacks. The widespread rhetoric about the "human factor" can have a destructive effect. People are not part of the problem, but part of the solution, the "human security factor". The interface between people and machines needs to be better organised.


Problem awareness and safe behaviour

As outlined in the Aberdeen Group report entitled "Security Awareness Training: Small Investment, Large Reduction in Risk", there are also economic arguments in favour of training. The researchers conducted a workshop with company security representatives to find out why they invest in security awareness and training. The results:

  • 91 per cent want to reduce the cyber security risk associated with user behaviour.
  • 64 per cent want to change user behaviour in general.
  • 61 per cent conduct training to meet regulatory requirements.
  • 55 per cent conduct training to comply with internal policies.


The development of security awareness training

Although security awareness training is not new, the topic has only gradually become part of the general discussion. The introduction of "National Cyber Security Awareness Month" in the USA in 2004 made a decisive contribution to this. The initiative, launched by the National Cyber Security Alliance and the US Department of Homeland Security, was designed to help people stay safe and protected online by encouraging good practices (such as regularly updating anti-virus software). Since then, the annual Cybersecurity Month has inspired similar events in other countries, expanding its themes and content and generating greater participation from businesses, governments, non-profit organisations and the public. However, the methods, focus and effectiveness of security awareness training have changed in recent years.

The key to effective defence

Knowing the key points of an effective security awareness strategy is not rocket science. Security provider KnowBe4, for example, has compiled some points for promoting an effective defence, distinguishing between "human" (soft) criteria and technical criteria.

Soft criteria:

  • Look out for inconsistencies in communication. These include, for example, atypical language, unusual requests or deviations from the usual communication patterns of the supposed sender.
  • Urgent or unverified requests should be viewed with scepticism, especially when they concern financial transactions or the disclosure of sensitive information, and should be verified through a second, independent channel.
  • Inconsistent or manipulated audio and video: when audiovisual media are used, pay particular attention to synchronisation problems between sound and image, unnatural facial movements or blurred, inconsistent backgrounds, all of which can indicate tampering.
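The first two soft criteria (inconsistent communication, urgent or unverified requests for money or data) can be turned into a triage heuristic for inbound mail, which is also where the BEC and account-takeover attempts cited above arrive. The following is an added example, not code from the article, KnowBe4 or Arctic Wolf; the internal domain `example.com`, the phrase lists, the weights and the sample messages are all assumptions constructed for illustration. It parses a raw message, checks the headers for sender impersonation (a display name that is itself an e-mail address on a different domain, a look-alike sender domain, a Reply-To that diverts the conversation) and scans the subject and body for urgency, payment and secrecy phrasing, then returns a verdict that a mail gateway or a SOC playbook could act on.

```python
"""Heuristic triage of inbound e-mail for BEC / social-engineering indicators.

Added example; INTERNAL_DOMAIN, the phrase lists, the weights and the sample
messages are assumptions and not taken from the article.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (the article names none).
INTERNAL_DOMAIN = "example.com"

# Phrasing that signals pressure, a request to move money / disclose data,
# or an attempt to stop the recipient from verifying through another channel.
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|right away|asap|within the hour|before (noon|close of business))\b", re.I)
FINANCIAL = re.compile(
    r"\b(wire|bank transfer|bank details|invoice|gift cards?|payment|iban|account number|payroll)\b", re.I)
SECRECY = re.compile(
    r"\b(confidential|keep this between us|do not (tell|discuss|mention)|don't (tell|discuss|mention))\b", re.I)

# Assumed weights: header-level impersonation counts more than wording alone.
WEIGHTS = {
    "display_name_spoof": 4,  # display name is an address on another domain
    "lookalike_domain": 4,    # sender domain is an edit or two away from ours
    "reply_to_mismatch": 3,   # replies would go to a domain other than the sender's
    "external_sender": 1,     # weak on its own, strong in combination
    "urgency": 2,
    "financial_request": 2,
    "secrecy": 2,
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_indicators(raw: str) -> list[str]:
    """Return the names of every indicator present in the raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    from_dom = domain_of(from_addr)

    found = []
    # '"ceo@example.com" <mail@attacker.example>': the visible name is an address
    # that does not belong to the real sender domain.
    _, name_addr = parseaddr(name)
    if "@" in name_addr and domain_of(name_addr) != from_dom:
        found.append("display_name_spoof")
    if from_dom != INTERNAL_DOMAIN and 0 < edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        found.append("lookalike_domain")
    if reply_addr and domain_of(reply_addr) != from_dom:
        found.append("reply_to_mismatch")
    if from_dom != INTERNAL_DOMAIN:
        found.append("external_sender")
    if URGENCY.search(text):
        found.append("urgency")
    if FINANCIAL.search(text):
        found.append("financial_request")
    if SECRECY.search(text):
        found.append("secrecy")
    return found


def triage(raw: str) -> tuple[str, int, list[str]]:
    """Score the message and map it to a verdict ('low', 'medium', 'high')."""
    found = find_indicators(raw)
    score = sum(WEIGHTS[i] for i in found)
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return verdict, score, found


# Constructed sample messages (not real mail).
BEC_LURE = """\
From: "jane.doe@example.com" <jane.doe@examp1e.com>
Reply-To: finance-desk@mail-attacker.example
To: accounts@example.com
Subject: Urgent wire transfer

I am in a meeting and cannot take calls. Please process an urgent wire
transfer of 48,000 EUR to the account details below and keep this
confidential until the deal is announced.
"""

INTERNAL_NOTE = """\
From: "Max Mustermann" <max.mustermann@example.com>
To: accounts@example.com
Subject: Lunch on Thursday

Shall we meet in the canteen at 12:30 on Thursday?
"""

VENDOR_INVOICE = """\
From: "Vendor Billing" <billing@vendor.example>
To: accounts@example.com
Subject: Invoice 2024-17 attached

Please find attached the invoice for May. Payment is due within 30 days.
"""

if __name__ == "__main__":
    for label, raw in (("lure", BEC_LURE), ("internal", INTERNAL_NOTE), ("vendor", VENDOR_INVOICE)):
        print(label, triage(raw))
```

The verdict is a prioritisation aid, not a block decision: the vendor invoice scores "medium" purely because it is external and talks about payment, which is exactly the case where the article's advice applies, namely verifying the request through a known phone number rather than by replying to the mail. Phrase lists and weights should be tuned against the organisation's own mail traffic, and look-alike detection should also cover homoglyphs (Unicode confusables), which the Levenshtein check above does not.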


Technical aspects:

However, technical aspects must also be taken into account in security awareness training. These include, for example (according to Wikipedia):

  • Basic information on information and data security
  • Safe handling of phishing emails
  • Safe handling of QR codes
  • Potential threats from malware
  • Physical security of the workplace computer
  • Dealing with mobile data storage devices
  • Risks and dangers when using mobile devices
  • Dangers from social networks
  • Potential threats from social engineering
  • Dangers of internet use
  • The danger of phishing and how a phishing attack unfolds
  • Secure passwords and how to use them responsibly
  • Secure use of public internet access and hotspots
  • The company's specific security and password guidelines
  • Behaviour in the event of security-relevant incidents
  • The duty to report recognised dangers

Conclusion

Security awareness is more than just sensitising employees to potential dangers and risks. Rather, security awareness has the task of understanding people, reaching them and ultimately convincing them, and ideally of changing uninformed behaviour for good and thus creating a security culture. Or, as Der Marktplatz IT-Sicherheit puts it in its slogan: "Security is everyone's business".


Guest article by our content partner "Der Marktplatz IT-Sicherheit"

Written by Dunja Koelwel
