eco Association: From Risk to Human Safety Factor

  • Corporate culture is fundamental for a holistic IT security approach
  • In so-called “CEO fraud” cyber criminals exploit the helpfulness, curiosity, and anxiety of their victims

When it comes to IT security, many medium-sized enterprises still rely too heavily on purely technical solutions. In particular, many companies underestimate the human factor in their risk assessments. Employees frequently enable successful cyber attacks by clicking on links or attachments in suspicious e-mails, thereby opening the door to malware such as ransomware (blackmail Trojans). “Notably, smaller enterprises neglect to pursue a comprehensive IT security approach, and to cultivate a corporate culture that sensitizes employees towards the threat situation,” says Oliver Dehning, Head of the Competence Group Security at eco – Association of the Internet Industry.

Purely technical security concepts often fail

In a so-called “CEO fraud” attack, for example, cyber criminals take advantage of human characteristics such as helpfulness, curiosity and fear. Forged e-mails and telephone calls, purportedly from company executives, try to trick employees into transferring large sums of money abroad. This form of personalized manipulation (social engineering) has become increasingly popular and is now often used to supplement technical attacks. “Today, cyber criminals combine technical with human attack vectors,” Dehning says. “Due to the high number of attacks on companies, criminals are becoming increasingly successful.” Some German medium-sized enterprises have already lost up to 40 million euros through such attacks. “In particular, companies that have not adapted their structures and the security of their digital work flows to current requirements are at risk,” Dehning warns.

Human safety factor

If companies further develop awareness of these threats, however, employees are more likely to turn from a risk factor into defenders of their company’s IT: “The decisive factor is the corporate culture in which employees are able to report suspicious incidents and e-mails, and to talk over things,” says Dehning. IT staff can then check the actual sender address behind the display name and, if needed, the S/MIME certificate. Even if a suspicious money transfer has already been carried out, employees should be able to voice their concerns to management. The sooner a successful scam is uncovered, the better the chances of recovering the money.
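One way to make the “check the actual e-mail address” step concrete is a small header check that flags the typical CEO-fraud patterns: an executive’s display name in front of an outside address, a Reply-To that diverts answers elsewhere, a lookalike of the company domain, pressure words in the subject, and the absence of an S/MIME signature. The following is an added example and not code from the press release or from eco; the company domain, the executive name and the two sample messages are constructed for illustration.

```python
"""Header checks for CEO-fraud e-mails.

Added example, not code from the eco press release or from eco.
COMPANY_DOMAIN, EXECUTIVES and the two sample messages are constructed
for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"      # assumption: the company's own mail domain
EXECUTIVES = {"jane doe"}           # assumption: names attackers are likely to impersonate
URGENCY_WORDS = ("urgent", "confidential", "wire transfer", "immediately")
SMIME_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; domain names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, reference=COMPANY_DOMAIN):
    """True if domain imitates reference: one edit away, or equal after
    undoing common homoglyph swaps (rn->m, 1->l, 0->o, vv->w)."""
    if not domain or domain == reference:
        return False
    swapped = (domain.replace("rn", "m").replace("1", "l")
               .replace("0", "o").replace("vv", "w"))
    return swapped == reference or _edit_distance(domain, reference) == 1


def analyze(raw):
    """Return a dict of fraud indicators for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    subject = str(msg.get("Subject", "")).lower()

    # Structurally S/MIME-signed. Whether the certificate chains to a trusted
    # CA and matches the From address still has to be verified by the mail
    # client or an S/MIME tool; this check only tells you a signature is present.
    signed = (msg.get_content_type() == "multipart/signed"
              and (msg.get_param("protocol") or "").lower() in SMIME_PROTOCOLS)

    return {
        "from_address": from_addr,
        # Display name claims an executive, but the address is not on our domain.
        "display_name_spoof": from_name.strip().lower() in EXECUTIVES
                              and from_dom != COMPANY_DOMAIN,
        # Replies would silently go somewhere other than the visible sender.
        "reply_to_mismatch": bool(reply_addr) and reply_dom != from_dom,
        # Either address uses a domain imitating ours.
        "lookalike_domain": is_lookalike(from_dom) or is_lookalike(reply_dom),
        # Social-engineering pressure in the subject line.
        "urgency_in_subject": any(w in subject for w in URGENCY_WORDS),
        "smime_signed": signed,
    }


def suspicious(raw):
    """True if any of the address-level fraud indicators fire."""
    r = analyze(raw)
    return r["display_name_spoof"] or r["reply_to_mismatch"] or r["lookalike_domain"]


# Constructed sample: display-name spoof, diverted Reply-To, lookalike domain.
FRAUD_SAMPLE = """\
From: Jane Doe <jane.doe.ceo@webmail.example>
Reply-To: Jane Doe <jane.doe@examp1e.com>
To: accounting@example.com
Subject: URGENT and confidential: wire transfer today
Content-Type: text/plain

I am in a meeting and cannot be reached by phone. Please transfer
EUR 250,000 to the account below today. Keep this strictly confidential.
"""

# Constructed sample: internal sender with an S/MIME signature structure.
SIGNED_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Q3 numbers
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

Please find the figures attached.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--sig--
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_SAMPLE), ("signed", SIGNED_SAMPLE)):
        print(label, suspicious(sample), analyze(sample))
```

The script only looks at message structure; it does not validate the S/MIME certificate chain, and a compromised internal mailbox would pass every address check, which is why the reporting culture described above still matters even with such tooling in place.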

Create security awareness

“For employees to internalize new sets of behavior, they should be repeated continuously,” Dehning says. Regular training courses or monthly staff meetings keep awareness of current threats alive. In addition to raising awareness among their employees, companies should not reveal too much information on their website or social media channels, because details such as who holds which position can be used to tailor attacks.

Internet Security Days (ISD) 2017

At the Internet Security Days (ISD) on 28 and 29 September 2017 in Brühl, the human factor will be one of four main topics open for discussion. The Call for Papers is open until mid-April; the organizers are looking for speakers. Applications can be sent to cfpisd@eco.de with the e-mail subject “CFP ISD 2017”. Further information is available at https://isd.eco.de.