The number of phishing attacks rises continuously every year: Employees are particularly exposed to this security risk when working from home. How can they be made more aware of the issue of IT security, and how can they be encouraged to deal with it consciously? We talk to Marcus Beyer, Security Awareness Officer at Swisscom Switzerland AG. He is responsible for the sensitisation and training activities on security topics for more than 18,000 employees and is able to convey the topic through playful approaches.
Mr Beyer, why is the topic of awareness for IT and Information Security becoming increasingly important?
Mr Beyer: Employees are the number one target because most IT attacks come in via email. We have to solve this problem in the company and train our colleagues well and make them aware of possible attacks such as phishing. I always say: It is better to report once too often than once too little. In addition to phishing training simulations and other measures, we provide at least one online training course for our employees every year. In this year’s e-learning course, we focused on shadow IT and cloud service use – these subjects are particularly topical in the home office and in agile settings in the company. Employees use many different tools for their daily work, but they are often not aware of the risks this can bring.
This year, we addressed exactly this issue and created an interactive and – hopefully – entertaining training on the topic. The feedback, at least, speaks for itself: The e-learning unit was very well received.
How can new approaches such as gamification and nudging increase security awareness in the company?
Mr Beyer: Gamification transports elements of the classic game into practical tasks and daily work. I have been working closely on this with my former colleague Katja Dörlemann. Together, we inform and discuss this topic with guests in our “Security Awareness Insider” podcast. We are trying to emotionalise the topic of IT and Information Security through gamification, among other things. We can reach most people much more easily with good stories – and also generate concern or interest here and there. We have also set out to raise awareness of risks in this way.
Nudging is all about giving employees little nudges: IT and Information Security put into a tangible context, to make it more exciting. Through small tips and hints, the topic is broken down for practical application in everyday life. For instance, if someone reports a phishing email to us internally, we will send back a congratulation email with praise in response, conveying appreciation. Sounds banal, but it is an important element. And there are certainly many more examples of this that we can contribute from our everyday practice. There will also be a presentation on this topic at the Internet Security Days on 17 September, as well as other practical tips for game-changing approaches.
You started a Cyber Security Challenge with your employees. How exactly has this been going and what are the results showing us?
Mr Beyer: We did a scavenger hunt on IT and Information Security. Our pilot group of 280 people solved various tasks via mobile phone in their home office: Multiple choice questions and a quiz encouraged them to take various actions. More than 75 per cent of my colleagues rated the gamified approach as very positive. I am now convinced that they took away more from the day and the team challenge than from simple e-learning. This kind of approach is really to be recommended, because here the employees also take a lot with them in terms of content.
Thank you very much for the interview!