It’s fair to say that without digitalisation no business will be successful in future. But digitalisation also means more gateways for cybercriminals and data thieves. So are company managers exposing their organisation to an incalculable risk through digitalisation? Not necessarily. Awareness programmes can turn employees—and managers—into defenders of sensitive data inventories. But how do you get awareness right?
Discussing the relevance of digitalisation is a waste of time, because digitalisation is an absolute given. It is equally evident that digital systems will always have vulnerabilities, and that progressive digitalisation will keep widening the attack surface.
Up to now, IT and company managers have generally tackled possible vulnerabilities in one way: by repeatedly buying in new protection technologies. Which is fair enough—even in future, we won’t get by without firewalls, virus scanners, intrusion detection systems, encryption etc. But one crucial factor is missing from this list: the human factor. Where the individual is enabled to handle IT systems competently, he or she changes from being a simple user into a guardian of critical company data.
In this context, “competence” doesn’t mean training in how to use Microsoft PowerPoint, SAP ERP, Salesforce Sales Cloud etc. Rather, it means training that teaches how cybercriminals go about their business these days: why social engineering is so important to them, or what a smartly designed phishing e-mail looks like. One thing you can say for certain is that professional phishing messages have as much in common with the laughably error-strewn e-mails from Nigeria as a learner driver has with a Formula 1 driver.
Today, there is already a wealth of providers offering webinars that teach the background to phishing and malware. This training is important. But it is not a miracle cure, as Sascha Maier, Chief Information Security Officer (CISO) at the Swiss watch manufacturer IWC, knows: “We have also integrated attendance courses into our awareness programme. It’s a more elaborate arrangement, but it pays off because the knowledge is put across more effectively,” says Maier. What’s more, IWC is pitching this training at employees not only as employees, but also as private individuals. “We also offer information on popular cyber-themes such as cryptocurrencies, the dark web or cyber-bullying. After all, employees with all-round competence will also be more careful when handling IT systems in their professional life,” says the IWC CISO.
The standard repertoire of many awareness measures includes anti-phishing exercises, in which phishing messages are created and sent to employees for training purposes. As studies have shown, such training often has only a short-term effect. But with just a little more effort, the impact of these training units can be increased enormously. That happens when it is explained to the employee, immediately after the disastrous click on the phishing link, why that action can be dangerous. This sobering explanation should be given by the HR Department, the in-house Call Centre or the IT Department, and supported by a suitable script. Conversely, attributing blame or invoking possible consequences under the contract of employment does not achieve the objectives being sought.
Doubtless, such training measures cost money. For that reason, the company management absolutely needs to be involved in designing the measures—so they can also decide how the measures are to be funded. Could it be worth postponing the budgeted new firewall purchase, and using the money saved to create a “human firewall” for the company instead?