, , ,

The importance of awareness in IT security

Introduction

Phrases such as “it was the stupid user's fault” or “end users are just too stupid” are very common when it comes to IT security. However, this idea is fundamentally wrong. If users don't know things, the fault lies with IT security management.

internet-3484137_640.jpg

Errors in IT security management

A large focus is often placed on technical security solutions. High costs are incurred in order to integrate technically complex software into the company. Then you feel safe, but wake up one morning to find that despite all the technology, you have been compromised.

What has happened?

Despite all the technical measures, the network was compromised. The trigger was a double-click on an ISO file that was sent as an attachment in an email. Windows integrated it and the malware was able to spread.

Old attack methods

The spread of emails containing malware is nothing new. More or less well forged emails arrive in companies from time to time.

New attack methods

In this particular example, an ISO file was included. This is only symbolic for the time being. The real danger lies in the fact that efficient ways of spreading malware are constantly being found. These dangers cannot be foreseen.

The human firewall

At this point, it has not been considered that a security concept must always be multi-layered in order to be effective:

Technology Process People
EDR, Security_Operations_CenterSOC Guidelines, management systems Awareness

In our case, no emphasis was placed on awareness or sensitisation, as users are “stupid”. This is a fatal misconception. “Stupid” and ignorant are fundamentally different things.

If IT security management does not provide training to compensate for this ignorance, the fault lies with IT security management. Well-trained employees are an effective protection for the company.

With targeted awareness training, we build a “human firewall” and thus an additional layer of security, which is extremely important.

However, awareness should also be situation-based. In the event of new threats, for example, rapid communication and education should take place in order to be able to react quickly to dangers.


Grafik by Gerd Altmann