Phrases such as “it was the stupid user's fault” or “end users are just too stupid” are very common when it comes to IT security. However, this idea is fundamentally wrong. If users don't know things, the fault lies with IT security management.
A large focus is often placed on technical security solutions. High costs are incurred in order to integrate technically complex software into the company. Then you feel safe, but wake up one morning to find that despite all the technology, you have been compromised.
Despite all the technical measures, the network was compromised. The trigger was a double-click on an ISO file that was sent as an attachment in an email. Windows integrated it and the malware was able to spread.
The spread of emails containing malware is nothing new. More or less well forged emails arrive in companies from time to time.
In this particular example, an ISO file was included. This is only symbolic for the time being. The real danger lies in the fact that efficient ways of spreading malware are constantly being found. These dangers cannot be foreseen.
At this point, it has not been considered that a security concept must always be multi-layered in order to be effective:
Technology | Process | People |
---|---|---|
EDR, Security_Operations_CenterSOC | Guidelines, management systems | Awareness |
In our case, no emphasis was placed on awareness or sensitisation, as users are “stupid”. This is a fatal misconception. “Stupid” and ignorant are fundamentally different things.
If IT security management does not provide training to compensate for this ignorance, the fault lies with IT security management. Well-trained employees are an effective protection for the company.
With targeted awareness training, we build a “human firewall” and thus an additional layer of security, which is extremely important.
However, awareness should also be situation-based. In the event of new threats, for example, rapid communication and education should take place in order to be able to react quickly to dangers.