This is an old revision of the document!
The importance of awareness in IT security
Introduction
Phrases such as “it was the stupid user's fault” or “end users are just too stupid” are very common when it comes to IT security. However, this idea is fundamentally wrong. If users don't know things, the fault lies with IT security management.
Errors in IT security management
A large focus is often placed on technical security solutions. High costs are incurred in order to integrate technically complex software into the company. Then you feel safe, but wake up one morning to find that, despite all the technology, you have been hacked.
What happened?
Despite all the technical measures, the network was compromised. This was triggered by double-clicking on an ISO file that was sent as an attachment in an email. Windows integrated it and the malware was able to spread.
Old attack methods
The spread of emails containing malware is nothing new. More or less well forged emails arrive in companies from time to time.
New attack methods
In this particular example, an ISO file was included. This is only symbolic for the time being. The real danger lies in the fact that efficient ways of spreading malware are constantly being found. These dangers cannot be foreseen.
The human firewall
At this point, it has not been considered that a security concept must always be multi-layered in order to be effective:
Technology | Process | People |
---|---|---|
EDR, SOC | Guidelines, management systems | Awareness |
In our case, no emphasis was placed on awareness or sensitisation, as users are “stupid”. This is a fatal misconception. “Stupid” and ignorant are fundamentally different things.
If IT security management does not provide training to compensate for this ignorance, the fault lies with IT security management. Well-trained employees are an effective protection for the company.
With targeted awareness training, we build a “human firewall” and thus an additional layer of security, which is extremely important.
However, awareness should also be situation-based. In the event of new threats, for example, rapid communication and education should take place in order to be able to react quickly to dangers.