IT security technology does a lot, but not everything. To counter the increasing threat of phishing attacks, a strong human firewall is needed.
IT security managers at SBK Siemens-Betriebskrankenkasse are well aware of this. With over one million insured, SBK is the largest company health insurance fund in Germany and is one of the ten largest health insurance funds open nationwide.
A high level of IT security awareness is a must for SBK employees in particular, as they handle highly sensitive health data every day. Any unauthorized access can cost the fund the trust of its insured. In addition, strict legal requirements oblige a social insurance provider such as SBK to take special technical and organizational data protection measures, first and foremost the EU General Data Protection Regulation (GDPR).
Alarmed by increasing reports of successful phishing and spear phishing attacks, the SBK sought ways to raise the IT security awareness of its employees. The 2021 status report from the German Federal Office for Information Security (BSI), for example, issued an urgent warning to companies about social engineering – and identified an inadequately trained or inattentive workforce as a key problem for the German economy.
"At that point, at the latest, it was clear to us that we had to act immediately," recalls René Bürger, information security officer at SBK. "Especially since the attacks are increasingly being attributed to highly professional fraud gangs that trick their victims with ever more sophisticated phishing emails."
In phase 1, employees were first prepared for the topic via the intranet with relevant BSI information, freely accessible training videos and alerts triggered whenever phishing was suspected. The first training sessions were announced four weeks before they started.
Each participant then received personal access to the Security Hub, IT-Seal's learning platform. René Bürger considers the professional project support provided by IT-Seal to be particularly effective: "In the end, every employee was comprehensively informed about the upcoming training sessions."
IT-Seal's security awareness trainings combine entertaining e-learnings and online and face-to-face seminars with practical spear phishing simulations. IT-Seal uses real company and employee data to make the simulated attacks authentic.
If a user falls for one, he or she is taken directly to an interactive explanation page with tips on the suspicious features of the mail, such as extra or swapped letters in the sender address, fake subdomains, or links whose target does not match their visible text.
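The three indicators named above (typosquatted sender domains, a trusted name buried as a subdomain of an unrelated domain, and links whose visible text disagrees with their target) can be checked mechanically. The following is an added example and not code from IT-Seal or SBK; the domain `insurer.example`, the sample addresses and the sample link are all constructed for illustration, and the registrable-domain logic is deliberately simplified (it takes the last two labels and ignores multi-label public suffixes such as `co.uk`).

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed example: the organisation's own mail/web domains (hypothetical name).
TRUSTED_DOMAINS = {"insurer.example"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk; production code should use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address: str) -> list[str]:
    """Return a list of findings for a From: address; empty means nothing odd."""
    findings = []
    local, _, host = address.rpartition("@")
    if not local or not host:
        return ["malformed sender address"]
    # Non-ASCII letters in the domain: IDN homoglyphs such as Cyrillic 'а' for Latin 'a'.
    for ch in host:
        if ord(ch) > 127:
            findings.append(
                f"non-ASCII character {ch!r} ({unicodedata.name(ch, '?')}) in domain")
            break
    host_l = host.lower()
    reg = registrable_domain(host_l)
    if reg in TRUSTED_DOMAINS:
        return findings  # mail.insurer.example etc. are genuine subdomains
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a subdomain of an unrelated registrable domain.
        if ("." + trusted + ".") in ("." + host_l):
            findings.append(f"trusted name {trusted} appears as subdomain of {reg}")
        # Typosquat: registrable domain within a couple of edits of the real one.
        elif edit_distance(reg, trusted) <= 2:
            findings.append(f"domain {reg} is a near-match of {trusted}")
    return findings


def check_link(display_text: str, href: str) -> list[str]:
    """Compare the visible link text with the real target of the href."""
    findings = []
    parsed = urlparse(href)
    if parsed.scheme != "https":
        findings.append(f"link uses {parsed.scheme or 'no'} scheme")
    host = (parsed.hostname or "").lower()
    # If the visible text itself looks like a URL or domain, its domain must match.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"text shows {m.group(1)} but link goes to {host}")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append(f"link target {host} is not a trusted domain")
    return findings


if __name__ == "__main__":
    # Constructed samples, one per indicator discussed in the text.
    for sender in ["service@mail.insurer.example",
                   "service@insurer.example.attacker.example",
                   "service@insurrer.example",
                   "service@insurer.ex\u0430mple"]:
        print(sender, "->", check_sender(sender) or "ok")
    print(check_link("https://portal.insurer.example/login",
                     "http://insurer.example.attacker.example/login"))
```

The early return for genuine subdomains is what keeps the subdomain check from flagging the organisation's own `mail.insurer.example`; the fake-subdomain case only triggers when the registrable domain is someone else's.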
At regular intervals, the phishing simulations are repeated and adapted to current phishing methods. "Through this continuous 'bombardment', our employees are trained particularly effectively in attack detection," emphasizes René Bürger. "This is reflected in the great learning progress within a short period of time."
This progress can be measured objectively with IT-Seal's patented Employee Security Index (ESI®). It provides a key figure for the security awareness of employees and is based on how they react to phishing simulations of varying difficulty. Anonymized and broken down by department and team, the ESI® can be viewed at any time via a management dashboard.
SBK's security managers thus get timely transparency on the course and progress of the training. They can see where deficits remain, where action is needed and which topics should be revisited. Employees can also view their own current ESI® via the Security Hub.
SBK erected a further protective wall against phishing attacks with the Reporter Button from IT-Seal. Integrated directly into Microsoft Outlook, the button lets users report dubious e-mails. Suspicious mails that are not IT-Seal simulations are forwarded via the button straight to the "Information Security" mailbox, where they are processed immediately by the information security officer and his team.
They in turn involve the IT service provider BITMARK in the analysis, which promptly blocks the senders of e-mails identified as forged. From all the messages submitted via the button, René Bürger gets a good, almost daily updated overview of the threat situation, and sources of danger are steadily reduced.
With the move to a current Outlook version, SBK can also use the button's check-question function: at the touch of a button, employees receive useful information on whether a mail could be forged.
A noticeable increase in security awareness among employees, transparency about acute phishing risks and excellent feedback from the staff and the IT service provider:
With IT-Seal's security awareness training, SBK has set an important course towards cybersecurity.
To ensure that this effect lasts, the training courses are to be continued indefinitely. "This not only allows us to integrate new employees into IT-Seal's training offerings," explains René Bürger. "The existing workforce will also benefit extraordinarily from the regular refreshers."
Test your security awareness and get to know the following modules of the IT-Seal Awareness Academy without obligation:
Step 1: Sign up with your business email address.
Step 2: You will receive an e-mail asking you to confirm your registration.
Step 3: After confirming your registration, you will immediately receive your test access.
At the same time, the phishing simulation starts and you will receive a total of 4 simulated phishing emails within two weeks.
At the end, you will receive your personal evaluation: Which phishing emails did you recognize, and which ones did you fall for?