Customer Success Story

The Background

IT security technology does a lot, but not everything. To counter the increasing threat of phishing attacks, a strong human firewall is needed. 

IT security managers at SBK Siemens-Betriebskrankenkasse are well aware of this. With over one million insured, SBK is the largest company health insurance fund in Germany and is one of the ten largest health insurance funds open nationwide. 

A high level of IT security awareness is a must, especially for SBK employees, as they handle highly sensitive health data on a daily basis. Any unauthorized access can lead to a loss of trust among the insured. In addition, there are strict legal requirements that oblige a social insurance provider like the SBK to take special technical and organizational data protection measures, first and foremost the EU Data Protection Regulation.   

 

The Challenge

Alarmed by increasing reports of successful phishing and spear phishing attacks, the SBK sought ways to raise the IT security awareness of its employees. The 2021 status report from the German Federal Office for Information Security (BSI), for example, issued an urgent warning to companies about social engineering – and identified an inadequately trained or inattentive workforce as a key problem for the German economy. 

„With this, at the latest, it was clear to us that we had to act immediately,“ recalls René Bürger, information security officer at SBK. „Especially since the attacks are increasingly being attributed to highly professional fraud gangs that trick their victims with ever more sophisticated phishing emails.“  

 

With IT-Seal, SBK opted for a provider of security awareness training, which combines content, methods and tools into a convincing overall package. From the beginning, the board of directors, executives, the main staff council and the IT service provider BITMARCK were intensively involved in the awareness campaign. All of SBK‘s approximately 1,800 employees participate in the training sessions.    

The Solution

Intensive preparation phase

In phase 1, employees were initially prepared for the topic via the intranet with relevant BSI information, freely accessible training videos and triggered alerts in the event of suspected phishing. The first training sessions were announced four weeks before the start. 

For this purpose, each participant received personal access to the Security Hub, IT-Seal‘s learning platform. René Bürger considers the professional project support provided by IT-Seal to be particularly effective: „At the end, every employee was comprehensively informed about the upcoming training sessions.“

Spear phishing simulations sharpen the view

IT-Seal‘s security awareness trainings combine entertaining e-learnings as well as online and face-to-face seminars with practical spear phishing simulations. IT-Seal uses real company and employee data to simulate authentic attacks.

If a user falls for it, he or she is taken directly to an interactive explanation page with tips on suspicious features, such as spurious letters in the address line, fake subdomains or dubious links. 

At certain intervals, the phishing simulations are repeated and adapted to current phishing methods. „Through this continuous ‚bombardment‘, our employees are trained particularly effectively in attack detection,“ emphasizes René Bürger. „This is reflected in the great learning progress within a short period of time.“

Successful Campaign

Employee Security Index (ESI®) measures security awareness

These developments can be objectively measured with IT-Seal‘s patented Employee Security Index (ESI®). It provides a key figure for determining the security awareness of employees and is based on how they react to phishing simulations of varying degrees of difficulty. Anonymized and broken down to individual departments and teams, the ESI® can be viewed at any time via a management dashboard. 

SBK‘s security managers thus receive timely transparency on the course and progress of training. They can identify where deficits arise and where follow-up action is needed. Employees can also view their current ESI® via the Security Hub.

Reporter button reports dubious mails

The SBK was able to erect another protective wall against phishing attacks with the Reporter Button from IT-Seal. Directly integrated into Microsoft Outlook, this button enables the reporting of dubious e-mails. Users can thus forward an e-mail that is not an IT-Seal test mail, and that they classify as a threat, directly to the „Information Security“ mailbox via the button. There, it is then immediately processed by the information security officer and his team.

They in turn involve the IT service provider BITMARCK in the analyses, which immediately blocks the senders of e-mails identified as forged. Based on all messages reported via the button, René Bürger can get a very good and almost daily updated overview of the threat situation, and sources of danger are reduced.

With the change to a current Outlook version, the SBK can also use the button‘s check question function. Then, at the touch of a button, employees receive useful information on whether a mail could be forged.

„Through the continuous ‚bombardment‘ with re-enacted spear phishing emails, our employees are trained particularly effectively in attack detection. This is reflected in the great learning progress within a short period of time.“

René Bürger – Information security officer – Siemens-Betriebskrankenkasse

Conclusion

A noticeable increase in security awareness among employees, transparency about acute phishing risks and excellent feedback from the staff and the IT service provider: 

With IT-Seal‘s security awareness training, SBK has set an important course in the direction of cybersecurity. 

To ensure that this effect is sustained, the training courses are to be continued indefinitely. „This not only allows us to integrate the new employees into IT-Seal‘s training offerings,“ explains René Bürger. „The existing workforce will also benefit extraordinarily from the regular refreshers.“

Additional Information

Security-Awareness-Trainings from IT-Seal:
Benefits at a glance

Employee Security Index (ESI®) makes Security Awareness measurable

Spear phishing simulations optimize attack detection

Entertainingly designed e-learnings, online and face-to-face seminars

Reporter button for identifying and reporting dubious e-mails

Transparency about current phishing risks

Security Hub offers employees individual learning platform

Campaigns always up to date on newest attacker schemes

Full-service offer relieves internal resources

About
SBK - Siemens Betriebskrankenkasse


SBK Siemens-Betriebskrankenkasse is the largest company health insurance fund in Germany and is among the 20 largest statutory health insurance funds.

As an open health insurance fund operating nationwide, it insures more than one million people and serves over 100,000 corporate customers in Germany, with more than 1,800 employees in 86 branch offices.

www.sbk.org

Begin your Customer Success Story today!

Test your Security Awareness and get to know the following modules of the IT-Seal Awareness Academy without obligation:

Step 1: Sign up with your business email address.

Step 2: You will receive a confirmation e-mail confirming your registration.

Step 3: After confirming your registration, you will immediately receive your test access.

At the same time, the phishing simulation starts and you will receive a total of 4 simulated phishing emails within two weeks.

At the end, you will receive your personal evaluation: Which phishing emails did you recognize, and which ones did you fall for?

IT-Seal offers IT security made in Germany.