People are creatures of habit and reluctant to change their behavior. In today's fast-paced environment, where cyber criminals are constantly developing new ways to attack businesses and public institutions, this becomes a serious problem. Employees who have not been sensitized to these risks can trigger security incidents through their own misconduct and jeopardize the security of their company, or even of the public.
The answer is to establish an actively practiced security culture in the company. The goal of such a security culture is to improve an organization's information security by fundamentally changing the behavior of its members. But how can this be achieved?
Problems with implementing a security culture, and a solution
In a conventional awareness campaign, the IT security manager first looks for providers of awareness training such as phishing simulations, e-learning and classroom training. The manager then has to track the progress and further training needs of the employees on their own. After a certain period the campaign ends, and the employees and the IT security manager are left to their own devices again. This approach is not only tedious and time-consuming on the customer side, it is also often ineffective for building a security culture.
In response to this problem, IT-Seal has developed the Awareness Academy, a simple and reliable workflow for establishing a sustainable security culture. Unlike a traditional awareness campaign, IT-Seal as a full-service provider takes care of reaching the desired target security level with different training methods, while the IT security officer is relieved of the day-to-day work. With the Awareness Academy, the customer receives a multi-channel strategy aligned with the triad of mindset, skillset and toolset.
The mindset is about creating an understanding of the threat situation among employees so that they take responsibility themselves. Through consistent communication at all levels, the key stakeholders are brought on board first, central managers are trained to act as role models, and the security culture is defined as a corporate goal.
The skillset is about sustainably reinforcing what has been learned: the skills and knowledge needed for secure behavior are trained with employees in settings as close to everyday practice as possible, so that what is learned is internalized.
The toolset consists of technical and organizational measures that make it easier for employees to put the know-how acquired in the awareness training into practice.
A reliable workflow for establishing a sustainable security culture
The Awareness Academy starts from a target security level defined by the customer, which is to be achieved and then maintained in the long term. For this purpose, IT-Seal has developed the Employee Security Index, ESI® for short, as a standardized, scientifically based security awareness indicator. The awareness campaign is focused on reaching the target ESI®, and employee training is group-specific, needs-based and indicator-driven. The IT security manager can use the ESI® at any time to call up the current security level of each employee group and its development over time, and thus check the effectiveness of the awareness measures.
Once the target ESI® has been defined, IT-Seal's Awareness Engine comes into play. It is the heart of the Awareness Academy and enables training on autopilot. The Awareness Engine regularly reviews the training needs of each employee group and ensures that every group receives as much training as necessary, but as little as possible. Awareness training for a group that has already reached the target ESI® is paused, whereas a group with a training need receives further measures. The Awareness Engine thus relieves the IT security officer of this work while ensuring that all employees are trained continuously and sufficiently.
The awareness training includes a variety of measures such as e-learning, short videos, training courses, awareness materials and spear phishing simulations. For the simulations, IT-Seal's patented Spear Phishing Engine is used. The engine first collects publicly available information about employees, so-called open source intelligence (OSINT). On the one hand, this information feeds an OSINT-based attack potential analysis that shows how exposed a company is through information publicly available on social media. Most importantly, the Spear Phishing Engine can generate authentic, OSINT-based spear phishing emails. This reproduces realistic attack scenarios and effectively prepares employees for real attacks.
The Spear Phishing Engine trains the employee groups according to their needs: the level of difficulty is increased gradually, which avoids the frustration of being over- or under-challenged. Another effective element is education at the "most teachable moment". When an employee clicks on a simulated phishing email from IT-Seal, they are taken to an explanation page that interactively shows them how they could have recognized the phishing email. If an employee identifies a phishing email, they can use the Reporter Button to report the phishing attack.
Enlightened employees with the Awareness Academy
An actively practiced security culture means enlightened employees who are aware of their responsibility for their company's security and assume it of their own accord. By considering and implementing the aspects of mindset, skillset and toolset, the IT security manager can create understanding among all employees and stakeholders, introduce effective and continuous awareness training, and establish tools that make it easier to put what has been learned into practice.