Effective information security: Why people are the most complex factor and how security awareness can help


Our consultant Philipp Panagiotou has been working at in-factory GmbH for 4 years and has since been placed with one of our major customers in the financial sector.


In today's digital world, IT security is a decisive factor for companies, especially in the financial sector. As a long-standing partner of well-known companies in this area, we have dealt intensively with this topic. In particular, security awareness, i.e. the awareness and behavior of employees with regard to IT security, plays a major role. In the following interview, our consultant Philipp Panagiotou shares his knowledge and provides valuable insights into the challenges and measures of effective information security.

IT security in the financial sector: Our consultant provides insights into the topic of security awareness

Hello Philipp, thank you for sharing your knowledge of IT security and security awareness with us in this interview. Can you give us an insight into how IT security can be improved in companies to prevent data leaks and hacker attacks? What role does investment in technology and employees play in this?

Philipp: The topic of IT security is currently omnipresent in the media. More and more companies are affected by hacker attacks, which can lead to data leaks and other security problems. On the one hand, many companies have not yet found the right strategy to adequately protect themselves against such attacks. Small and medium-sized enterprises (SMEs) in particular are often not yet sufficiently technically equipped to defend themselves against hacker attacks.

On the other hand, many companies are not aware that the human factor is an important and critical factor in IT security. Every chain is only as strong as its weakest link, and this also applies to IT security. If companies invest in technical security measures but ignore the human factor, this leads to a weakness in the overall system. Technical weaknesses can usually be rectified relatively easily, for example through regular updates or the use of new software. The human factor, on the other hand, is always present.

It is therefore important that companies become aware of how important the human factor is in IT security. Only if employees are sensitized to the topic and are aware of the role they play in IT security can companies effectively protect themselves against hacker attacks. For example, companies can invest in training and education for their employees to raise awareness of IT security and thus promote security awareness throughout the organization. At the same time, companies should also invest in technical security measures to protect themselves in the best possible way.

This is an important topic that we at in-factory GmbH also deal with, also in relation to our customer projects. How can we ensure that all employees in the company are aware of IT security?

Philipp: As a company that deals with data integration and data management, you have a great responsibility towards the customer because you are working with sensitive data. Even if there are regulations such as test data anonymization, it is important that all employees are aware of how critical this data is, especially in industries such as automotive or finance. There must be no vulnerabilities that could allow an attacker to gain access to the system via social engineering or similar methods.

The human factor plays a decisive role here. There are many factors that need to interact in order to create security-conscious or security-compliant behavior - i.e. security awareness - among each individual employee. This concerns not only knowledge of security risks and the handling of sensitive data, but also compliance with security guidelines and the responsibility of each individual for the security of the company. Companies can only guarantee a high level of IT security if every employee is aware of this responsibility and proactively contributes to it.

The three factors of effective information security: people, technology, company

What is the aim of security awareness? And what needs to be taken into account?

Philipp: The aim of security awareness is to sensitize employees to the topic of information security in order to minimize security incidents. A data breach poses a major threat to any company, as it both worsens its public image and significantly increases costs. Although security awareness is of great importance, there is still no precise definition as it involves many factors. However, there are already approaches to a better definition based on three factors: Cognition, intention to act and organization. Cognition refers to the fact that employees must have the necessary knowledge and awareness of which IT security measures exist. Intention to act means that employees have an interest in security-compliant behavior. The organization of the company itself also plays an important role by providing the framework for employees to behave in a security-compliant manner in the first place. This can be exemplified through training and a clear structure, for example.

Can you tell us about other measures that are currently being used in companies in your experience? And how can companies measure the success of security awareness measures and ensure that these measures are actually effective?

Philipp: In practice, there are various measures. Training on the risks of cyberattacks and the importance of information security is often held as part of onboarding, or employees are tested to see how they react to false phishing emails. USB dummies are also used, which are distributed in companies to check whether employees are using them. This can be checked through system logs or automated messaging. Another approach is to check the number of incidents related to IT security. Have employees become aware of suspected phishing or social engineering attacks? Password strength is also important - a well-known topic. The bring-your-own-device model can also make it easier to deploy malware. Employees therefore need to be well trained and sensitized to the topic of security awareness.

Phishing, malware, social engineering and ineffective security practices pose major risks in terms of IT security. These attacks often target people rather than the systems themselves. For this reason, security awareness is an extremely important and individual topic for every company. However, despite the importance of security awareness, there is currently no appropriate KPI system that goes beyond the mere number of employees who have clicked on a phishing email, for example. However, such a KPI system is of great importance, also with regard to ISO certifications, where companies have to prove a high security standard. Although key figures are required, there are no specific requirements for this. There is a lack of key figures to measure the success of security awareness measures. As a result, companies often save on these measures as they only see the costs. Action is often only taken when it is already too late and a data breach has already occurred.

Even if official key figures have not yet been defined, do you have any suggestions from your previous experience as to which framework could be used for measurement?

Framework for measuring security awareness (based on Kruger et al. 2006). Kruger, Hennie, Lynette Drevin and Tjaart Steyn (2006). "A Framework for Evaluating ICT Security Awareness". In: Proceedings of the ISSA 2006 From Insight to Foresight Conference, Johannesburg.

Philipp: Yes, I have an idea for a framework that can help to measure security awareness in the company. The first approach is to analyze the interests of the stakeholders and derive the areas that are of most interest to the company. This results in system data, such as the number of incidents, which can be used for measurement, as well as data on the human factor, i.e. the employees. Surveys, for example, can be carried out to find out their knowledge or behavior and to obtain and evaluate empirical data. System data and data from surveys can then be combined to derive the current security awareness level. This framework can be applied regularly to see whether measures are effective or need to be changed.
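The measurement framework described here, and the log-based checks mentioned earlier (phishing simulations, USB dummies), as an added worked example that is not part of the interview: the log format, the weights and the score bands are assumptions made for illustration, not values from Kruger et al. or from in-factory GmbH.

```python
import re
from collections import Counter

# Constructed sample input (not from the interview): phishing-simulation and
# USB-dummy events in an assumed log format, plus survey results on a 0..1 scale.
SYSTEM_LOG = """\
2024-03-01 phish sent user=a.meyer
2024-03-01 phish sent user=b.koch
2024-03-01 phish sent user=c.wolf
2024-03-01 phish sent user=d.roth
2024-03-01 phish clicked user=b.koch
2024-03-02 phish reported user=a.meyer
2024-03-02 phish reported user=c.wolf
2024-03-03 usb_dummy planted id=7
2024-03-03 usb_dummy planted id=8
2024-03-04 usb_dummy inserted id=8 host=WS-12
"""
SURVEY = {"survey_knowledge": 0.8, "survey_intention": 0.7}  # cognition, intention to act

# Assumed weights, the output of the stakeholder analysis the framework starts with.
WEIGHTS = {"phish_not_clicked": 0.25, "phish_reported": 0.25, "usb_not_inserted": 0.2,
           "survey_knowledge": 0.15, "survey_intention": 0.15}
BANDS = [(0.8, "good"), (0.6, "average"), (0.0, "poor")]  # assumed thresholds

LOG_RE = re.compile(r"^\S+ (?P<kind>\w+) (?P<event>\w+)")

def system_metrics(log: str) -> dict:
    """Turn raw event lines into 'desired behaviour' rates between 0 and 1."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[(m["kind"], m["event"])] += 1
    sent, planted = counts[("phish", "sent")], counts[("usb_dummy", "planted")]
    return {
        "phish_not_clicked": 1 - counts[("phish", "clicked")] / sent if sent else 1.0,
        "phish_reported": counts[("phish", "reported")] / sent if sent else 0.0,
        "usb_not_inserted": 1 - counts[("usb_dummy", "inserted")] / planted if planted else 1.0,
    }

def awareness_level(metrics: dict, survey: dict, weights: dict = WEIGHTS) -> tuple:
    """Combine system data and survey data into one weighted score plus a band."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    data = {**metrics, **survey}
    missing = set(weights) - set(data)
    if missing:  # a weighted area without data would silently distort the score
        raise ValueError(f"no data for {sorted(missing)}")
    score = sum(w * data[k] for k, w in weights.items())
    band = next(label for threshold, label in BANDS if score >= threshold)
    return round(score, 4), band

if __name__ == "__main__":
    print(awareness_level(system_metrics(SYSTEM_LOG), SURVEY))  # (0.6375, 'average')
```

Running it on each measurement period and comparing the returned score is the "apply regularly" step of the framework; the survey dictionary is where the cognition and intention-to-act results from the employee survey would be entered.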

People as the most difficult factor: How security awareness influences employee behavior

The human factor is an important part of IT security - how can companies ensure that employees (willingly) behave in a security-compliant manner?

Three factors of effective information security (based on Harich 2018, p. 501). Harich, W. Thomas (2018). IT security management. Practical knowledge for IT security managers. 2nd ed. Frechen: mitp Verlags GmbH & Co. KG.

Philipp: Effective information security is based on three factors: the human factor, technology and the company. The human factor is considered to be the most difficult, especially in terms of compliant behavior. Influencing human behavior is an important part of security awareness. Campaigns and measures are designed to encourage a company's employees to behave in a security-compliant manner. In order for them to behave in a security-compliant manner, they must have the knowledge, awareness and ability to do so. The company must therefore support employees so that they can behave in a security-compliant manner. The most difficult aspect, however, is how to motivate employees to behave in a security-compliant manner. This depends on various factors such as attitude, motivation and personal reality and is a very complex issue that also extends into social psychology.

Thank you very much for the interesting interview. Do you have any final words you would like to share with us?

Philipp: There is a lot more to consider than you might think at first glance when it comes to security awareness. Many companies are not aware of how important the human factor is. There are already many measures in place, such as false phishing emails, but there is still a lot of room for improvement and more should be invested in security awareness. The problem is that the success of such measures can often only be measured once a data breach has already occurred. Politicians are already trying to raise awareness of this issue with the GDPR and ISO certifications. However, as there is still no standardized system of key figures, this shows how complex the topic is and that it does not yet have the relevance it should have. As IT experts, we are aware of the relevance of security awareness. The topic affects every individual and companies in particular should take it seriously in order to save time, money and effort by preventing data breaches at an early stage. The security of information and data can be ensured through comprehensive training and awareness-raising for employees as well as the implementation of clear guidelines and procedures. Both the technical, organizational and human aspects must be considered when it comes to information security.
