How do IT managers implement comprehensive IT protection in their companies? How to protect companies from cyber attacks.

How companies protect themselves against cyber attacks

More than half of all IT damage is caused by employees. No matter how sophisticated the IT security system may be, if people don’t play along, the technology remains ineffective. But how do IT managers implement comprehensive IT protection in their companies?

Every day, more than 400,000 new malware programmes come into circulation, meaning that effective protection against viruses and Trojans is only possible with the help of employees. To ensure that IT security is effective in all areas of the company, all security aspects must be taken into account in addition to the IT infrastructure, including document handling, access regulations and data protection. It is not enough for software to be updated automatically; users must also behave responsibly online.

Make security awareness a top priority
Network failures caused by virus attacks incur enormous costs because restoring systems and data takes time, during which employees cannot work. Added to this is damage to the company’s image; IT problems rarely remain hidden from customers. However, the IT department cannot guarantee IT security on its own, nor is it solely responsible for this issue. Without the cooperation of the workforce, it is not possible to effectively prevent viruses and Trojans from infiltrating the company network. Therefore, responsibility for a secure network cannot be delegated to the company’s IT experts or data protection officers. Ultimately, it is people who make technology secure. Employees must not only be aware of guidelines, but also understand why they are important. This means that the right signals must be sent ‘from above’: employees must realise that IT security is a high priority at board level and that they are supported in their efforts to ensure IT security in the workplace.

Success through repetition
Effective awareness-raising is not a question of cost or effort, but the result of an appropriate strategy. Security awareness training should start with a phishing simulation, followed by training modules on current threats such as workplace security, social engineering or password protection. Such interactive phishing simulations make the risks of cybercrime tangible. They can contain emails familiar from everyday life, such as those from parcel delivery companies (‘Your parcel has arrived!’), but also emails supposedly sent on behalf of the management to the workforce, stating that payslips are now available online and asking employees to click on the link to check that the information is correct. Afterwards, the board receives an evaluation of how many employees clicked on the link. The surprise effect: even IT managers find themselves clicking on a fake email in the hustle and bustle of everyday life and realise how good these fakes are nowadays. Reports clearly show how the IT security status of employees improves over the course of the training.

Think holistically
Raising employee awareness of how to use digital media should be firmly anchored in the company. Depending on the size of the company and its IT infrastructure, it is recommended that between 10 and 20 per cent of the total IT budget be spent on IT security. This is usually only possible if the board of directors decides on it and supports it. However, a small budget is no obstacle to regular awareness training. Materials that raise awareness in the workplace, such as posters, webcam covers, mouse pads or mugs, but also information via the intranet or newsletters, are inexpensive and quick to implement.

A holistic IT security concept includes:
Virus protection concept
Emergency plans
User guidelines (passwords, internet, etc.)
Backup concept
Authorisation concepts
Definition of responsibilities
Security awareness training

What to look for when choosing an external service provider?
What experience and references does the provider have in this area? What awareness projects can they point to? A key factor when looking for an external service provider is the cost-benefit ratio. The aim of working with a managed service provider (MSP) is to make both the IT landscape and your own work more efficient. At the end of the day, it is of course important that the IT staff or the responsible system house can build a healthy relationship of trust with the provider. How are processes documented at the MSP? Are there certifications such as ISO 27001? The goal should be fair, uncomplicated cooperation on an equal footing.

Holistic IT security in 3 steps
1. Identify areas of concern
In which areas is action needed? Typically in general IT security topics such as password security, handling confidential documents, secure administration and virus protection, as well as the processing of personal data and mobile security in the field and in the home office. To ensure the success of the measures, individuals and groups whose opinions matter to the company should be involved as early as the planning phase. This includes the data protection officer and the communications or press department. Involving them early prevents people from feeling overlooked.

2. Define communication channels
Why reinvent the wheel? The company probably already has established communication channels such as the intranet or an email newsletter. Using these increases acceptance among employees and makes the IT security officer’s job easier.

3. Implement IT security measures
Security rules are not particularly popular. Visual presentations reinforce the learning effect here. Online training courses with tests, interactive phishing simulations and posters in the workplace are more memorable for employees than a simple circular. A playful, unconventional approach to knowledge transfer promises greater success than strict, rule-oriented measures.

Your partner for comprehensive IT security. We take care of all aspects of IT security for our system house partners and companies. From UTM firewalls and cyber security awareness training to IT security consulting.