Employee Awareness and Incident Response – Pent-up demand for companies

One of the topics covered in Bosch’s CyberCompare Benchmark Report 01/22 is where small and medium-sized companies (SMEs) need to take action most. These findings are based on a diagnostic we conducted with more than 100 SMEs in the DACH region. Insufficient employee awareness was in the top spot, while second place went to lack of preparation for serious incidents, especially in terms of incident response – meaning the ability, speed, and expertise to act in case of attacks. To shed more light on each of these issues, we spoke with two experienced colleagues: Niklas Hellemann of SoSafe and Fred Tavas of Trustwave

Dr. Niklas Hellemann & Fred Tavas

Dr. Niklas Hellemann is a certified psychologist, expert in social engineering, and co-founder and CEO of SoSafe – a cybersecurity awareness provider. In addition to his background working in business administration and as a management consultant at Boston Consulting Group, he studied psychology, which led to his interest in a human-focused approach within the tech-savvy cybersecurity market. Using behavioral psychology and data analysis as a basis, SoSafe helps companies develop a sustainable security culture – and enables their employees to navigate safely in the digital world.

Fred Tavas is Director Sales Europe at Trustwave – a leading provider of cybersecurity and managed security services that helps organizations fight cybercrime, protect data, and mitigate security risks. His cybersecurity expertise is broad: from hybrid SOC/SIEM to MDR and threat hunting to penetration testing and RedTeaming. As such, he has a strong understanding of cyber and cloud security technologies as well as competitive offerings.

Dr. Niklas Hellemann, Co-Founder and CEO of SoSafe
Fred Tavas, Director Sales Europe at Trustwave

First of all: you talk to clients every day – does your impression of the situation match our findings? Or are they concerned about completely different topics?

Niklas Hellemann, SoSafe: A survey we recently conducted with more than 250 individuals in Europe responsible for IT security shows a similar picture: more than 90 percent of these experts say that awareness in their organizations is very important. However, 40 percent further stated that awareness among employees was still low. And nearly all of those surveyed – 99 percent – said that strengthening their organizations’ own security culture will be a key topic in the coming year. Our client organizations are already a step ahead in this context: they have made the decision to strengthen their security culture and work with us to establish it continuously and sustainably.

What does it really mean to strengthen or develop cybersecurity awareness in a company?

Hellemann: Cybersecurity awareness needs to be something more than just a requirement to check off in the compliance list. Instead, it should be seen as developing a sustainable culture of security within the company and continuously reinforcing it. This requires a re-think: instead of viewing their employees as the “weakest link” in the information security chain, companies should see an opportunity to create an additional strong security barrier, the “human firewall.” Working within a sustainable security culture enables employees to function safely in a digital environment, which actively protects the company. Here, it’s essential that employees can easily integrate cybersecurity into their day-to-day work and that content is communicated in a way that makes it simple to learn and remember. That’s where the principles of behavioral and learning psychology can help. Content should always be oriented to the target audience: material and information must be communicated as simply and intuitively as possible, so that those learning will always have it in mind.

Why do you think that lots of companies have catching up to do when it comes to cybersecurity awareness?

Hellemann: The human factor in cybersecurity has generally been forgotten or even consciously “left out.” Instead, the focus has been almost exclusively on technical barriers. Even today, not everyone has realized that people need to be an active part of the cyber defense effort. But the numbers show that 20 to 30 percent of phishing mails make it past technical filters and barriers. In addition, cyber crime is becoming increasingly more professional. Organizations find themselves facing a dark economy in which cyber-crime-as-a-service is the standard business model. New tactics are created by the minute. The human-machine interface remains the number one access point – more than 85 percent of all attacks start with the human factor. That’s not surprising: even when using the most varied tools, people behind the screens can always fall victim to an attack in the same way – through emotional manipulation. Cyber criminals use behavioral psychology to instrumentalize our human psyche. These complex, constantly changing developments can’t be detected through sporadic compliance training on information security. It takes continuous education and a high level of overall awareness. Organizations need the same kind of professional, dynamic approach on the defense side as the attackers have – and this is not yet a priority at many companies.

Earlier we discussed how employees are often described as the supposed “weak link” in the defense chain. Is a pure phishing KPI really a good way to measure awareness within a company?

Hellemann: As I said, we would like to change exactly this view of employees. Rather than the weakest link, they can become a strong part of the company’s cyber defense. But it’s true that awareness in a company should not just be measured by looking at click and interaction rates with simulated phishing mails. Another, more critical indicator is the reporting rate: it shows when employees ultimately go one step further than just not falling for a phishing mail. Beyond simply not clicking on or interacting with such mails, they report the threat to the company’s IT team – a proactive contribution to improving the company’s cybersecurity efforts.

What’s your thought on the idea that it makes more sense to invest in technology, such as mail security, to filter out phishing mails even more thoroughly – or increase use of the cloud or concepts such as thin clients – than to continually invest in training that still leaves a high residual risk?

Hellemann: This isn’t an either/or discussion. Cybersecurity evolution and innovation has always been much more about adding new “layers” of protection. For holistic, sustainable protection against cyber attacks, organizations need both a strong technical defense and a high level of awareness. There’s no technology-based setup that cyber criminals can’t get around – there are too many points of attack and, as previously mentioned, professionalized criminals are constantly developing new ones. Spear Phishing, Voice Phishing and CEO Fraud are just some of the areas to take a closer look at for this. Therefore, we believe that investments should always be made in both defense mechanisms: technology and people.

Employees in areas like service or production don’t sit in front of a computer all day, so they’re not an ideal target audience for web trainings. What can be offered to these important groups?

Hellemann: Our content focuses primarily on employees who typically work in offices with an Internet connection, as they are most likely to be the targets of cyber attacks.  However, since our content can be extensively tailored, we can reach all employees. In particular, we get positive feedback from manufacturing companies and hospitals on our micro-modules and phishing simulations, which can also be used in mobile situations. In the end, all employees should be integrated into the awareness training in order to instill a sustainable security culture.

A last question for you: do you see new trends in learning and awareness that companies should know about?

Hellemann: In terms of content that should be communicated and explained to employees, the rule is that you never really stop learning. Remember, due to constant professionalization, attack strategies are created all the time. We saw this especially at the beginning of the pandemic or start of the war in Ukraine: emerging information was instrumentalized for new cyber attacks. So content needs to be adapted and disseminated continuously. In addition, information should always be conveyed in a way that focuses on learners. Gamification is an example of a trend that pays off: the learner activation rate, for instance, is 53 percent higher when e-learning gamification is used – or, in our case, “deep gamification.” This approach involves more than just “casual games” unrelated to the content. It’s comprehensive gamification of the entire learning experience, including game-based communication.  

Mr. Tavas, let’s talk about incident response: incident response retainers are probably hot sellers and it seems very unlikely that IR analysts have time to be bored. As a client, what guarantees do I have if I purchased SLAs but my provider’s incident response capacity is fully booked out? 

Fred Tavas, Trustwave: Professional global DFIR (digital forensics and incident response) providers make sure they have enough responders on staff to respond according to their SLAs in more than 99 percent of cases. Of course, the responder may sometimes be located in a different region than the client. This approach enables us to guarantee that a responder will be available immediately in urgent cases – usually within 15-30 minutes after the client contacts us.

In your view, how important is on-site support? How much can be handled remotely today? 

Tavas: With the technology available today, technicians have nearly the same possibilities remotely as they do on site. And they can certainly respond and act very quickly. If the diagnostics show that work on site is necessary, it can be arranged.

Many cyber insurance policies come with an emergency number and access to an IR team. What are the arguments for having a team on a separate retainer?

Tavas: Calling one of these emergency numbers is like calling your car insurer’s roadside assistance number: only after the first breakdown you will find out whether the service is enough – or it would have been better to have the dedicated support of a specialist. Since you can’t directly interact with the provider beforehand, you may be in for a surprise. The difference can be especially apparent if your DFIR partner supports you beyond the response itself with advice on technical and organizational measures you can take before an incident happens.

IT at a medium-sized company is always very complex due to the range of systems used, different network topologies and different locations, non-standardized processes, and more. How do you address this complexity during onboarding? What steps do you take to ensure that IR analysts can actually be effective quickly when they are needed? 

Tavas: It’s important that the client be well prepared and have up-to-date documentation available. Each case is different, so responders always start with the information they have – another reason why it’s important to talk to the provider IN ADVANCE.

Our favorite question to both of you: imagine that you‘re starting your job as CISO tomorrow. What would be the first topic you address (beyond awareness and IR ;-))?

Tavas: 80 percent of all attacks target end points, so a good approach to managed detection and response (MDR) is important. The number one attack vector is email. To counter this threat effectively, email security should be combined with a modern SOAR solution that enables automated countermeasures.

Hellemann: In addition to a high level of awareness, each company should establish a security operations center with a very strong setup. That’s what I would push for first – and ensure that it happens.

Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.