If employees don’t understand the risks, they act on a false assessment. This doesn’t automatically mean insecure behaviour, but it can lead to actions such as clicking malicious links or downloading harmful software.
If employees underestimate the risks, they may recognise the dangers but assume the consequences aren’t severe, for example believing that the malware won’t cause any damage. If employees fear making mistakes, they’re more likely to avoid acting or to fail to report unclear, complicated, or threatening situations. Quick, targeted responses to a threatening or ongoing hacker attack then become impossible.
Unprepared and poorly trained employees can indeed be the greatest risk to information security. However, turning this risk into a strong line of defence is relatively straightforward. Investments in security awareness campaigns and suitable training are minor compared to technical measures and typically pay off quickly. It’s essential to keep employee attention and competence at a high level over the long term: consistent communication "from the top" and a positive approach to mistakes are crucial!
Therefore, you should establish a positive attitude towards mistakes in your company, promote the importance of the risks, and educate about them. Regular practice, such as simulated phishing campaigns, helps verify whether your employees form a "Human Firewall" for your business.
The Two Top Tips
- Cross-company processes to document possible attack routes and assess the risk
- Threat modeling for your own products/services (from the perspective of "others")
Additional Resources
Alliance for Cybersecurity: 3 Tips for Boosting IT Security Awareness
BSI: IT Security Guidelines for the Workplace
Germany Safe Online: Employee Guide
IHKs: IT Security Usage Policy (PDF, 185 KB)
Alliance for Cybersecurity: Social Engineering Poster (only available in German)
Contact
Dr. Katrin Sobania
Director, Department for Information and Communication Technology | E-Government | Postal Services | IT Security