IT security: the human factor
“Although they know what they do”: In this interview, Dr. Timo Neumann, IT security expert at the German Federal Office of Printed Matter, addresses the human insecurity factor – and what you can do about it.
In recent years, companies have increasingly become victims of hacker attacks; the WannaCry ransomware is just one well-known example of many. Gaps in a company's IT security are often caused by its own employees, through misconduct that is usually unintentional. Dr. Timo Neumann, IT security expert at the German Federal Office of Printed Matter, explains in this interview how this happens and why computer scientists should work more closely with psychologists.
Dr. Neumann, what role does human behaviour play in protecting IT infrastructures from abuse?
From the study “IT security in the context of digitisation”*, which we conducted together with the industry association BITKOM, we know that 100 percent of the companies surveyed use important technical tools such as firewalls, virus scanners and so on. At the same time, however, around 50 percent of all companies see potential for improvement in their organisation. In other words: in the behaviour of their own employees. Because, from the perspective of IT security, each employee initially represents a weak point in the system. And it is this human vulnerability that is exploited most frequently.
Do employees lack awareness of IT security?
Yes and no. For example, we know from the study that 91 percent of the interviewed employees are aware that passwords should not be used multiple times. 82 percent of respondents also know that they should use a combination of letters, numbers and symbols. However, the majority of respondents do not do this. There is a clear mismatch between what people know and what they implement.
Passwords are an aspect of IT security that is currently talked about quite differently than just a few years ago. Does the rule “The longer and more complicated a password, the more computation is needed to crack it, and the more secure the system” still hold true?
It is true that for a long time the rules “at least eight characters of password length, letters, numbers and special characters” were communicated by US online services. But even if you follow them, it does not make life any more difficult for hackers. All it does is make your password harder for you to remember. Whether a password is secure or not depends on the context. If you want to access an online service, the service operator can provide much better security than an individual user can. The operator can easily notice and also prevent unauthorised people trying out passwords millions of times in order to get into accounts. This works better than a single user's twenty-seven-character password. When it comes to offline access to devices and services, such as the password for your own computer, you have to assess the security aspects again in a completely different manner. It can be helpful to store important data in a secure cloud.
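The operator-side protection Dr. Neumann describes, as an added example that is not part of the interview, the BITKOM study or Bundesdruckerei's own systems: a minimal server-side login throttle in Python. The account names, passwords, source addresses and thresholds (five failures per account, twenty per source address, a thirty-minute lockout) are constructed assumptions for the demonstration. The block also computes the resulting guess budget an attacker gets per account per day, which is what bounds an online attack, not the length of the password; a stolen password database attacked offline enjoys no such limit.

```python
"""Added illustration (not code from the interview, Bundesdruckerei or the
BITKOM study): how an online service operator can stop password guessing
regardless of how long the user's password is. All accounts, addresses and
thresholds below are constructed for the demonstration."""
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical credential store. Plain-text passwords are used only to keep the
# demonstration short; a real service would store salted password hashes.
ACCOUNTS = {"alice": "correct horse battery staple", "bob": "Tr0ub4dor&3"}


class LoginThrottle:
    """Sliding-window failure counting with per-account lockout and per-source blocking."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30), ip_max_failures=20):
        self.max_failures = max_failures        # failures per account before lockout
        self.window = window                    # failures older than this are forgotten
        self.lockout = lockout                  # how long an account/source stays blocked
        self.ip_max_failures = ip_max_failures  # failures per source IP before blocking
        self._account_failures = defaultdict(deque)  # account -> failure timestamps
        self._ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.locked_until = {}                       # account -> datetime
        self.blocked_until = {}                      # ip -> datetime

    def _prune(self, timestamps, now):
        """Drop failures that fell out of the sliding window."""
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def _record_failure(self, timestamps, now, limit):
        """Record a failure; return True when the limit within the window is reached."""
        timestamps.append(now)
        self._prune(timestamps, now)
        if len(timestamps) >= limit:
            timestamps.clear()
            return True
        return False

    def attempt(self, now, account, ip, password):
        """Process one login attempt; return 'allow', 'fail', 'locked' or 'ip_blocked'."""
        if self.blocked_until.get(ip, now) > now:
            return "ip_blocked"
        if self.locked_until.get(account, now) > now:
            return "locked"  # refused before the password is even examined
        # Constant-time comparison; unknown accounts compare against "" and fail.
        if hmac.compare_digest(ACCOUNTS.get(account, ""), password):
            self._account_failures[account].clear()
            return "allow"
        if self._record_failure(self._account_failures[account], now, self.max_failures):
            self.locked_until[account] = now + self.lockout
        if self._record_failure(self._ip_failures[ip], now, self.ip_max_failures):
            self.blocked_until[ip] = now + self.lockout
        return "fail"


def max_online_guesses_per_day(max_failures=5, lockout=timedelta(minutes=30)):
    """Upper bound on guesses per account per day under this policy
    (max_failures per lockout period), independent of password length."""
    return int(max_failures * (timedelta(days=1) / lockout))


def run_targeted_guessing():
    """Constructed scenario: eight guesses against 'alice' from one address,
    then the real owner logs in during and after the lockout."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    throttle = LoginThrottle()
    outcomes = [throttle.attempt(t0 + timedelta(seconds=i), "alice", "203.0.113.7", f"guess{i}")
                for i in range(8)]
    # The legitimate owner is refused while the lockout is active ...
    outcomes.append(throttle.attempt(t0 + timedelta(seconds=10), "alice", "198.51.100.4", ACCOUNTS["alice"]))
    # ... and admitted once it has expired.
    outcomes.append(throttle.attempt(t0 + timedelta(minutes=31), "alice", "198.51.100.4", ACCOUNTS["alice"]))
    return outcomes


def run_password_spraying():
    """Constructed scenario: one common password tried against 22 different
    accounts from a single address; the per-source limit catches it even though
    no single account ever reaches its own lockout threshold."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    throttle = LoginThrottle()
    return [throttle.attempt(t0 + timedelta(seconds=i), f"user{i:02d}", "203.0.113.9", "Winter2024!")
            for i in range(22)]


if __name__ == "__main__":
    print(run_targeted_guessing())
    print(run_password_spraying())
    print(max_online_guesses_per_day(), "online guesses per account per day")
```

Two design points are visible in the scenarios. First, the legitimate owner is also refused during the lockout, so an account lockout alone hands an attacker a way to lock users out of their own accounts; that is why the per-source limit is combined with it and why real services add progressive delays or CAPTCHAs instead of relying on lockout alone. Second, password spraying (one guess across many accounts) never trips the per-account counter, so a per-source or global failure rate must be monitored as well.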
What other insecurity factors besides passwords exist in the area of IT security, especially with regard to a company's own employees?
data and people who deal with less sensitive data. An IT administrator, for example, knows a lot more about his own corporate network and its potential security vulnerabilities, and also has access to much more data than other employees. So as an entrepreneur you should think about which user groups exist on your company network and which information and services each group should, and should not, be able to access, and restrict access accordingly. Another important topic is data theft via fake e-mails, known as phishing. You should regularly train your staff to pay attention to the senders of e-mails and to the kind of text, links, downloads and attachments they contain. Also, think about what happens to the knowledge and information that employees still have when they leave the company.
Do you think that companies have been made sufficiently aware of IT security?
From the study “IT security in the context of digitisation”*, we know that 54 percent of the surveyed companies had a specific IT security incident in the past 24 months. So awareness of the topic is unavoidable. However, the question is, as with the individual employee, whether it is dealt with according to the security rules. After all, 60 percent of the companies surveyed expect IT security investment to increase over the next few years. Personally, I find it a pity that many companies still view IT security more as an obstacle than as an opportunity for their own business. I consider IT security a necessary condition for digitising your own company successfully.
What can companies do to enhance their employees’ awareness of this and win them over?
People must be made to realise how closely private and professional data are linked and that an attack on professional data may also entail an attack on corresponding private data. For example, considerably more people open dubious e-mails on the company computer than on their private computer at home, because they think that in the workplace they have their own IT experts and they themselves need not make any contribution to the company’s IT security. That is wrong. You must make it clear to your own employees that everyone shares responsibility for IT security. This could be done by organising workshops in which you show what can occur if there is an attack, what subsequently happens in IT and what effects an attack can have on one’s own colleagues. That works very well.
To what extent are a system and the security of a system controllable?
There will always be gaps. IT security is an area that is constantly on the move. Every day, for example, new software updates appear that need to be installed. You have to invest in good technology and also in training for your employees, and constantly renew and update the knowledge you have acquired. However, entrepreneurs should also realise that absolute security will never exist.
With more than €10 billion in damage per year, no company should neglect investing in cybersecurity. According to industry experts, SMEs in particular are still insufficiently protected.
* German study