Human beings: the chink in the armor

Hackers know one thing for sure: Very often, the weakest link in any company’s cybersecurity setup is its employees. This installment of our series on cybersecurity will introduce you to the tricks that attackers employ and measures that companies can take to prevent their employees from making the wrong click.

What should you do if Excel crashes on the job once again? You simply look online for some tips and soon the spreadsheet program is running smoothly once again. But, sometimes, the program cannot be revived at all. That is what happened at the last employer of Michael Rempfer, a southern German mechanical engineering company. A colleague there set off on a search for help with Excel and clicked a file that turned out to be teeming with malware. Thirty minutes later, the shortcuts on the monitor stopped working. The reason soon became apparent: A virus was clandestinely encrypting the hard drives of the entire company. “We quickly spotted the problem and shut down all the servers,” Rempfer says. Fortunately, the company had an up-to-date backup copy, and the nightmare was over the next day.

Today, Rempfer is the Technical Director at Kallfass, a manufacturer of packaging machines. But the engineer has not forgotten that anxiety-filled day of the past and now does everything he can to prevent a similar attack from befalling his new employer. A firewall repels everything that comes its way. Employees are prevented from accessing suspicious pages, and they are unable to install any software at all. “Employees have no admin rights whatsoever,” he says.

The caution is justified. Nearly 40 percent of European companies were victims of cyberattacks in the past five years, according to a study conducted by the auditing and tax-consulting firm RSM in 2019. And those are just the companies that spotted them. Sixty-four percent of the 597 surveyed decision makers from 33 European countries stated that they may have been hacked unwittingly.

Nearly half of successful attacks were aimed at employees with inadequate security awareness, the study found. Kaspersky, a provider of security software, says the rate is probably much higher: More than 80 percent of security incidents are the result of human error. Hackers set their sights on one particular group: small and medium-sized enterprises that think that they would not be a very inviting target. As a result, they mistakenly assume that they have nothing to worry about and fail to inform employees about the issue.

Cheap tricks to success 

“Money is always a trap,” says Markus Schließ, a Stuttgart-based lawyer who specializes in IT law. An employee at one of his clients was lured into playing a contest worth an apparent €5 million. In doing so, she unwittingly passed on data to hackers. It is alarming to see that some companies do not even bother to introduce the simplest security measures. At another client, an IT company, the thieves simply walked up to an insecure door and gathered up information with a USB flash drive – “it is the cheapest trick. It should never happen.”

 

Neither incident ultimately had any serious consequences because the lawyer could show that the employees did not act intentionally. But Schließ warns: “Government officials are now looking very closely to determine whether privacy regulations are being observed.” His law firm rather frequently handles cases in which unsatisfied (former) employees want to harm their employer by stealing information. In such cases, the target of the attack must prove that it had previously taken appropriate technical steps to reduce the risk.

Pacesetter: The Charter of Trust

To prevent such problems from arising in the first place, Markus Schließ urges companies to provide their employees with a code of conduct and to undertake regular training courses. Such an approach is also recommended by the Charter of Trust Initiative that Siemens launched in 2018 with IBM, Airbus, TÜV Süd, Allianz and other companies and research partners. Members team up in several task forces to study individual aspects of the issue. One of these task forces is exploring types of training and education that prevent employees from becoming easy prey for cybercriminals. The rules are well-known, but somehow get lost in the hustle and bustle of everyday business life: Do not open attachments sent from unknown e-mail accounts, use secure passwords and be on your toes when unknown individuals turn up in the office.

This is why regular training courses are so important. Siemens is a role model in this regard. It introduced a web-based training course years ago that all employees who work on PCs must attend once a year. The course not only explores classic cybersecurity questions – like the dangers of phishing e-mails and public Wi-Fi hotspots – but also tackles new subjects like information theft in social networks and requirements for secure products and services from Siemens or its partners and suppliers. There is also a dedicated training curriculum enabling employees to dive deeper into the topic of cybersecurity – be it “classical” IT cybersecurity or cybersecurity in factory and product development environments.

 

Nevertheless, people make mistakes. So Siemens also protects its IT infrastructure by using things like phishing protection for e-mails and website filters. And it urges its partners to do the same.

Successful training

Markus Schließ has also noticed that small and medium-sized enterprises are increasingly addressing the issue of cybersecurity as well. The lawyer offers training courses about the issues, and demand for these courses is rising. The feedback he receives from his clients demonstrates that the courses are paying off: “They have significantly fewer security incidents afterward.” 

Our series of five articles explains what small and medium-sized enterprises can do to protect themselves against cyber risks. This is the third article in the series. You will find the first and second stories here. The series examines why smaller companies are more frequently impacted by attacks and what role employees play. The articles also provide tips on how companies can protect themselves against attacks at reasonable expense and leverage this as part of their business strategy — for example with concrete assistance from Siemens. As soon as a new article appears, it will be linked here:

Part 1: Room for improvement

Part 2: Far too low-hanging fruit

Part 3: Human beings: the chink in the armor

Bernd Müller
