The answer to semantic attacks from the web.


Security guru Bruce Schneier (2000) distinguishes three waves – or eras – of cyber attacks:

  • Physical
  • Syntactic
  • Semantic

Physical attacks are directed against devices, data transmission media and electronic circuits. Schneier is of the opinion that although the collapse of power supplies, lines and electronics is bad, it is a manageable and solvable problem.

Schneier calls the second wave of attacks “syntactic attacks” – these are attacks on the processing logic of computers and networks. These include vulnerabilities in software products, problems with cryptographic algorithms and protocols, denial-of-service attacks, practically anything that causes technical processes in computer networks to derail. Schneier believes that we are a long way from mastering these attacks. But at least we know what the problem is.

Most dangerous: semantic attacks

Semantic attacks are the third and latest development in security threats. They are aimed directly at us humans. Targeted fraud and deception of people has always existed. However, the Internet and the way we use it has made fraud and deception infinitely easier, faster and more uncontrollable, as the phenomena of phishing, online blackmail and social engineering in general on the Internet show.

Live Phishing Training

Live phishing training with Code and Concept

In 95% of all information security and data protection incidents, employees – and people in general – cause damage through their unsafe actions.

Empowering employees to deal with the uncertainties and dangers of the digitalized world is therefore an important part of information security in practice. The legal requirements of the GDPR therefore also stipulate awareness-raising and training for employees.

Phishing is the most important path through which attackers gain access to networks and IT infrastructures. In its modern manifestations, such as spear phishing and business email compromise, a phishing attack is difficult to detect, so users must be trained continuously. During training, unsafe behaviors are unlearned and safe behaviors are learned.

Phishing simulation is a highly effective training method with a good price-performance ratio. In recent years, this method has established itself as the ideal way to train employees in dealing with dangerous e-mails and websites.

Code and Concept therefore recommends carrying out phishing training regularly in the form of phishing simulations, for example as:

  • Basic training
  • Training to reinforce safe behavior and
  • Ad-hoc training when new forms of phishing emerge

Code and Concept prefers to carry out phishing simulations using “on-premise” tools that are installed in the client’s network.

“On prem” means that employee data does not leave the company, which brings many technical, personnel and competitive advantages.
If there is no in-house tool for carrying out phishing simulations, Code and Concept supports the use of several phishing simulators and phishing simulation platforms.

Awareness campaigns

People as the cause of damage

Code and Concept’s training concept follows the standards of the National Institute of Standards and Technology (NIST).

The NIST standards can be found in module ORP.3 (Awareness and Training) of the BSI IT-Grundschutz Compendium and have also been adopted by ENISA and BaköV for the structuring of awareness-raising measures. The training concept recognizes four different learning situations and learning contexts:

  • Awareness-raising (sensitization)
  • Schooling
  • Training
  • Education

“Awareness-raising” refers to measures to raise awareness of the topic of information security. This topic should be known to users as an important issue and recognized as significant for their own area of work and activity.
Examples of awareness-raising measures include information events on data protection law or attack scenarios, the distribution of instructions, circulars from the company or office manager or references to press coverage.

“Schooling” is primarily used to impart knowledge in smaller groups. In contrast to a lecture, participants are more actively involved in a training course, there is an opportunity for questions and discussions and cooperation is expected.
Depending on the didactic focus and duration, the term workshop or course is also often used.

“Training” aims to impart relevant skills and abilities, reinforce correct behavior and eradicate incorrect behavior. Training is more time-consuming for trainers and trainees than awareness-raising measures and has a high proportion of exercises that promote the sustainability of the measures.

“Education” refers to the training of people who are committed to information security as a profession – ‘education’ distinguishes specialists. This is about developing the ability to recognize early signs of malicious situations and react proactively with experience, understanding and foresight.

For Code and Concept, combining awareness-raising, schooling, training and education into one holistic information security campaign makes sense because phishing simulations and the other training offers then create a permanent framework that promotes attention and security awareness.


Gamification: training courses to anchor and reinforce

Ad hoc training: Information security problems occur unpredictably in the workflow and need to be solved ad hoc. The quickest and best way to get context-related help “right now” is always to approach the colleague who is most familiar with the solution to the problem and who, as an “information security pal”, can resolve the resulting behavioral uncertainty competently and productively.