Information Security


Holistic information security for a sustainable safety culture

Interaction of technology, organization and people

Security comes from the interaction of technology, organization and people. It is no coincidence that an ISMS (Information Security Management System) stands at the beginning and at the center of all these efforts. We advise you; contact us!

Information security management is successful when

  • Technologies (secure technology, controlled access to buildings, equipment and services),
  • Processes (guidelines, risk management, crisis management, corporate communications) and
  • People (awareness, training, security culture)

are coordinated and able to adapt quickly, flexibly, sustainably and permanently to ever-new threat situations.

Technology

Secure infrastructure for your information

Your information needs a secure IT infrastructure. We support you in securing data storage, data transfer and data processing on your own devices, in the cloud and on connected devices and networks. We do this, among other things, through

  • Documentation and evaluation of your current technical security status
  • Assistance in planning adjustments
  • Help with the configuration of technical components and protocols
  • Consultation on the monitoring of your IT infrastructure, with reporting of deviations

Processes

Security processes and security culture

Information security is only as good as the security processes and security culture of an organization, be it a business, a government agency or another organization. We support you in the design and implementation of your ISMS (Information Security Management System) and your security strategy. Our guiding principles are “help for self-help” and “viable information security” within the scope of your needs and possibilities. The result complies with current national and international reference standards, the current legal situation and existing case law.

People

Awareness campaigns and phishing simulations

We help prepare and conduct awareness campaigns and phishing simulations, and we create and implement training concepts to address the human factor in information security. An interdisciplinary team of psychologists, technicians and communication experts supports you in realizing a holistic concept that sustainably strengthens your “human firewall”, e.g. through awareness campaigns or phishing simulations.

ISMS

ISMS: Information Security Management System. We advise you.

The standards for information security and data protection, such as BSI IT-Grundschutz (basic protection), ISO/IEC 27001, ISIS 12 or VdS 3473, are often not easy to implement for smaller companies and organizations. Practitioners in Schleswig-Holstein have therefore developed, with SiKoSH, a procedure that also enables organizations with little time and few resources to set up a professional ISMS (Information Security Management System), to safeguard the organization and to comply with legal obligations.

The SiKoSH procedure can be certified at the BSI basic security level and is an ideal, low-effort entry into the ISMS topic.

We help you implement an information security management system and ensure that you can independently carry on the ISMS processes as a continuous improvement process.

Live Phishing Training

The answer to semantic attacks from the Internet.

Security guru Bruce Schneier (2000) distinguishes three waves or epochs of cyberattacks:

  • physical
  • syntactic
  • semantic

Physical attacks target devices, data transfer media and electronic circuits. Schneier is of the opinion that failures of power supplies, lines and electronics are bad, but manageable and solvable problems.

Schneier calls the second wave of attacks “syntactic attacks”: attacks on the processing logic of computers and networks. These include software vulnerabilities, problems with cryptographic algorithms and protocols, denial-of-service attacks, virtually everything that derails technical processes on computer networks. Schneier says that we are far from mastering these attacks, but at least we know what problem we have.

Semantic attacks are the third and latest evolution of security threats. They are aimed directly at us humans. Targeted cheating and fooling of persons has always existed. However, through the Internet and the way we use it, cheating and deception have become infinitely simpler, faster and harder to control, as shown by the phenomena of phishing, online blackmail and, more generally, social engineering on the Internet.

Live Phishing Training with Code and Concept

In 95% of all information security and privacy incidents, people, people in general, are responsible for the damage caused by their insecure actions. Empowering employees to deal with the uncertainties and dangers of the digital world is an important part of information security as it is lived in practice.

Therefore, the statutory requirements of the GDPR also prescribe awareness and training of employees.

Phishing is the most important path that attackers use to gain access to networks and IT infrastructures. In its modern manifestations, such as spear phishing and business email compromise, a phishing attack is difficult to detect, and users need to be trained on a permanent basis. In training, unsafe behaviors are unlearned and safe behaviors are learned.

Phishing simulation is a highly efficient training method with a good price-performance ratio. Over the last few years, this method has established itself as the method of choice for training employees in dealing with dangerous e-mails and websites. Code and Concept therefore recommends the regular conduct of phishing training in the form of phishing simulations, such as basic training, safe behavior training and ad-hoc training when new forms of phishing emerge.

Code and Concept prefers to run phishing simulations with “on-premise” tools that are installed on the client’s network: no employee data leaves the house, and there are many technical, personnel and competitive advantages. If no phishing simulation tool is available in-house, Code and Concept supports the use of a range of phishing simulators and phishing simulation platforms.

Awareness Campaigns

The Code and Concept training concept follows the standards of the National Institute of Standards and Technology (NIST). These NIST standards are reflected in module ORP.3 (Awareness and Training) of the BSI IT-Grundschutz Compendium and have also been adopted by ENISA and BaköV for structuring awareness-raising measures.

The training concept recognizes three different learning situations and learning contexts:

  • awareness-raising
  • training
  • education

Awareness-raising refers to measures that increase awareness of information security. Users should know information security as an important issue and recognize it as a significant topic for their own work and sphere of influence. Examples of awareness-raising activities include lectures on data protection policy, events such as “The Hacker Comes to Visit”, distributing how-to manuals, company or management circulars, and press reviews.

Training serves primarily to impart knowledge in smaller groups. In contrast to a lecture, participants are involved more actively in a training session; there is room for questions and discussion, and cooperation is expected. Depending on the didactic orientation and duration, the terms workshop or course are often used.

Training aims to impart relevant skills and abilities, to reinforce correct behavior and to eradicate wrong behaviors. Training is more time-consuming for trainers and trainees than awareness-raising, and it has a strong practical component that promotes the sustainability of the measures.

“Education” refers to the education of individuals who have committed to information security as a profession. Education distinguishes specialists with great experience and deep understanding, with vision and the ability to recognize signs of damage and to react proactively.

As data protection and information security topics have become part of regular press coverage, a basic awareness of the topic can be expected and used to raise employee awareness. It makes sense to pick up public reporting in internal media (such as the employee magazine) and to show that what has happened to others can also become a painful reality in one’s own organization.

For Code and Concept, awareness-raising, training and education are most useful as a holistic information security campaign in which phishing simulations or other training offerings create a lasting framework of attention and security awareness.

Training to anchor and deepen safe behaviors is more efficient and motivating when modern didactic formats such as social engineering games or security courses are used in the seminar design. It is equally important to encourage and support colleagues in taking on the (informal) role of opinion leader and knowledge carrier in information security issues.

Information security problems occur unpredictably in the workflow and have to be solved on an ad-hoc basis. The quickest and best way to get “contextual” help right away is always to approach the colleague who is best at solving the problem and who, as an “information security buddy”, can resolve the resulting behavioral uncertainty competently and productively.

Social Engineering

The human being as the weakest link in the security chain

Famous and infamous hacker Kevin Mitnick described the situation in a hearing before the U.S. Senate with these often-quoted sentences:

“It is important to keep the overall situation in mind: people use insecure methods to verify security measures. The general trust in the security of the telephone system is certainly wrong, and the example I have just described shows the reason for it. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access to resources. But all the money is wasted, because none of these measures address the weakest link in the security chain: the people who use, manage, operate and are in charge of computer systems.”

Kevin Mitnick became known as the first “social engineer” in information systems. Social engineering is a collection of methods that exploit innate or habitual reactions of people to induce them to do things that are not necessarily in their own well-understood interest.

The most important social reactions are

  • reciprocity
  • commitment & consistency
  • social proof
  • authority
  • sympathy
  • scarcity

Reciprocity refers to the sense of obligation to respond to a gift in return, to reciprocate an offer of friendship, or to comply with the proposal (“enter username and password”) that follows a warning (“your account has been blocked”).

Commitment and consistency refers to the desire of most people to keep their promises and stand by their opinions. In everyday analogue life, sellers exploit this heuristic through the “foot in the door” and “low ball” techniques; on the Internet it appears in Nigeria scams: the attacker starts small with a request for moral support and ends up with an advance payment in hand.

Social proof stands for the tendency, in unclear situations, to orient oneself by what others do.

Creating sympathy is one of the most effective ways of exerting influence. People are more easily influenced by people they like, with whom they share interests, or whom they find attractive. Spear phishing uses these mechanisms, and it is becoming increasingly easy to find the necessary information on social networking sites.

Authority, which Kevin Mitnick emphasizes over and over again, is after sympathy the second most effective means of attack and works especially well where hierarchical structures regulate communication. This is especially the case in the banking sector, where the customer traditionally has great confidence in the competence and care of the provider.

Scarcity plays a role in almost all attempts at influence. If one has the impression that an opportunity will be lost unless one reacts immediately, the perceived lack of time leads to decisions being made under emotional conditions that, in retrospect, one would never have made as a “reasonable” person.

The good news is: the perception of social engineering techniques can be trained, and employees can be immunized against social engineering attacks.

Code and Concept conducts social engineering assessments with you to determine which business units, resources and employees are at greatest risk. The results are documented and can be used as a benchmark for awareness-raising, training and education.

To harden your “human firewall”, we then work with you to develop suitable training formats that raise the security of the human factor in your company to a new level.

Please contact us if you have any questions about the tools we use in a Phishing Awareness Campaign!

Interested? Call us!