Untrained employees repeatedly put IT security to the test in German medium-sized companies. A G DATA survey sheds light on the problems and shows how effective security awareness is.
Every second company in German medium-sized companies knows the situation if a cyber attack was successful. Untrained employees often play an important role in this. E-mails are the number one attack route in IT systems because employees can quickly fall for fake invoices or applications. A current survey by G DATA CyberDefense shows which pitfalls lurk when it comes to security awareness.
Employees are not IT security specialists
IT security is not the core business of most employees - especially if they do not come from the IT environment. This has consequences: Half of the medium-sized companies surveyed had a successful cyber attack caused by an employee's mistake. That becomes expensive and can quickly become life-threatening.
“Many employees are unsure how to handle IT and are prone to errors. Cyber criminals take advantage of this and attack via employees, ”explains Nikolas Schran, Product Owner Cyber Defense Academy at G DATA CyberDefense. “Anyone who thinks IT security holistically cannot rely on technical solutions alone, but should make their employees an integral part of their security concept. "
When the budget becomes a problem
There is potential for a significant improvement in IT security. However, many medium-sized companies do not use this opportunity. Smaller companies in particular do not think of comprehensive training over a longer period of time when it comes to security awareness training, but only hold one-off events. Alternatively, e-mails about current threats are sent from time to time or information is made available via the company's intranet. This is neither expedient nor sustainable. Such an approach can save money compared to purchasing an e-learning environment.
Security awareness is more important than ever
However, there is no lasting change in behavior or real sensitization. In order to calculate the opportunity costs of security awareness training, those responsible should compare the costs of a business failure of several days due to a cyber incident with the investments. This is especially true in the current situation, which places special demands on entrepreneurs and employees.
“In the current home office situation in particular, good security awareness is more important than ever. Employees are exposed to particular pressure from the pandemic, homeschooling and isolation. In such situations, they are particularly vulnerable to social engineering. We strengthen the employees so that they can make the right decisions even in stressful situations and thus increase IT security in the company, ”says Nikolas Schran.
78 percent of the companies report positive effects
Nikolas Schran, Product Owner Cyber Defense Academy at G DATA CyberDefense (Image: G Data)
Companies should rely on comprehensive security awareness training courses in order to provide their employees with long-term training in the subject of IT security and to equip them with the knowledge they need to reliably ward off attacks. This measure is very effective and the investment is worthwhile: 78 percent of the medium-sized companies surveyed have increased their IT security as a result and the employees are more careful with their IT systems.
Further results of the study
- Half of the companies train their entire workforce on IT security.
- Half of the companies expect a phishing simulation for e-learning services.
- The aim of security awareness training in companies is to improve IT security and compliance.
- The most important topic for small and medium-sized enterprises in security awareness training is "security incidents" - recognizing attacks and taking correct action in an emergency.
- Almost half of the medium-sized companies that do not conduct security awareness training believe that they are well positioned when it comes to IT security.
For the security awareness training survey, OmniQuest surveyed a total of 2020 medium-sized companies on behalf of G DATA CyberDefense AG in autumn 200. The German companies surveyed had between 50 and 1.000 employees. The industry affiliation and the field of activity played no role. The study is available as a free PDF file "Security Awareness Training in German SMEs - Are employees part of the cyber defense?"
For the study as a PDF at GDATA.de
About G Data With comprehensive cyber defense services, the inventor of the anti-virus enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: With over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a “no backdoor” guarantee with the “IT Security Made in Germany” seal of trust from TeleTrust eV. G DATA offers a portfolio from anti-virus and endpoint protection to penetration tests and incident response to forensic analyzes, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.