Human Firewall
According to Bitkom, the annual damage caused by cyber attacks on German companies will amount to €148 billion by 2023. Phishing emails account for a large proportion of this. Cyber security companies such as SoSafe are working to change this by making companies and their employees aware of the digital threat. This also applies to the healthcare sector, as patient data is particularly attractive to cyber criminals.
“The importance of cybersecurity has arrived in the economy,” says Felix Kuhlenkamp, security policy officer at the digital industry association Bitkom. Last year, for the first time, a majority of companies in Germany (52 percent) said that their existence could be threatened by a successful cyber attack. This compares to just nine percent in 2021. Company management is increasingly recognising that sustainable digitalisation can only be successful with professional security management. A view shared by SoSafe. In the latest Human Risk Review conducted by the cyber awareness experts, more than half of those surveyed stated that their budget for cyber security had increased in recent years. “A large proportion of this, 46 percent, is a reaction to the current threat situation, while 40 percent is motivated by a specific security incident or data breach,” explains Simona Dunsche, Corporate Communications Manager at SoSafe.
Employee awareness is one of the three points that management must put on its IT security agenda, alongside providing the necessary resources and an emergency plan in the event of a cyber attack, explains Bitkom expert Kuhlenkamp: “All employees must be trained in IT security. The people in the company remain one of the most important gateways for attackers - and at the same time they are the first and perhaps best defence against attacks. This training should not be a one-off exercise, but a regular one. This is because attackers' methods and technologies continue to evolve.” Forrester Research predicts that 90 percent of all cyber attacks this year will involve the human factor. This is where SoSafe and its team of more than 500 employees come in: “At the end of the day, it's always about the person who clicks on the link or gives out data over the phone. That's what we focus on in our training. Safe behaviour should become an intuition,” says Simona Dunsche. To achieve this, SoSafe uses a mix of theory and practice that takes behavioural psychology and technology into account: “The focus is on phishing simulations and e-learning. We want to complement technical solutions. Managers often say we have a firewall and email security. But at the end of the day, there is always a person sitting at the PC who has to decide: 'What am I looking at?' It is human nature to open a file in an email attachment that suggests important information. We train people not to do that. Instead, we try to meet people where they are and address different levels of knowledge. We work on a behavioural basis in terms of digital self-defence, which empowers people, reduces fear and makes them part of the defence.” The aim is to build a 'human firewall' - also to reduce the burden on those responsible for security in the company.
The healthcare sector is increasingly being targeted by cyber criminals. In 2020, Düsseldorf University Hospital was the victim of a hacker attack with serious consequences: surgeries could not be carried out for hours and the emergency department had to be closed. The university hospital was apparently a random target. However, this is probably not the case for the majority of attacks on hospitals and practices: “The attackers obtain health insurance details, health data or patient addresses. This is a goldmine of highly sensitive data for them. And if we look at cyber warfare or geopolitical crises, the healthcare sector plays a completely different role,” explains Charline Kappes, healthcare expert at SoSafe. One hospital she spoke to recently said it was under cyber attack 14,000 times a day. A figure that underlines the threat posed by cyber criminals today: “It is not a question of if I will be attacked, but when,” says Kappes. Because anyone in the healthcare sector can be affected, SoSafe works not only with clinics and multinational companies, but also with two-person practices. Many of them don't even know what to expect at first. “Awareness of cybersecurity is increasing in the healthcare sector, but I think there is still a lot to be done. Hopefully not just when something happens,” says Kappes, looking to the future with mixed feelings.
Words: Dominik Deden
Pictures: kovalto1, E4C NRW/B. Hickmann, 1KOMMA5°, MWIKE NRW/A. Bowinkelmann