
IT SECURITY

13 Efficient Ways to Boost the IT Security Understanding of Your Colleagues and Employees

In most cases, the correct assessment of the importance of IT security in the company is based on awareness. We show you which methods you can use to sensitize your employees to IT security. In addition, you will get an overview of the current technical and organizational measures to address the human factor in IT security. Finally, we show you what to do when an IT security incident has occurred in the company.

Most Important: Create Awareness

Companies must explain the reasons for certain measures to employees, and the consequences of careless use. When they realize that even their own job can be at risk from a cyber-attack due to high monetary loss, the risk becomes much more meaningful. Raising employee awareness requires regular re-training. Only in this way can the topic of IT security be effectively anchored in their thoughts and actions.

Clarified IT Security Guidelines & Transparent Information

To ensure more IT security at the personnel level despite limited financial resources, companies should create easy-to-understand IT security guidelines for employee orientation and have every new employee sign a confidentiality agreement, and bring more security to the company through process-integrated control measures. The important principle here is, “Keep it simple!”

In many cases, policies are written in such a difficult way that they simply cannot be effectively absorbed by employees. Instead of communicating risks, dangers and good practices in clear and comprehensible instructions, businesses often give employees multi-page documents that everyone signs but very few read, and even fewer understand.

The transparent display of the functions of the security software in use can also act as a deterrent: if an employee knows that shadow copies of all outgoing data are stored, conscious misuse of data is unlikely.

Careful Use of Social Media

Managing directors and IT managers should call on their employees to share work-related and professional information only with great restraint, or not at all, on social media channels. This also includes contact details of colleagues. Cyber criminals use this knowledge to gain access to the company and its networks. Therefore, the identity of strangers should always be checked before agreeing to a networking request. This applies in particular to the group of 45 to 54-year-olds, who usually occupy a higher position due to their age and are therefore the attackers' preferred target: currently, only 29 percent of these employees check who is behind a contact request via social networks.

Caution with Confidential Information in Public

Employees must be aware that the rules for public communication are different from those behind closed doors in their own offices. Train your employees not to disclose internal information in public. Business phone calls in public places, on trains or on planes should be limited to the essentials. In this case it is better to arrange a callback or to clarify urgent topics by e-mail. Privacy filters (sight-protection foils) on notebook displays are a good preventive measure against the curious gazes of seat neighbors.


Regular Training

Without thoughtful and vigilant employees, companies cannot realize information security. Even a careless click on a mail attachment from an unknown person, or a note with passwords or access data on the desk, are still common gateways. An unknown person in a building can also be a danger if he or she can enter sensitive areas of the company without being stopped by security checks. Therefore, obligatory and regular awareness training courses are important for all employees. Assess the individual level of knowledge of the employees before the training. If necessary, use external consultants. This way you can close the knowledge gaps of your employees individually.

IT security awareness can only be permanently raised through regular training and education measures. A one-off IT security briefing only creates short-term awareness. Employee training with understandable practical relevance and examples from everyday life is always preferable to theoretical training.

Common Technical Measures

The successful creation of employee awareness is already a major step towards IT security. Next, there are a few technical measures to support this awareness.

Password Complexity and Two-Factor Authentication

A fundamental requirement for protecting sensitive data is the restriction of access. The most basic variant is password protection. The more sensitive the resources to be guarded, the greater the security requirements for passwords must be. To meet higher security requirements, a password should consist of at least eight characters. The longer the password, the harder it is to crack. In addition to letters and numbers, the use of special characters and upper and lower-case letters is recommended. Avoid using names or real words because they are too easy to guess and are always tried first in serious attacks. Even neighboring keys (“qwerty”, “asdfgh”) offer no security.
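As an added example (not code from the original paper), the password rules above turned into a policy check that reports every rule a candidate password violates; the tiny word list and the four-key threshold for a "neighboring keys" run are assumptions made here.

```python
import re
from typing import List

# Constructed stand-in for a real dictionary / breached-password list (assumption)
COMMON_WORDS = {"password", "welcome", "summer", "michael", "dragon", "company"}
# Physical keyboard rows used to detect "neighboring keys" such as qwerty or asdfgh
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8  # the minimum length recommended in the text


def _has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys of one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def _contains_common_word(pw: str) -> bool:
    """True if a name or real word from the list appears anywhere in the password."""
    low = pw.lower()
    return any(word in low for word in COMMON_WORDS)


def check_password(pw: str) -> List[str]:
    """Return the policy rules the password violates; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    if _contains_common_word(pw):
        problems.append("contains a name or real word")
    if _has_keyboard_run(pw):
        problems.append("contains neighboring keys (e.g. qwerty)")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Password1!", "Qwerty12!", "T7#vLq!9mR2x"):
        print(candidate, "->", check_password(candidate) or "accepted")
```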

In addition to using complex passwords, sensitive IT systems should be secured using two-factor authentication. With two-factor authentication, the process is as follows: you enter your name and password as usual to log in, and an additional characteristic, such as a token PIN, is then requested. It is important that the two authentication features come from different factors. Examples of two-factor authentication components are knowledge (password, PIN, TAN), possession (key, token, card) or a biometric feature (fingerprint, iris pattern).

The Principle of Least Privilege

When it comes to data access, it is much more secure and reliable to deny all access by default and to allow it only when needed, on a case-by-case basis. This way all your users will have only the necessary privileges, allowing them to access only the data required for their work. This lets you prevent accidental data leaks and data deletion by employees who are not supposed to work with this data in the first place.

Multiple Approval Principle

Particularly when accessing very sensitive data, it is important to focus even more on internal control measures and to integrate them into business processes. In other words, access to important systems or data should always be approved by at least a second person, and possibly also by the relevant department. For example, a dual control principle in the program release procedure or in payment transaction management can help to detect errors in the process at an early stage.
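The two principles above (deny by default, and a second person or the owning department approving access to sensitive data) as one small access decision function; this is an added example, not code from the paper, and the resource and user records are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: frozenset                 # explicit grants; any role not listed is denied
    sensitive: bool = False                  # True: every access needs a second person's approval
    owner_department: Optional[str] = None   # if set, the approver must belong to this department


@dataclass
class AccessRequest:
    requester: User
    resource: Resource
    approvers: List[User] = field(default_factory=list)


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default; grant only on an explicit role grant and, for sensitive
    resources, on approval by a different person (from the owning department, if any)."""
    res = req.resource
    if req.requester.role not in res.allowed_roles:
        return False, f"denied by default: role '{req.requester.role}' has no grant on {res.name}"
    if not res.sensitive:
        return True, "granted: explicit role grant"
    # Dual control: the requester may never approve their own access
    others = [a for a in req.approvers if a != req.requester]
    if not others:
        return False, "denied: sensitive resource needs approval by a second person"
    if res.owner_department is not None:
        from_owner = [a for a in others if a.department == res.owner_department]
        if not from_owner:
            return False, f"denied: approval must come from the {res.owner_department} department"
        return True, f"granted: approved by {from_owner[0].name} ({res.owner_department})"
    return True, f"granted: approved by {others[0].name}"


# Constructed sample data (assumption), not taken from the original page
PAYROLL = Resource("payroll-db", frozenset({"accountant"}), sensitive=True, owner_department="finance")
WIKI = Resource("team-wiki", frozenset({"accountant", "engineer"}))
ALICE = User("alice", "accountant", "finance")
BOB = User("bob", "accountant", "finance")
CAROL = User("carol", "engineer", "engineering")
```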


Social Engineering

To provide technical measures against social engineering in addition to user awareness, more complex methods are necessary. One possibility is the digital signing of e-mails, in which the sender's validity is cryptographically verified. This validation is performed, for example, by a dedicated secure mail solution.

In addition, plausibility checks should always be made prior to transmitting sensitive data to third parties, for example on the telephone. Legitimate callers can identify themselves in the case of a payment transaction, for example, by specifying an existing file number or an invoice number.

Universal Monitoring

Integrated IT protection is rounded off by innovative monitoring and intrusion detection solutions. In times of authorization-controlled access to IT, the amount of login data is growing rapidly. On a technical level, Identity and Access Management (IAM) and Security Information and Event Management (SIEM) systems support monitoring. They can be used to control the authorizations of employees and permanently monitor systems. In addition, irregularities can be identified much faster and alerts automatically raised.

Organizational Methods

Satisfied and Motivated Employees

The established company guidelines and the legal framework are the basic safety net. A correct understanding of IT security, vividly illustrating the risks in the company and offering appropriate solutions, combined with a high level of employee satisfaction, is one of the best methods of preventing problems.

Watch Out for Spies!

Be mindful of industrial spying. What used to be the preserve of a few large companies is now also a concern for smaller companies in a time of highly successful start-ups.

This method of gaining knowledge unfairly and compromising companies from within is still used in practice. However, it does not always have to be an employee who has been infiltrated into a company. It is also easy to convince former employees to disclose trade secrets to a successor company. The higher the position in the previous company, the greater the chance that the employee holds sensitive information.

As a company, you can certainly protect yourself against this unwanted flow of information. In practice, this is done by longer notice periods in the employment contract or by agreeing on a post-contractual non-compete clause for a period after leaving the company.

The disadvantage of both constructions is that they can be undermined: employees sometimes try to avoid longer notice periods by simply resigning outside of the agreed-upon notice period, in order to terminate the employment relationship prematurely. The catch to the contractually agreed non-compete obligation is that the employer must prove the non-compete obligation has been violated, which is difficult to do in practice.

This shows all the more clearly how important the integrity of employees is for a company.


Hire a CISO

In addition to the Chief Information Officer (CIO), a separate position for a Chief Information Security Officer (CISO) also needs to be created. Due to the complexity of the area of responsibility, the CIO usually does not have the capacity to meet all requirements with the appropriate intensity. IT operations are usually given the highest priority, which is why security issues are often left behind or only advanced very slowly. The CISO is responsible for the development and definition of security-relevant objects, threats and risks, and the security objectives derived from them. A CISO usually reports directly to the Executive Board (CEO), because he or she is responsible for the risk management of all information assets of a company.

In Case It’s Too Late: Correct Emergency Response

Work with Experts if Necessary!

Despite careful preparation and intensive planning, events will still occur in the career of every administrator that were not defined and played through in advance. So, if an emergency suddenly occurs, there is one thing above all: keep calm, fall back on emergency plans and procedures, and keep track of the situation.

As in most emergency situations, over-hasty decisions are rather counterproductive. Also, most administrators in a real emergency are not equipped with deep, detailed expert knowledge. There are professionals for all situations, including companies and individuals who explicitly specialize in dealing with IT emergencies. In a worst-case scenario, do not hesitate to call on external experts. Ideally, you should already have some addresses of IT security companies in your emergency documents that you can contact quickly and easily in an emergency.

Conclusion

As an IT administrator or IT security manager, you are constantly walking a tightrope. On the one hand, users are to be given the greatest possible flexibility in their daily business, but on the other hand, focus must be placed on ideal and comprehensive IT security. Finding a suitable balance between both factors is and remains the exciting challenge administrators must face every day.

ABOUT PAESSLER AG

Paessler AG’s award-winning PRTG Network Monitor is a powerful, affordable and easy-to-use Unified Monitoring solution. It is a highly flexible and generic software for monitoring IT infrastructure, already in use at enterprises and organizations of all sizes and industries. Over 200,000 IT administrators in more than 170 countries rely on PRTG and gain peace of mind, confidence and convenience. Founded in 1997 and based in Nuremberg, Germany, Paessler AG remains a privately held company that is recognized as both a member of the Cisco Solution Partner Program and a VMware Technology Alliance Partner.

NOTE: Freeware and Free Trial versions of all products can be downloaded from www.paessler.com/prtg/download.
All rights for trademarks and names are property of their respective owners.
Paessler AG · www.paessler.com · info@paessler.com

000335/EN/20180529

Have a Constant Eye on Your Network Security: www.paessler.com/network-security-monitoring
