Successfully fending off cyber-attacks with the right awareness strategy
Cyber attacks are one of the biggest risks facing companies today, and people are often the weakest link in the security chain. We therefore demonstrate how targeted awareness measures, legally sound training, and a constructive approach to errors can be used to build an effective shield against digital threats.
Content
- Prevention remains crucial as cyber attacks are on the rise
- The human factor: risk number one!
- Training as the core of the awareness strategy
- Cyber-attacks also present a legal problem
- Strengthening the security culture through awareness raising, testing and emergency preparedness
- Conclusion: A sustainable culture of awareness and error management should be established
Prevention remains crucial as cyber attacks are on the rise
According to a Bitkom e.V. survey, the economic damage caused by cyber attacks in Germany amounted to €178.6 billion in 2024 – an increase of €30 billion compared to the previous year. There is no end in sight to this trend.
Attack scenarios are diverse, but the greatest damage is regularly caused by ransomware attacks. In these attacks, data is first exfiltrated and then encrypted; victims are then extorted with the threat of publishing the stolen data, while the encrypted data is practically impossible to recover without paying. However, other cyber attacks, such as phishing followed by business email compromise (also known as CEO fraud), are also becoming more frequent, more successful and more devastating (thanks in part to AI).
To effectively prevent cyber attacks, it is crucial to systematically identify and secure the vulnerabilities exploited by attackers. Experience has shown time and again that the biggest vulnerability is and remains the human factor.
The human factor: risk number one!
According to estimates, around 90% of all successful cyber-attacks are the result of human error, particularly in the form of phishing. The methods used by attackers have evolved considerably. Deceptively realistic phishing emails are now commonplace. Additionally, alternative attack methods are becoming more prevalent, such as QR codes (quishing), telephone calls (vishing), and text messages (smishing).
Advances in artificial intelligence have further increased the risk. Speech synthesis systems can create realistic imitations of a person's voice from short recordings, which opens up many possibilities for abuse. Once an email account has been compromised, attackers can also use AI to carry on convincing conversations in the account owner's name.
Human errors can essentially be divided into two categories:
- Concentration-related errors: slips or carelessness despite actual knowledge. These are inherent in human nature and cannot be avoided entirely, but regular training can largely prevent them.
- Knowledge-related errors: a lack of knowledge or understanding, which can be addressed directly through training.
Training as the core of the awareness strategy
The most effective way to defend against cyber attacks is to implement consistent prevention measures. The focus is on establishing a sustainable security culture. Employees must be able to recognise threats and respond appropriately. The goal is to promote security-conscious digital work routines, reinforced by targeted awareness measures.
Mandatory training on typical threat scenarios, such as phishing, dangerous files, weak passwords, insecure technology (e.g. when working remotely) and the improper handling of sensitive data, is essential.
Annual or one-off general training for all employees is often insufficient. Employees with security-critical roles, such as those with extended access rights, require role-specific training. This increases the relevance and effectiveness of the content taught. Awareness measures should also take various forms to achieve a lasting learning effect.
Cyber-attacks also present a legal problem
Training is not merely optional; in some cases it is mandatory. For instance, Section 30(2)(7) of the BSIG – planned as part of the implementation of the NIS2 Directive – stipulates training and awareness-raising measures for significant and critical institutions.
Article 32(1) of the GDPR also requires controllers and processors to implement appropriate technical and organisational measures to protect personal data. This includes raising awareness and providing training for employees.
If employees have not been adequately trained and this leads to a successful cyber attack, questions of organisational negligence may arise once the incident has occurred.
Strengthening the security culture through awareness raising, testing and emergency preparedness
In addition to traditional training courses, such as classroom-based or remote training, realistic simulations, especially those involving social engineering and phishing attacks, can be another key element in strengthening security culture. Regular, unannounced phishing tests carried out by internal or external bodies serve to check and improve employee detection rates and responsiveness.
To avoid habituation effects that would undermine their effectiveness, it is important to ensure variety: the tests should differ in type, structure and frequency.
Such tests must also be carried out in a legally compliant manner. Employees' personal data must not be processed without good reason; it is therefore important to ensure that the awareness concept is legally sound.
Errors in such tests must be dealt with constructively. Sanctions can lead to a culture of silence in the event of real incidents, which can have serious consequences for incident management. Instead, objective follow-up and appreciative communication are required, involving analysis of causes and identification of potential for improvement.
Information campaigns can reinforce security awareness further, for example through regular newsletters or concise information 'bites'. The aim is to permanently integrate security-related topics into everyday working life without overloading employees with information, which could cause them to dismiss it unread.
It is also essential to provide a clearly structured, easily accessible and understandable guide for action in an emergency. This ensures that employees immediately know what steps to take in a crisis, or at least where to find this information. This promotes a coordinated approach, minimises risks, and significantly contributes to effective damage control.
Conclusion: A sustainable culture of awareness and error management should be established
Past practical experience, simulation results and test phishing campaign results should be systematically evaluated. This involves analysing areas of particular vulnerability, so that future measures can target these weaknesses, and so that training can be refined to address specific issues.
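The evaluation described above, and the requirement for varied phishing tests from the previous section, can be made repeatable with a small script. The following is an added example, not part of the original article: it works on constructed campaign results (hypothetical roles, lure types and thresholds) and reports which roles need role-specific training and whether consecutive campaigns repeated the same lure type.

```python
from collections import defaultdict

# Constructed sample results from three simulated campaigns (not real data).
# Each record: campaign id, lure type, employee role, clicked the lure?, reported it?
CAMPAIGN_RESULTS = [
    ("c1", "email",    "finance", True,  False),
    ("c1", "email",    "finance", False, True),
    ("c1", "email",    "admin",   False, True),
    ("c1", "email",    "sales",   True,  False),
    ("c2", "quishing", "finance", True,  False),
    ("c2", "quishing", "admin",   False, False),
    ("c2", "quishing", "sales",   False, False),
    ("c3", "smishing", "finance", False, True),
    ("c3", "smishing", "admin",   False, True),
    ("c3", "smishing", "sales",   True,  False),
]

def rates_by(key_index, results):
    """Click rate and report rate grouped by lure type (index 1) or role (index 2)."""
    clicks, reports, totals = defaultdict(int), defaultdict(int), defaultdict(int)
    for rec in results:
        key = rec[key_index]
        totals[key] += 1
        clicks[key] += rec[3]   # booleans count as 0/1
        reports[key] += rec[4]
    return {k: (clicks[k] / totals[k], reports[k] / totals[k]) for k in totals}

def weak_spots(results, max_click=0.3, min_report=0.5):
    """Roles whose click rate is too high or whose report rate is too low.
    The thresholds are hypothetical; choose them per organisation."""
    return sorted(role for role, (click, report) in rates_by(2, results).items()
                  if click > max_click or report < min_report)

def lacks_variety(results):
    """True if two consecutive campaigns used the same lure type (habituation risk)."""
    campaigns = []
    for cid, lure, *_ in results:
        if not campaigns or campaigns[-1][0] != cid:
            campaigns.append((cid, lure))
    return any(a[1] == b[1] for a, b in zip(campaigns, campaigns[1:]))

if __name__ == "__main__":
    print("roles needing role-specific training:", weak_spots(CAMPAIGN_RESULTS))
    print("rates by lure type:", rates_by(1, CAMPAIGN_RESULTS))
    print("consecutive campaigns repeated a lure type:", lacks_variety(CAMPAIGN_RESULTS))
```

Feed the same structure from a real campaign tool's export and the per-role results point to where the next training block should focus.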
A sustainable awareness culture also requires managers to lead by example. Only when cybersecurity is taken seriously and actively demonstrated at all levels can appropriate awareness be created among employees.
A healthy and sustainable error culture is also essential! Employees will only reliably and promptly report mistakes to the relevant internal departments if they do not fear severe consequences for making them. This allows any damage to be contained or avoided altogether. This requires more than lip service: it requires practical implementation and trust among colleagues.
Sustainable training concepts and courses should be designed or supervised by experienced specialists who can assess a company's individual threat situation and develop bespoke awareness concepts based on extensive practical experience.