IT security incidents and information security incidents are omnipresent in media reports today. But how do cybercriminals actually obtain the information they need to compromise IT systems? And how do they manage to send fake emails to as many employees of a company as possible? In this blog post, DQS explores how phishing attacks typically work today, why security awareness is so important, and how an information security management system in accordance with ISO 27001 contributes to greater security awareness among employees.

Which attacks are the most dangerous?

Phishing attacks are the most dangerous because highly professional cybercriminals specifically target people as the weakest link in information security, thereby circumventing technical protective measures.

Organized cybercrime is now a billion-dollar business, and the individual groups and actors involved are comparable to conventional companies in terms of their tight organization: They act in a highly professional manner and strive for operational efficiency in order to operate as profitably as possible.

Malicious actors usually focus on the weakest link in the chain of a security concept: people. It is therefore crucial that employees understand their importance as a success factor for information security.

Phishing remains one of the most efficient methods of attack because it does not require attackers to deal with the highly complex technical security architecture of companies. Instead, they simply try to manipulate employees into unwittingly letting criminals into the company network.


Information security incidents: Which gateways are the most dangerous?

Publicly accessible information such as company websites and email addresses is particularly critical, as it provides phishing attackers with the personal data they need to manipulate employees effectively.

While a hacker in a technical attack initially acts blindly and has to hunt for known vulnerabilities by trial and error from their own computer or try tens of thousands of passwords by brute force, in phishing they search specifically for information and personal data right from the start. This includes:

  • Company email addresses
  • Names of IT employees
  • Email signatures
  • Information about corporate identity (CI)
  • Topics that are of interest to employees

The company website is usually their first port of call, as it already provides useful information about CI and topics of interest. Above all, however, hackers are on the lookout for email addresses and IT contacts. This is because the phishing email is to be sent to as many employees as possible later on. However, they do not send it to IT specialists, who are likely to notice a fake email most quickly.


In principle, phishing is not a technical attack, but an attack on the weakest link in the chain of (almost) every security concept: human beings.

Why are email addresses dangerous for phishing attacks?

Email addresses are so dangerous because attackers can systematically create complete distribution lists, deceptively genuine senders, and perfectly replicated phishing emails, including login pages, from just a few publicly available pieces of information, which they use to trick employees into revealing their access data.

Based on the first email addresses they find, hackers can usually deduce the underlying structure – for example, “[email protected]”. This allows them to deduce the corresponding email address from each employee name.

Social media – especially business portals such as XING or LinkedIn – then offer an excellent opportunity to compile extensive employee lists and use the identified pattern to deduce the corresponding addresses.

At the same time, the attacker also creates a blacklist of all employees who have relevant professional experience or IT interests. These employees will not receive any fake emails.


Process orientation in ISO 27001

Our free whitepaper explains in detail the process-based and risk-driven approaches of ISO/IEC 27001, as well as the DQS audit methodology for an effective ISMS audit.

The Trojan horse is saddled up

Once the hacker has selected their targets, all that remains is a little fine-tuning to send emails that look as authentic as possible. To do this, a hacker can, for example, contact the company directly and through official channels by posing as a customer and requesting a quote. The response—which, in the best case scenario, even includes an attached document with the product portfolio—provides them with a wealth of valuable information, such as:

  • What does the email signature look like?
  • What fonts are used?
  • Where are logos placed in documents?
  • What do headings look like?
  • What color accents are used?

This information can be used to create a deceptively genuine phishing email. Finally, all that is missing is a suitable, trustworthy sender email address. This can be an address that simply has a different ending, such as “.com” instead of “.de.” Particularly resourceful hackers also resort to letters from different alphabets. For example, the lowercase “L” is practically indistinguishable from the Greek letter “iota” for the recipient. There are no limits to creativity here.


Deception: the fake login page

Once the hacker has created emails that look deceptively genuine and has a sender address that appears trustworthy at first glance, they attempt to obtain the employees' real login details. To do this, they build a fake login page in the company's corporate design and create a simple but realistic scenario to get employees to authenticate themselves there – i.e., enter their company login details. Here are two simple examples:

1. The hacker pretends to be an IT administrator and sends a circular email to the workforce, drawing their attention to a new video portal for remote meetings. All employees are asked to authenticate themselves there to check whether their existing contacts have been transferred.

2. The cybercriminals pose as management assistants and explain that the company has launched a new employee benefits program. To take advantage of the discounts and promotions, employees simply need to authenticate themselves on the linked portal.

As a result, countless usernames and passwords end up in plain text with the attacker, who uses them to gain access to the company network and the data stored there. From escalating access rights to encrypting systems and data records, the attacker can now do everything possible to cause maximum damage or demand a ransom.

Incidentally, the complexity of passwords is irrelevant with this method of attack—and even many two-factor solutions can be “phished” with little extra effort.

What role do employees play in effective information security?

Employees are crucial for effective information security because social engineering attacks target people rather than technology, and only sensitized, trained employees can reliably recognize and ward off phishing and similar attempts at deception.

It is important to understand that, from a purely technical point of view, the attack described does not constitute an attack on a company's IT systems. Instead, the hackers use social engineering—they use publicly available information to persuade employees to unknowingly disclose sensitive data (in this case, their login details). As a result, technical protective measures are ineffective.

The only reliable protection against this type of information security incident is for employees to be able to recognize and prevent such attacks. To achieve this, the team must first be made aware of the issue through systematic security awareness training. The training concept should cover as broad a spectrum of topics as possible – from basic information on information security and the safe handling of IT systems and data to education about dangers and the correct behavior in the event of security-related incidents.

The bottom line is that companies must sensitize their employees to attacks. This will turn them from potential vulnerabilities into the best protection against social engineering and phishing.


Why are employees an important part of Annex A of ISO 27001?

Employee involvement is a central component of the international ISO 27001 standard. The standard requires systematic efforts to raise security awareness in order to minimize human vulnerabilities and effectively prevent social engineering attacks.

Companies should therefore regularly review their security standing and firmly anchor awareness in their security concept. This approach is a core element of the recognized standard for information security management systems (ISMS), in particular via Control 6.3 “Information security awareness, education, and training” from Annex A.

In the current version of the standard, the requirements on the topic of “awareness” can be found in section 7.3.

"An ISMS according to ISO 27001 defines requirements, rules, and methods for ensuring the security of sensitive information in companies. The standard provides a model for the introduction, implementation, monitoring, and improvement of the level of protection. The aim is to identify and analyze potential risks to the company and to make them manageable through appropriate measures. ISO 27001 formulates the requirements for such a management system, which are audited as part of an external certification process."

ISO 27001, for example, requires ensuring awareness, and thus sensitizing the weakest link in the chain, with regard to handling your company's information. And that starts with something as simple as an email address.

Other regulatory or legal requirements, such as the GDPR, also aim at a preventive approach to incident avoidance.


Control 6.3: Information security awareness, education, and training

Information security control 6.3, which is explained in more detail in ISO 27002:2022, requires that an organization's personnel and relevant interested parties have an appropriate level of awareness of information security within their area of professional responsibility and must comply with it. The employer must ensure this through appropriate training and education programs, among other measures.

Awareness, education, and training should be provided on a regular basis—for example, after changes to an organization's information security policy, after updates to topic-specific guidelines and procedures, or after changes in employee positions that involve significant changes in security requirements.


ISO 27001 - Controls in Annex A

With DIN EN ISO/IEC 27001:2024 and the new, up-to-date information security measures (controls) in the normative Annex A, you can ensure that your organization is optimally protected against modern threats.

Benefit from the expertise of our specialists. Learn everything about the 11 new and 24 merged controls and what needs to be considered during implementation.

In order to make staff aware of their responsibilities, it is important to develop an awareness program that reaches employees via appropriate physical and virtual channels, such as information events, brochures, emails, or e-learning modules. It should cover general aspects such as:

  • Management's commitment to information security throughout the organization
  • Familiarity with applicable regulations and obligations and compliance with them, taking individual circumstances into account
  • Personal responsibility for one's own actions and omissions
  • Basic information security procedures (e.g., incident reporting) and basic security measures (e.g., password security)
  • Contact points and resources for additional information and recommendations on information security

With regard to training and continuing education, Control 6.3 primarily addresses technical teams whose tasks require special skills and expertise—and requires the development and implementation of a suitable training plan. To this end, companies can consider various forms of knowledge transfer and updating, such as courses, self-study, or participation in conferences or events.

According to ISO 27001, the key point of organizations' awareness efforts is that staff understand the goal of information security and the potential positive and negative effects of their behavior on the organization.


Strengthening the weakest link in the chain

Even though Control 6.3 represents only a small part of the information security measures in the context of a holistic ISMS, it nevertheless represents an important building block for information security against the backdrop of numerous and increasing phishing attacks. As mentioned at the beginning, even the best technical protective measures are of limited help if hackers gain access to the network via the weakest link in the chain.

Raising security awareness among your own staff reduces the risk of social engineering attacks in the long term and makes it easier to follow up on security incidents – for example, because employees recognize potential attacks and report them responsibly. Security awareness therefore strengthens the weakest link in the chain and is thus a cornerstone of a holistic information security strategy.


Conclusion – Information security incidents

ISMS as the key to success

In summary, an information security management system (ISMS) is an indispensable tool for protecting sensitive data in our increasingly connected world. It provides a structured approach to ensuring the confidentiality, integrity, and availability of information and helps companies comply with legal requirements. By implementing an ISMS, organizations can identify, assess, and manage security risks, thereby strengthening the trust of customers, partners, and other stakeholders.

Certification to internationally recognized standards such as ISO 27001 provides clear evidence of a robust management system and offers a significant competitive advantage. For companies of all sizes and industries that work with sensitive information, an ISMS is not only useful, but crucial for sustainable business success and regulatory compliance.

DQS – What we can do for you

DQS is your specialist for audits and certifications – for management systems and processes. With 40 years of experience and the expertise of over 2,500 auditors worldwide, we are your competent certification partner.

We audit according to around 200 recognized standards and regulations as well as company- and association-specific standards. In December 2000, we were the first German certification body to receive accreditation for BS 7799-2, the predecessor to ISO 27001. This expertise continues to be reflected in our global success story today.


Trust and expertise

Our texts and brochures are written exclusively by our standards experts or auditors with many years of experience. If you have any questions for the author about the content of the text or about our services, please feel free to contact us.

Author

Markus Jegelka

DQS expert for information security management systems (ISMS) and long-time auditor for the standards ISO 9001, ISO/IEC 27001 and IT security catalog according to para 11.1a/b of the German Energy Industry Act (EnWG) with test procedure competence for § 8a (3) BSIG
