Prof. Dr Andreas Heinemann is the professor for Computer Networks and IT Security as well as the current Dean of Studies at the Department of Computer Science at Darmstadt University of Applied Sciences. He leads the User-centered Security working group.
His primary research interests are usability and security, security for ubiquitous computing, and privacy in opportunistic networks.
He is a contributor to the National Research Center for Applied Cybersecurity – ATHENE and a board member of the Competence Center for Applied Security Technology.
Prof. Dr. Heinemann, how long have you been involved with the topic of security awareness? What fascinates you about it in particular?
In 2014, I founded a working group on usable security at the Department of Computer Science at Darmstadt University of Applied Sciences, and in this context I also dealt with the topic of security awareness. The term “awareness” has a lot to do with perception. And that immediately brings us to questions about communication and interaction between a user and an IT system, i.e., how can I design a user interface in such a way that I support the user as ideally as possible in recognizing a phishing e-mail as such, for example.
How big a threat do you think phishing emails and other fraudulent messages pose to businesses?
The “Phishing Activity Trends Report” of February 9, 2021 by the Anti-phishing Working Group reports that the number of detected phishing attacks doubled in 2020, and it can be assumed that the number of unreported cases is even higher. As a result, the threat to companies is very high – especially since this form of attack is very scalable and cost-effective for an attacker.
What developments do you see in the area of phishing emails over the last few years?
The attacks are getting better and better. A few years ago, users could still be advised to watch out for faulty grammar or impersonal salutations, but today it is the case that the URL alone can be used as a feature. With the success of services like “Let’s Encrypt”, the transport encryption HTTPS is also part of the standard repertoire of a phishing website.
What developments do you expect in the area of phishing emails? Particularly in relation to the global pandemic and the work-related consequences (home office, etc.)?
The COVID-19 pandemic is certainly both a blessing and a curse. By necessity, many companies have had to quickly learn to securely connect their employees to the company via a home office workspace, and in the beginning, this was certainly picked up by phishing attacks. It is a popular and established approach to tie phishing message content to current social events to increase the chances of success. In addition to COVID-19, this includes discount promotions for Black Friday or tax rebates, for example.
After COVID-19, however, many newly acquired ways of working and established remote workplaces will remain, and this will also mean new challenges for securing corporate IT if the home office workplace ultimately represents an entry node in the corporate network. I think more and more companies will continue to evolve their IT towards zero-trust architectures (cf. NIST’s SP 800-207), which can then also be a response to accounts that have been successfully compromised via phishing attacks.
How can companies educate their employees about phishing emails and other fraudulent messages?
First of all, the topic of IT security must be focused on by the management. Once this has been achieved, measures must be established that are tailored to the prior knowledge of the target group/employees. These could be training courses, but also campaigns or information days. It is important that the measures and content are selected in accordance with the respective work processes and corporate culture.
What type of training is particularly effective?
The effectiveness of individual training initiatives is the subject of controversial debate in the research community. This goes so far that individual measures – think of simulated phishing attacks via e-mail – could also have a negative impact on the relationship of trust between employees and company management. Therefore, it must be ensured in advance that this basis of trust does not suffer.
In general, it is difficult to make a statement about the effectiveness of a certain type of training. As already mentioned above, a lot depends on the previous knowledge of the employees; but also on the technical possibilities and the work processes. This can only be considered individually per company.
A certain degree of protection is definitely also offered by IT security policies and behaviors that are put into practice, e.g., it should be forbidden to use a private e-mail account for official communication, even if you are the boss of a company. For example, such a policy would make it easier for an employee to recognize a phishing attack and not fall for a CEO fraud attack.
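One way such a policy can be put into practice on a mail gateway, as an added example that is not part of the interview: a check that flags mail whose display name matches a known executive but whose address is not the one the company directory lists, or whose Reply-To would route answers outside the company. The corporate domain, the executive directory and the two sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed corporate domain and a constructed executive directory (placeholders).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

def normalize(name: str) -> str:
    """Lower-case, drop accents and collapse whitespace so look-alike names compare equal."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_only.lower().split())

# Directory keyed by normalized display name for lookup.
_EXEC_BY_NAME = {normalize(n): a.lower() for n, a in EXECUTIVES.items()}

def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def check_sender(raw_message: str) -> dict:
    """Evaluate one RFC 5322 message (given as text) against the policy; returns a verdict."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    expected = _EXEC_BY_NAME.get(normalize(display_name))
    if expected is not None and address.lower() != expected:
        # Name of a known executive, but not the address the directory lists for them.
        reasons.append("executive display name with non-directory address")
    if (domain_of(address) == CORPORATE_DOMAIN and reply_addr
            and domain_of(reply_addr) != CORPORATE_DOMAIN):
        # Looks internal, but any reply would leave the company.
        reasons.append("internal sender with external Reply-To")
    return {"address": address, "flag": bool(reasons), "reasons": reasons}

# Constructed sample messages (not real mail).
CEO_FRAUD_SAMPLE = """From: Jane Doe <jane.doe.ceo@private-mail.invalid>
To: accounting@example.com
Subject: Urgent payment

Please handle the attached invoice today.
"""
LEGIT_SAMPLE = """From: Jane Doe <Jane.Doe@example.com>
To: accounting@example.com
Subject: Quarterly figures

The figures are attached.
"""
```

A flagged message would be held or annotated for the recipient and reported through the company's phishing reporting channel rather than delivered silently.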
What advice would you give a CISO regarding security awareness and anti-phishing?
When it comes to phishing attacks, all technical security measures should be state of the art. Furthermore, every employee should know what to do if he or she detects a phishing attack, i.e., some form of reporting system must be established and known within the company. If all technical and organizational measures have been exhausted, then training courses and campaigns make sense. In my opinion, it is important to create the right incentives here and to give the topic a positive image. Last but not least, security awareness is a triad of necessary background knowledge, the corresponding competence to act, and the intrinsic motivation of an employee to put his knowledge and competence into practice. A high level of identification of the employee with the company values and its IT security measures is therefore indispensable.