Friday afternoon, 5:35 pm. Martin Schmidt is just about to call it a day. Most of his colleagues have already left the office. But then, pling, another e-mail lands in the mailbox of the head of the finance department. Next to the subject line, Martin Schmidt sees two red exclamation marks: highest priority. And the CEO himself has sent the e-mail.
"Dear Mr. Schmidt, I am addressing you with an urgent request," the e-mail reads. The text then goes on to ask the head of finance to make a transfer as quickly as possible; the plant in Greifswald urgently needs 287,000 euros to pay a supplier - otherwise production will have to be stopped on the same day.
Information security: Protecting data from unauthorized access
Martin Schmidt may be a brilliant financial expert. But he has never been enthusiastic about information security. Only once, at the beginning of his career, did he have to attend a training course on IT security. Among other things, the seminar covered how to protect data and information from unauthorized access. "That has little to do with my work," he thought.
If Martin Schmidt had paid more attention during that "IT Security" training course, he would have known that he works in one of the most sensitive areas of the business, the one that moves the money, and that this makes him a worthwhile target for fraudsters. Instead, he gets to work on this Friday, follows his boss's instructions in the mail and sends the 287,000 euro transfer on its way. He has no idea of the damage he has just done.
IT security is not limited to virus scanners and firewalls
The fictional Martin Schmidt has fallen victim to CEO fraud (also known as business e-mail compromise, BEC), and his company along with him. Worldwide, this scam causes total damage of 24 billion euros every year. Criminals forge e-mail messages that appear to come from high-ranking executives and trick employees into transferring funds. They do this so skillfully that the victims have no doubts about the authenticity of the messages.
Even the best-planned IT security system has its weak points. Digital data is never 100 percent secure. If fraudsters are determined enough, they will find a way to sensitive data: either through vulnerabilities in the technical system, or through people, as in the case of CEO fraud.
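What a "forged e-mail from the CEO" looks like under the hood is rarely shown in awareness texts, so here is an added example (not code from the original article). It parses a constructed CEO-fraud message and a constructed legitimate one and flags the classic indicators: an executive's display name on an address that is not theirs, an external look-alike sender domain, a Reply-To that quietly redirects answers elsewhere, urgency pressure, and a payment request in the body. The internal domain, the executive directory and both messages are assumptions made up for the example.

```python
"""Flag the tell-tale signs of a CEO-fraud e-mail from its headers and body.

Added example for this article; the domain, executive list and both messages
below are constructed for illustration and do not come from the original text.
"""
from __future__ import annotations

import email
import re
from email.utils import parseaddr

# Assumed internal domain and executive directory (constructed for the example).
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"thomas weber": "t.weber@example-corp.com"}  # hypothetical CEO

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|highest priority)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|wire|payment|invoice|euros?|eur)\b", re.I)

# Constructed fraud message: look-alike domain (digit 1 instead of letter l),
# redirected replies, high priority flag and an urgent payment request.
FRAUD_MAIL = """\
From: Thomas Weber <t.weber@examp1e-corp.com>
Reply-To: Thomas Weber <thomas.weber.ceo@mail-example.net>
To: Martin Schmidt <m.schmidt@example-corp.com>
Subject: URGENT: supplier payment for Greifswald plant
X-Priority: 1 (Highest)
Content-Type: text/plain; charset=utf-8

Dear Mr. Schmidt, I am addressing you with an urgent request.
Please transfer 287,000 euros to the supplier today, otherwise
production will have to be stopped. I am in meetings, e-mail only.
"""

# Constructed legitimate message from the real executive address.
LEGIT_MAIL = """\
From: Thomas Weber <t.weber@example-corp.com>
To: Martin Schmidt <m.schmidt@example-corp.com>
Subject: Q3 figures
Content-Type: text/plain; charset=utf-8

Hi Martin, could you send me the Q3 figures when you get a chance?
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return the list of fraud indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings: list[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. A known executive's name on an address that is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display-name-spoof")

    # 2. Sender domain is external, and possibly a look-alike of our own.
    if from_dom and from_dom not in INTERNAL_DOMAINS:
        findings.append("external-sender")
        if any(0 < levenshtein(from_dom, d) <= 2 for d in INTERNAL_DOMAINS):
            findings.append("lookalike-domain")

    # 3. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to-mismatch")

    # 4. Pressure: urgency wording in the subject or a high-priority flag.
    if URGENCY.search(msg.get("Subject", "")) or msg.get("X-Priority", "").startswith("1"):
        findings.append("urgency")

    # 5. The ask itself: a time-pressured payment request in the body.
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    if PAYMENT.search(body) and URGENCY.search(body):
        findings.append("payment-request")
    return findings


if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("legitimate", LEGIT_MAIL)):
        print(label, analyze(mail))
```

None of these signals is proof on its own; a real CEO does sometimes write "urgent". The value lies in the combination, and in the fact that the look-alike domain and the foreign Reply-To are exactly what a hurried reader of a mail client that shows only the display name never sees.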
Companies should take information security seriously
Companies are well advised to keep information security in mind. The term covers a lot of ground, but the goal is always the same: information security protects information against dangers and threats, avoids economic damage and reduces risk.
In German-speaking countries, the IT-Grundschutz ("IT baseline protection") approach to information security is widespread. It was developed by the German Federal Office for Information Security (BSI). IT-Grundschutz is intended to give companies an adequate and sufficient level of protection for IT systems with a normal protection requirement, at reasonable cost. Its recommended measures cover infrastructure, organization and personnel as well as the IT systems, networks and applications themselves.
Paying attention to information security for reasons of self-protection alone
Information security is a challenge for every company, and one it cannot avoid. To understand why, it helps to remember that information is one of a company's greatest assets. Since information in many cases determines a company's economic success, data and information are particularly worthy of protection. At the same time, companies are required by law to ensure information security. Data protection law (in the EU, the GDPR), for example, regulates the handling of personal data.
Three so-called protection goals describe what information security has to achieve, and how well a company meets them shows how well it is positioned. A company that meets all three is comparatively well protected against attacks. The three key words are confidentiality, integrity and availability. Let us take a closer look at them.
Information security protection goals: confidentiality, integrity, availability
In the context of information security, confidentiality means that data and information can only be accessed and processed by people who are authorized to do so.
The protection goal of integrity means that digital data cannot be altered without the alteration being detected. Since changes to data are a normal part of everyday business and cannot be prevented as such, the focus is on making every change traceable: who changed what, and when, so that unauthorized changes stand out.
Availability means that IT systems and the data they hold are usable by authorized people whenever they are needed. Logically enough, the opposite of availability is system failure, and that is rightly regarded as a horror scenario because of the economic damage it causes.
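To make "cannot be altered without being detected" and "traceability of changes" concrete, here is an added example that is not part of the original article: a small tamper-evident log of transfer approvals. Each entry is linked to the previous one by its tag, and every tag is an HMAC under an audit key, so editing an earlier approval after the fact breaks the chain at that point. The records, the field names and the key are constructed for the example.

```python
"""Tamper-evident log of transfer approvals: a hash chain sealed with HMAC.

Added example for this article, not code from the original text. The records,
field names and audit key below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Hypothetical audit key. In practice it is held by the logging service, not by
# the people whose actions the log records, otherwise they could re-seal edits.
AUDIT_KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS = "0" * 64  # tag assumed for the non-existent entry before the first one


def canonical(obj: dict) -> bytes:
    """Stable byte encoding so the same content always produces the same tag."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, prev_tag: str) -> str:
    """HMAC over the record and the tag of the entry it follows."""
    return hmac.new(AUDIT_KEY, canonical({"record": record, "prev": prev_tag}),
                    hashlib.sha256).hexdigest()


def append(chain: list[dict], record: dict) -> dict:
    """Add a record to the chain, linked to the previous entry and sealed."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    entry = {"record": record, "prev": prev_tag, "tag": seal(record, prev_tag)}
    chain.append(entry)
    return entry


def verify(chain: list[dict]) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        expected = seal(entry["record"], entry["prev"])
        # Both the link to the predecessor and the seal itself must hold.
        if entry["prev"] != prev_tag or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev_tag = entry["tag"]
    return -1


def build_chain() -> list[dict]:
    """Three constructed approvals, the kind of trail the finance department keeps."""
    chain: list[dict] = []
    append(chain, {"id": 1, "amount": 12500, "payee": "supplier-a", "approved_by": "m.schmidt"})
    append(chain, {"id": 2, "amount": 287000, "payee": "supplier-b", "approved_by": "m.schmidt"})
    append(chain, {"id": 3, "amount": 980, "payee": "supplier-c", "approved_by": "a.mueller"})
    return chain


def edit_approver(chain: list[dict]) -> int:
    """Rewrite who approved the large transfer; verify() reports where it breaks."""
    chain[1]["record"]["approved_by"] = "t.weber"
    return verify(chain)


def delete_middle_entry(chain: list[dict]) -> int:
    """Remove entry 2 entirely; the link from entry 3 no longer matches."""
    del chain[1]
    return verify(chain)


if __name__ == "__main__":
    print("intact:", verify(build_chain()))          # -1
    print("edited entry:", edit_approver(build_chain()))   # 1
    print("deleted entry:", delete_middle_entry(build_chain()))  # 1
```

Two caveats a practitioner would add: the scheme only detects changes by someone who does not hold the audit key, which is why the key must not live with the users being audited; and removing the newest entries leaves a chain that still verifies, so the latest tag has to be anchored somewhere else (a separate store, a timestamping service, a printed daily digest) for truncation to be noticed.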
Lack of information security leads to major damage for the company
Let us now recall the head of finance, Martin Schmidt, from the beginning of this article. When he fell for the CEO fraud, his company lost a lot of money. That the fraudsters chose CEO fraud as their attack method was almost incidental. They could just as well have targeted Martin Schmidt with a spear phishing e-mail, or with another method of so-called social engineering. Or perhaps they would simply have sent well-faked invoices, which Martin Schmidt would have paid without a second thought. Neither a firewall nor a virus scanner helps against any of these techniques, because they exploit people rather than technical flaws.
For this reason, it is important to make the people who work in a company aware of information security. Anyone who has not yet dealt with the subject, or only superficially, will be amazed at the creativity and precision with which fraudsters go about their work. They often spend months planning an attack down to the last detail, researching who approves payments, who the executives are and how they write. Then they strike, and wreak havoc within a very short time.
Refresh and deepen knowledge of information security through e-learning
Only those who stay up to date with the latest threats and scams can protect themselves and their company. Employees should be fully informed about potential threats, and internal information security policies and procedures, such as a second pair of eyes for every large or unusual transfer, must be established. In Security Island's e-learning, participants learn how this can be done and how CEO fraud can be detected and prevented in good time, using many practical examples.