Article by Benjamin Bachmann – CYBER WORKSHOP
The importance of cyber security is evident from the increasing coverage in the mainstream media. First, the encryption Trojan “WannaCry” appeared on all display boards in German railway stations. Numerous media outlets used these images to warn companies of their IT security failures. This trend is continuing: in December 2019, the University of Giessen gained nationwide media attention through the momentous attack by the malware “Emotet” on the university’s IT landscape. Emotet uses phishing e-mails to target the supposedly weakest link in the chain: the human being.
Even if a company’s IT landscape is equipped with modern technologies such as firewalls, Security Information & Event Management and clean vulnerability or patch management, the cyber criminals behind “Emotet” attack the weakest link in the chain: the employee. These attacks often begin with authentic-looking phishing e-mails, which the criminals use to exploit the inattention or lack of technical media competence of their victims and get them to unintentionally install malware. This way, the attackers often manage to access the company network with comparatively little effort and thus bypass most technical security measures.
Technology can be fortified easily; people need to be motivated and trained.
While it is true that computer technology can be armed against many attacks with the support of security software and hardware, this is not so easy for the people who develop, administer or use the application systems. If there is any security training at all, it is often boring compulsory training that is clicked away as quickly as possible because little practical knowledge is imparted. In addition to the lack of media competence, personal motivation is not demonstrated at all, or only poorly. But this is of central importance, because employees will only engage with the learning content if they have a personal interest in it; company data is probably treated just as dispassionately as a rental or company car.
The corporate culture must promote safe development, operation and use
So, if we want to make the IT landscape in a company secure, we have to look beyond technology and create a security-conscious corporate culture that naturally promotes the secure development, safe operation and safe use of IT through communication, cooperation and competition.
The Cyber Workshop is a gamified cultural change
This is exactly the kind of modern security culture we build together with you. In our “cyber workshop” your employees can work on their cyber skills. The approach is playful: each employee starts with a poster and a box of postcard-sized task cards. Whenever the learner has time to learn, they can search the cards for an interesting task to work on. Each card explains the personal motives for the learning content. The card also describes a task and gives implementation advice on how to approach the goal.
Finally, the card provides criteria for the successful completion of the task. At regular intervals, the players meet at the workshop meeting to discuss current security topics and the progress of the game. At this meeting, players and teammates decide together whether a task is considered completed. If this is the case, the player marks on their poster that they have completed this task.
Once all tasks of a difficulty level and topic have been solved, the player receives a matching robot sticker, which is stuck to the designated place on the poster. With this upgraded robot, the employee can demonstrate their learning progress to their boss and colleagues in a prestigious way. Our experience shows that this prestige alone, together with the parlour-like design of the cyber workshop, makes other employees curious to play along and motivates everyone to continue playing and learning.