One of the tasks that I still like to take on myself as Managing Director is security awareness training. We go to a company or organization and train the employees there on topics such as secure passwords, ransomware, browser certificates, email encryption and social engineering. This is always a particular challenge, as these training courses are ultimately as popular as fire safety training, first aid courses or data privacy training.
However, once you get into the subject, the questions arise almost automatically and the training becomes entertaining and instructive. And therefore also effective.
At least that’s the feedback we get: “The day after your training, we received a phishing email and our colleagues all reacted really well!”
That’s nice, of course.
A study by Bitkom has taken a close look at this and summarized it.¹ The article reports that 8 out of 10 companies in Germany train their employees in IT security. This training is an important part of preventing attacks such as phishing and malware. Companies are increasingly focusing on raising awareness, as the majority of security incidents are caused by human error. The Bitkom study shows that raising employee awareness is a central pillar of companies’ security concepts. At the same time, it points out that regular training and updates to security standards are necessary.
But what about generative AI? This technology has arrived in companies and become part of everyday working life. For you too. Whether you know it or not. And that’s a problem.
The temptation to make work much easier with ChatGPT or code-generating AI is great and understandable.
Our recommendation: Talk to your employees about AI tools and where they can and cannot be used. In particular, which data should not be entrusted to an AI model under any circumstances. Especially if it is not hosted locally, but with a large provider who may not handle sensitive data with the same care.
In addition, AI systems, just like humans, can of course be manipulated. Social engineering is also a threat to our artificial interlocutors, and they can become malicious if someone injects instructions from outside. We were able to prove this last year²: An attacker can manipulate AI to manipulate your employees. These and other dangers must be clearly communicated.
Perhaps a simpler example at the end: Copilot knows more than we would like. Just enter “api_key” together with the name of a service you want to access. The chances are good that you will get a useful answer.³ That may sound funny at first, but only as long as it’s a key that you don’t pay for yourself.
In short: Please talk to your team about these topics. If you need help, please do not hesitate to contact us.
¹: https://www.bitkom.org/Presse/Presseinformation/IT-Sicherheit-8-von-10-Unternehmen-schulen-Beschaeftigte (German)
²: https://www.zeit.de/digital/2023-03/cyberangriffe-microsoft-bing-chat-piraten/komplettansicht (German)
³: https://www.linkedin.com/posts/julian-white-8038973_ai-activity-7237047235056742401-mZ6-
CHRISTOPH ENDRES
CEO
sequire technology