Human vulnerability in the hacker's sights
Spear Phishing Threatens SAP Security
SAP data is among the most coveted targets of cybercriminals. The theft of sales and personal customer data, intellectual property and financial data, which provide leverage for insider trading, collusion and fraud, appears to be particularly rewarding. No wonder, then, that attackers are coming up with increasingly sophisticated methods to gain access to business-critical SAP systems. In addition to technical security gaps, the human factor is increasingly being targeted. To exploit it, the fraudsters send SAP users deceptively genuine-looking spear phishing emails, ostensibly in the name of superiors, employees or colleagues, having meticulously researched the necessary company and employee information in social media and other Internet sources beforehand.
In these phishing e-mails, the attackers embed plausible-looking requests to entice their potential victims to divulge highly sensitive data. To ensure that recipients open the incoming mails without thinking and follow the instructions, the fraudsters rely on tried-and-tested psychological tricks. Among the most common emotional levers are belief in authority (the hackers pose as a member of management and demand that the employee hand over financial data in order to gain an overview of business developments), time pressure, fear and curiosity.
Security Awareness Training
Many companies have now recognized the threat that spear phishing attacks pose to their SAP security. As a result, SAP customers are also showing increased demand for security awareness training to arm employees against phishing attacks. However, the classic offerings are not sufficient for this. Since the training courses focus on imparting theoretical knowledge within the framework of classroom training, e-learning and webinars, only the rational decision-making ability of the participants is improved.
Spear phishing attacks, on the other hand, target the quick, intuitive decisions of email recipients. Therefore, awareness training should be supplemented with spear phishing simulations that use real company and employee information to recreate authentic attacks. But instead of being hooked by the scammers, employees land directly on an interactive explanation page. Here, they are shown step by step how they could have recognized the fake e-mails: for example, by transposed letters in the sender address, or by deviating URLs or subdomains.
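The sender-address checks the explanation page teaches (transposed letters, deviating domains, a trusted name reused as a subdomain of some other domain) can also be run automatically over incoming mail. The following is an added example, not code from the article or from any vendor it describes; the trusted domains and sample addresses are constructed placeholders, and it goes slightly beyond the text by also flagging single-character substitutions such as a digit standing in for a letter.

```python
import re

# Constructed for this example: the organisation's own mail domains.
TRUSTED_DOMAINS = {"example-corp.com", "example-corp.de"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a value of 1 catches a swapped-in digit or a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by two adjacent letters being swapped."""
    if len(a) != len(b):
        return False
    d = [i for i in range(len(a)) if a[i] != b[i]]
    return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'subdomain-spoof', 'lookalike', 'external' or 'invalid'."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower().rstrip(".")
    for t in TRUSTED_DOMAINS:
        if domain == t or domain.endswith("." + t):
            return "trusted"  # a host under a domain the organisation controls
    for t in TRUSTED_DOMAINS:
        # Trusted name used as a leading label of a foreign domain,
        # e.g. example-corp.com.secure-login.example
        if ("." + t + ".") in ("." + domain + "."):
            return "subdomain-spoof"
    for t in TRUSTED_DOMAINS:
        if is_transposition(domain, t) or levenshtein(domain, t) <= 2:
            return "lookalike"
    return "external"


def triage(addresses):
    """Map each sender to its verdict; anything other than 'trusted' or 'external' needs review."""
    return {a: classify_sender(a) for a in addresses}
```

A verdict of "lookalike" or "subdomain-spoof" is a signal for review, not proof of an attack; a real deployment would also consult the list of registered company domains and the mail's authentication results.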
Phishing simulations are particularly effective because they take advantage of an employee's "most teachable moment" and make them aware of their mistake directly during the attack. This "shock effect" ensures that they will be more careful with incoming emails in the future. To ensure that the learning effect continues, spear phishing simulations should be repeated and updated regularly. To prevent employees from feeling that they are being monitored or even tricked, companies should communicate planned phishing simulations in good time.
It is also important to align training with the individual learning needs of employees and to document learning progress. The Employee Security Index (ESI) provides a realistic and reproducible method for measuring awareness. The ESI provides tangible and reliable metrics on employee security behavior in phishing simulations of varying difficulty. This enables a company to communicate the learning progress of its workforce and define a common goal for which IT security officers, management and employees are pulling in the same direction.