Editorial
Human risk factor
A few weeks ago, another warning came from IT: cyber criminals are sending out job application emails with Trojans or other malware attached.
The problem with these emails is that they are no longer recognizable as a potential cyber attack at first glance. In the past, the texts were usually written in bad German, or the sender's address almost screamed "Attention! Attack!". Today, the sender's address contains ordinary, common names and the cover letter suggests a serious application, and then the disaster has already happened: one click on the attachment, for example, sets encryption software in motion, and the process ends with a demand for money.
This scenario shows that hackers are increasingly targeting the weakest link in the cybersecurity chain - people. In the known cases in which human vulnerability was used as a gateway into companies, the cyber criminals deliberately relied on the good faith or even ignorance of employees. Who would expect to fall victim to a hacker attack? This is confirmed by studies, including a survey by the management consultancy and auditing firm Deloitte. Its "Cybersecurity Report 2017 - Cyber Risks in Companies" describes the careless handling of data and security standards by employees as by far the greatest source of danger.
The BSI-ZVEI security survey 2018 "Security situation picture of the German electrical industry" paints the same picture: survey participants were asked to use a free-form field to describe one serious incident affecting the office and one affecting the production area. According to the ZVEI, the descriptions indicate that the electrical industry is affected by the same attack trends as other industrial sectors and that no different approaches or types of attack could be identified. What is interesting in this context, however, is that in the office sector, the human factor or human error was cited as the main cause at 57%, whereas in the production environment "only" 22% of incidents were due to human error. According to the ZVEI, one possible explanation for this is the high proportion of skilled workers and specialized IT systems in production, while in the traditional office, IT amateurs operate the systems.
This shows that cybersecurity is not just a technical issue, but also one of employee training. Companies need to train their employees to handle data and IT infrastructure with greater care. But even more importantly, the right approach must be practiced - from management level right down to production.











