CENTOGENE GmbH


Security Awareness of Employees: Sorry, Are You One of Us?

CENTOGENE is a biotechnology company focused on rare diseases that transforms real-world clinical and genetic data into actionable information for patients, physicians, and pharmaceutical companies. With the help of TÜV TRUST IT, a member of the TÜV AUSTRIA Group, the biotechnology company launched a campaign to identify and ward off potential attacks. In the areas of “unauthorised building access”, “handling compromising e-mails” and “handling third-party / found hardware”, the fake “attackers” of TÜV TRUST IT thoroughly tested the employees’ security awareness and made them further aware of the important role each person plays in upholding information security.

Initial situation

TÜV TRUST IT is fully committed to helping organisations guarantee IT and data security. To help ensure this, the awareness of a company’s employees is essential. CENTOGENE wanted to expand this awareness and launched a security awareness campaign with the help of TÜV TRUST IT. The aim of this awareness campaign was to raise the awareness of the employees to such an extent that attempted attacks via social engineering or targeted phishing campaigns could be detected and fended off at an early stage.

A success: The awareness campaign put the effectiveness of the current safety measures and awareness of the employees at CENTOGENE through a rigorous test. As a result, the company will now be able to establish improved targeted measures in order to further increase the security level.

Approach

At the start of the project, TÜV TRUST IT and CENTOGENE jointly defined the appropriate campaign modules based on the various attack scenarios. The focus was on three main areas – unauthorised access to the building, careless use of USB sticks and careless handling of malicious emails.

To gain unauthorised access to a building, the consultants at TÜV TRUST IT used various approaches. Whether disguised as a technician or by inconspicuously accompanying groups of employees after a lunch break, the goal was always to enter the premises unnoticed.

Furthermore, USB sticks that were camouflaged with the company logo were positioned in front of the building. Private and business-like files were stored on the USB sticks, including a PDF file called “Salary List.” Monitoring the unauthorised execution of this file made it possible to register user behaviour and to derive appropriate measures.

The handling of malicious emails was also tested. Different phishing emails were prepared and sent. The phishing campaign was divided into four stages. At each stage, the degree of individualisation of the email rose further, so that the awareness of the company departments could be precisely evaluated.

Benefits

For Tobias Franz, project manager at TÜV TRUST IT, the project at CENTOGENE is a very good example of how an awareness campaign within an organisation can help to specifically measure employee safety awareness and implement improvements if needed.

“It is not only the IT and IT security officers’ speed of reaction that deserves a positive mention, but also that of the employees themselves. They reacted very quickly to the simulated attacks and did not make it easy for us to attack them via phishing emails. Overall, the employees have a very good awareness, which of course should continue to be maintained and expanded by means of awareness trainings,” summarises Franz.

Fortunately, the feedback from the awareness campaign was consistently positive.

Some said they were unaware of their personal importance in relation to information security before the awareness campaign.

The experience gained as part of the campaign now helps them to behave more attentively and underlines the importance of security awareness education.

“I am pleased to see that our training courses and data security measures have enabled our employees to pass the test with flying colours. This result also underlines the necessity and effectiveness of our training measures,” commented Dr. Volkmar Weckesser, CIO of CENTOGENE, on the results of the campaign.