In the end, it all comes down to human beings: At the first IT Security Arena, colleagues learned how to build the best-possible line of defense for sensitive information. The format is scheduled to be used group-wide.
Over and over again, the group cast fishing lines from the two mini-poles into the cardboard “in-box” (a simulated e-mail address) and then reeled in one card after the other. The texts on the cards were then read aloud, analyzed and discussed. The messages came from e-mails like those each of us finds in our own in-box every day. Many of them were sent with evil intentions in mind – to steal transaction numbers for online banking or to snare passwords. This is why experts describe such cybercrime as “phishing”: Criminals toss out bait to lure us into sharing confidential information.
One key focus of the first IT Security Arena organized by Volkswagen in Wolfsburg was the way to correctly classify the 27 e-mail texts fished out of the symbolic in-box: A scam or not? The participants intensely discussed the difference between reliable information and criminal intent. Does the sender raise suspicions? Is the text filled with spelling and grammar errors? In the end, the participants had to make a decision.
The six groups consisting of a total of about 50 people were also able to earn points at five other stations – “information classification,” “password hacking,” “cybersecurity,” “social engineering” and “safe surfing.” The same fundamental idea applied each time: Colleagues from the broadest range of Group departments were to learn in a playful manner how to responsibly deal with sensitive information and to protect themselves from scams in the best-possible way. There was also something to be won: The two groups with the most points received a prize – a power charger that comes in an exclusive 4U design.
“Information security is not just an issue for specialists – it is everybody’s business. And that means both at work and at home.”
Every fourth company in Germany has been the target of cyberattacks in the past two years. The annual damage inflicted by these assaults totals about €43 billion, Hofer said. Volkswagen processes a large amount of sensitive personal data. Hackers also are gaining new attack opportunities as vehicles become increasingly connected. “In this area, we want to offer added value, like updates over the air,” Hofer said. “On the other hand, we have to be able to reliably prevent vehicle functions from being manipulated.”
Volkswagen can achieve this only if all of its employees understand the tremendous importance of information security – in areas like the creation of passwords: At one station, the group members were asked to guess five passwords for a fictitious shopping website from the imaginary Facebook profile of “Peter Pan.” The participants were amazed to see just how easy the whole process is: The birthday “12051960” yielded the first hits. The next ones were produced by the first names of wives and daughters.
The fastest group needed just 2.5 minutes to come up with all five passwords. “This is pretty close to real life because many passwords consist of such personal information,” trainer Julian Zeug said. “You should really think closely about the amount of information you want to reveal on social media or at a party.” Zeug recommends that people use password management software such as “KeePass,” which can be used to safely store passwords for various websites and can be downloaded in the i.do Store.
The feedback that participants provided about the event has been consistently positive. The playful way that the topic was presented was well-received: “This is a completely new and interesting way to learn,” said Florian Hellfeuer of Group Research. “I was astonished to hear about the tremendous costs that data leaks can cause at companies.” This was the topic covered by the station “cybersecurity”: At this station, the groups had to guess how much data theft and blackmail can cost companies. The range extends all the way up to a nine-figure total per case. “This station was designed to clearly show participants just how much damage hackers can cause,” trainer Patricia Zan said.
Silvia Salis from the HR Department was introduced to the ISI catalogue tool at the “information classification” station. With the help of this tool, people like Salis can classify Volkswagen documents into four categories: public, internal, confidential and secret. “We have to classify our own documents, and we will use the ISI catalogue in the future to do so,” she said. She also plans to encourage her colleagues to take part in the IT Security Arena.
After all, one thing is now clear: Following the successful test, the format is to be used throughout the company. The reason for this is clear as well: No matter what sort of technical safeguards are put into place, information security still boils down to people in the end.