From unpublished financial figures to customer data and reports broadcast on TV, information and data – “digital assets” – are of essential importance to Bertelsmann. As a media and services company, the Group has access to confidential data on the one hand, and on the other this information represents a great deal of value that needs to be protected against unauthorized access. In the digital age, dealing with digital assets in the workplace is associated not only with new opportunities, but also with challenges. You open an apparently harmless email, insert a colleague’s USB stick, or click on a seemingly harmless link – and before you know it, your computer has a virus, which usually goes unnoticed at first. From program errors to extensive spying on confidential data – the effects can be fatal for companies, and the economic damage can be huge. In addition to sophisticated, constantly updated security technology in networks and on computers, it is necessary that users, i.e. the company’s employees, are aware of the sensitivity of the digital information they handle every day – and of how they are to handle it. For this reason, the Corporate Information Technology department at the Bertelsmann Corporate Center has developed an online “Security Awareness Training” program on peoplenet.
Bertelsmann employees will now gradually receive an email with a link that invites them to participate in training on peoplenet that is relevant to them and their company. Where peoplenet is not yet available, the tutorials will be offered soon after the introduction of the system.
“In addition to the risk arising from the further increase and professionalization of cyber-attacks, it is often the little, involuntary mistakes in handling information and IT systems that result in the loss of confidential information,” explains Mark Kellermeier, Director Corporate IT & IT Governance at Bertelsmann. As part of the Bertelsmann Information Security Management System (ISMS), we regularly record the risks in connection with our digital assets (see BENET report). “Nearly every unit in the Group has identified security awareness as one of the top security issues,” adds Kellermeier. Based on this feedback, the cross-divisional Bertelsmann Information Security Board, the Group’s unit in charge of information security for all the divisions, tackled the topic and adopted a corresponding program, whose first part is computer-based training. “Our aim is to increase the knowledge and awareness of information security among as many employees as possible,” says Kellermeier. “And we can best achieve this with training via peoplenet – like the tutorials which were already successfully run for the Code of Conduct.”
The tutorial, which has already been carried out at some Arvato companies, was created by a cross-divisional project team together with the specialized external service provider Be One Development from the Netherlands. It takes 20 minutes, is available in six languages – German, English, French, Spanish, Portuguese and Chinese (Mandarin) – and is adapted to each division’s corporate design. The training content follows a typical working day of two fictitious employees to illustrate when and how a company’s employees come into contact with the topic of information security. In the course, the two employees do a lot of things right when handling sensitive information, but also do some things wrong. The task for the tutorial participant is to recognize this and correctly answer questions about the video clips. For example, in one exercise you have to find six indicators that point to a phishing email.
“Of course we realize that changes in the daily handling of sensitive information can’t be achieved by a 20-minute tutorial alone, so our Security Awareness Training is only the first step in the right direction,” says Kellermeier. That is why, he says, there will be further specific tutorials for individual target groups that are increasingly becoming a target for cybercriminals and their devious attacks, such as more technical training for administrators and more application-based training for accounting staff who are authorized to make payment orders.
“The right tone and presentation format are the key to success in making rather dry content like information security accessible – we hope we’ve succeeded in doing so with this tutorial,” says Kellermeier. He points out that individual training has already been carried out at a series of Bertelsmann companies. For example, RTL Netherlands informed staff about the subject through intranet articles, lectures and posters during a “Security Awareness Week.” (benet)