Security Awareness

Security awareness is the ability to recognize, understand and avoid threats and risks to information security in the company. Security awareness is not only a technical challenge, but also a cultural and organizational one. After all, the human factor is and remains the greatest risk to information security in a company. To address this problem, we as IT consultants offer you a holistic awareness concept:

  • Training & awareness workshops for end users and specialist staff:
    We train your employees in the basics and best practices of information security, such as password management, data protection, encryption, backup, etc. We sensitize your employees to the most common attack methods and scenarios, such as phishing, vishing, smishing, ransomware, etc. We teach you how you can protect yourself and your data and how you should react in the event of a security incident.
  • Phishing Campaign & Attack Simulation:
    We work with you to conduct realistic and customized phishing campaigns and attack simulations to test your organization's security measures, awareness and response capabilities. We provide you with comprehensive feedback on your strengths and weaknesses, as well as concrete recommendations for improving your IT security.
  • Red Teaming & Social Engineering:
    We conduct red teaming and social engineering exercises with you to test the security of your critical systems, processes and data. We use various methods and techniques to try to penetrate your network, steal your data or manipulate your systems. We show you where your vulnerabilities lie and how you can fix them.
  • Awareness platforms:
    We design and implement individual awareness platforms for you, which you can use as a central point of contact for all topics relating to information security. For example, you can use these platforms to offer and manage training materials, security tips, quizzes, feedback options, etc.
  • Awareness communication:
    We help you to design and implement effective awareness communication measures, such as newsletters, posters, flyers, videos, etc. We ensure that your employees are regularly informed and motivated about the latest security topics in a target group-oriented manner.
  • Management awareness:
    We advise you on the development and implementation of a security awareness strategy that fits your corporate culture and objectives. We support you in the definition and measurement of security awareness goals and key figures, as well as in the involvement and commitment of management. We help you to establish a security awareness culture based on trust, responsibility and appreciation.

Hybrid Social Engineering: (Spear-)Phishing, Smishing and Vishing

Hybrid social engineering is one of the biggest challenges for companies' IT security. Various methods such as phishing, vishing or smishing are used to obtain confidential information or access data from users or employees. The attackers exploit human weakness by triggering trust, curiosity, fear or other emotions in order to manipulate the victims.

To protect yourself from such attacks, it is important to regularly check and improve your own IT security. We offer you a professional service for this: the simulation of hybrid social engineering attacks.

We work with you to carry out realistic and customized hybrid social engineering attacks based on your context and situation. We use them to test your organization's security measures, awareness and ability to respond. We provide you with comprehensive feedback on your strengths and weaknesses, as well as specific recommendations for improving your IT security.

Spear phishing campaign

A phishing attack is used by an attacker to obtain usernames and passwords, which can then be used for further intrusion into the systems. Users and employees are asked, for example, to click on a link in an e-mail that leads to a website where they are required to log in. If users disclose their login information there, it is immediately forwarded to the attacker. The results of a phishing attack carried out as part of a security assessment reveal both the level of user awareness and the technical security measures in place that make this type of attack more difficult.

The phases of implementation are as follows:

  • Phase 1 - Information gathering
    • E-mail addresses using Open Source Intelligence (OSINT) via LinkedIn, XING, etc.
    • Layout/corporate design, current company events, e.g. as a background story
    • Darknet research including information sources that are usually used by attackers
  • Phase 2 - Selection of a suitable phishing scenario
  • Phase 3 - Creating the phishing domains, email recipient list and individual phishing website
  • Phase 4 - Creation of the phishing e-mail
    • Optional: Creation of individual "malware" without actual malicious function
  • Phase 5 - Fine-tuning of the e-mails and e-mail dispatch, bypassing any existing protection mechanisms
  • Phase 6 - Start of the campaign with sending the emails
  • Phase 7 - Anonymized evaluation after agreed time / statistics generation
  • Phase 8 - Creation of results report and provision of a clarification e-mail

Vishing campaign

A vishing attack is used by an attacker to obtain personal or financial information, which can then be used for further intrusion into the systems or for a fraudulent transaction. Users and employees are asked, for example, to call a certain number, enter a code, make a payment or disclose sensitive data. If users disclose their information there, it is immediately forwarded to the attacker. The results of a vishing attack carried out as part of a security assessment reveal both the level of user awareness and the technical security measures in place that make this type of attack more difficult.

Smishing campaign

A smishing campaign is used by an attacker to spread malware or to obtain personal or financial information, which can then be used for further intrusion into the systems or for a fraudulent transaction. Users and employees are asked via SMS, for example, to click on a link in the message that leads to a fake website where they are asked to enter their login details or other sensitive information. The text messages can also contain false offers, competitions, warnings or other incentives to lure victims. The results of a smishing campaign carried out as part of a security assessment reveal both the level of user awareness and the technical security measures in place that make this type of attack more difficult.
