Frank, you originally worked as Head of IT before moving into security awareness. How has your perspective on IT security evolved during that time?
Frank Queißer: I worked at a small, mid-sized manufacturer of liquefied gas systems. As Head of IT, you’re responsible for everything - technology, personnel, strategy, budget, projects - but also IT security. What really triggered a shift in my thinking was the increasing number of attack attempts and security incidents. Technology was never the issue; I had a great, highly vigilant team that reacted immediately. But there were also employees who didn’t. That’s what kept me up at night. That’s why I firmly believe that all employees - whether in IT or HR - need to be brought on board.

What exactly do you mean by “bringing employees on board”?
Frank Queißer: If your CEO says, “We’ve already implemented comprehensive firewall and endpoint protection solutions. Why do we need additional measures?”, my answer is: “Because we’ve failed to sufficiently involve our employees in reducing security risks.” It’s our responsibility to inform employees about threats and provide guidance on how to act. A classic example: you see an unknown person walking around the company—many people ignore it and walk away. The correct behavior would be to approach them, ask for identification, and escort them to reception. Examples like this quickly make a CEO realize: “You’re right, I underestimated this. Let’s evaluate it.”
How do you practically build this awareness?
Frank Queißer: There’s more behind security awareness platforms than people think. I compare it to driving school: you learn the theory, but how do you react when a phishing email lands in your inbox? What do you do with an attachment if the antivirus flags it? That’s the practical side. It’s like someone who owns a Ferrari but only drives it around the block once a week—on the highway, they’d feel unsafe and could cause an accident. Employees need to understand that.
Are there simple ways to measure the level of awareness?
Frank Queißer: Free phishing tests or platform assessments are a great starting point. They provide quick and easy insights into whether training content is actually being understood. At the same time, they help gauge employees’ baseline security awareness and uncover hidden knowledge gaps.
How do you ensure the long-term effectiveness of security awareness?
Frank Queißer: It needs to be deliberately designed and continuously reinforced. Nothing is worse than awareness that isn’t sustainable. Anyone who implements awareness measures is already doing better than doing nothing. If the goal is just to tick a box for cyber insurance, automated training may be enough. But if we truly want to build a security culture, we need carefully selected training that engages employees and has a lasting impact.
How do employees respond to the training?
Frank Queißer: Not everyone learns at the same pace, and there are different reasons why people might not participate—technical barriers, distributed work environments, or unsuitable devices. We need to take that into account and meet employees where they are. At the same time, we see positive effects: some employees even repeat the training—not because of technical issues, but because they want to revisit the material at home. One customer even completed the training together with his wife. That shows the real value of these programs. It’s important to approach all stakeholders with empathy, ensuring everyone reaches the right level of knowledge and minimizing risks for the company.
Do you have concrete examples where awareness really helped?
Frank Queißer: Yes, a real-life case: an employee identified a fraudulent email—a manipulated invoice—using the reporting button. He reported it, we discussed it, and presented it in a company meeting. Employees said they were glad they had completed the training. It shows that combining real-life scenarios with awareness training is highly effective.
How do you assess the future relevance of security awareness?
Frank Queißer: Awareness will remain essential because hacker groups are becoming increasingly sophisticated. In the past, attacks were easier to detect; today, they are highly organized and use modern tools. We must educate employees: how to recognize threats, how to respond, and what’s currently happening. Compliance requirements such as NIS2 also make awareness mandatory. Many companies and public institutions still have catching up to do. Awareness will remain a long-term priority.
Frank Queißer is Head of Security Awareness & CTO at Cyber Samurai GmbH. He is responsible for the strategic direction and implementation of security measures to strengthen awareness of cyber threats among Cyber Samurai’s clients. Previously, he served as Head of IT, where he managed the company’s entire IT infrastructure and played a key role in digitalization and process optimization. His expertise in IT strategy and implementation helped the company operate more efficiently and securely. Earlier in his career, Frank spent nearly eight years working in sales at an IT system house, gaining valuable experience in customer management and developing tailored IT solutions across various industries.