english deutsch

Dr Walk from Emplawyers on the topic of Human Firewall

published April 2018

Recently I spoke to Kevin Ekeland from PNW Management Consulting on the The Cyber Security Savvy Employee, today I have the great pleasure to talk to Dr. Frank Walk from Emplawyers to discuss how and what this could look like in Germany/Europe.

Dr. Frank Walk

Frank as you know I discussed with Kevin that the normal "code of conduct" in many companies tends to be rather "mundane/boring" for employees, which often fails to get the critical attention from employees, would you agree with this?
For sure, training and an "exam" should be as attractive as possible. What tends to be very effective is live training. EMPLAWYERS not only recommends this to our clients but we do these trainings in house too. If you consider it from a liability point of view, training is only helpful if it communicates the contents effectively.
In principle, of course, it is also a question of culture, how something is practiced in the company. Often Code of Conduct / Code of Conduct or any other training, serves the management only as a “window dressing/fig leaf" and are mainly viewed from the cost side. But that is legally and generally dangerous. On the other hand, one must also say that a“click through" training is still better than no training at all. But it would always be better to have a training that is interactive, as it is much more efficient.


When I look at how critical it is for companies to ensure they limit their cyber risks, I found the idea that ThreatReadyResources offers really unique and different, what is your opinion on this concept?
I find the concept as the right approach, and also very interesting and innovative, I believe that in the present digital age, this concept can be more successful than the usual models / concepts, since a higher learning success would be possible here. Important to remember is only that there is a proof of training at the end.


As we all know Europe and specifically Germany tends to be a bit more complicated with data privacy and data protection, would this type of training be possible here too?
Basically, there are no rules how these trainings must be held or done, however there are two aspects that are important to consider. One is the involvement of the works council (if applicable), as they have a co-determination right for trainings in companies. The other topic that should be taken into account is that the test results of the employees are also documented correctly under data protection aspects.


Besides that the employees would have higher awareness, where else would you see the advantages in this new type of training with the code of conduct?
If the concept does what it promises that employees can remember more, it will also have business benefits, as it truly minimizes risks and effectively avoids company or corporate liability vis-à-vis third parties and even data protection authorities.