IT security? Don't we have a Chief Information Security Officer (CISO) for that? But however good the digital lock the CISO installs, if the staff are careless with the key, the organization is still as leaky as a basket. IT security therefore concerns every employee. But how do you make everyone aware of this?
It is a common complaint from IT decision-makers: many people in the organization think that IT takes care of it. Wrongly so, because security is not just about technology but also about behavior, says Dr. Henk Jan Jansen, who is associated with HJ Interim as a security expert. This consultancy regularly maps out for its clients how secure the behavior of employees is and advises on it. Behavior is key, he says.
At the same time, behavior is difficult to capture in figures. For many organizations it is hard to find out how digitally mature their employees are. Dr. Jansen therefore always starts with an investigation, also known as a baseline measurement. In a questionnaire, employees indicate how they respond to everyday security situations.
Realizing behavioral change
HJ Interim compares the results with the security policy and with additional surprise tests, such as an unexpected phishing email. Dr. Jansen: “We check in which departments the phishing email is clicked and whether employees report the phishing email to the internal reporting center. You should always put a dipstick in the organization.” Dr. Jansen adds that the policy must also “always be compared with how the organization actually acts on the shop floor.”
The goal is to achieve behavioral change in your employees. That is something that has to grow, says Dr. Jansen. These are the five points of attention for organizations that are working on higher security awareness among employees.
1. Promote the procedures
Even more interesting than who clicks on a sneaky link in an email is the percentage of employees who report such a suspicious email upon receipt. In HJ Interim's experience, a third of the participants in the baseline measurements indicate that they are not familiar with their own security procedures: what they may do and where they can turn.
“Employees who are not aware of the internal procedures for reporting security incidents: that is a problem for many organizations. Those employees simply throw away such a phishing email.” Working on awareness of the reporting procedures is therefore advice he gives often.
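The baseline measurement described above and the report rate of point 1 only become useful once the campaign results are turned into figures per department. The following is an added example, not HJ Interim's own tooling: it scores a constructed phishing-simulation log (the `RECIPIENTS` and `EVENTS` data are made up for illustration) on click rate, report rate, the number of people who clicked but never reported, and whether the internal reporting center heard about the mail before the first click, which is the figure that decides whether the reporting procedure could have stopped a real attack.

```python
"""Score a phishing baseline measurement per department.

Added example with constructed data; not HJ Interim's tooling. A real campaign
would export the same kind of events from the phishing-simulation platform and
from the internal reporting mailbox or ticket system.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed: who received the test email and in which department they work.
RECIPIENTS: Dict[str, str] = {
    "alice": "finance", "bob": "finance", "carol": "finance", "judy": "finance",
    "dave": "sales", "erin": "sales", "frank": "sales", "ivan": "sales",
    "grace": "mgmt", "heidi": "mgmt",
}

# Constructed events: (employee, action, minutes after the email was sent).
# "clicked"  = followed the link in the simulated phishing email
# "reported" = forwarded the email to the internal reporting center
EVENTS: List[Tuple[str, str, int]] = [
    ("alice", "reported", 4),
    ("bob", "clicked", 11),
    ("carol", "clicked", 15),
    ("carol", "reported", 18),   # clicked first, then reported: still counts as a report
    ("dave", "clicked", 2),
    ("erin", "reported", 30),
    ("frank", "clicked", 45),
    ("grace", "clicked", 7),
    ("heidi", "clicked", 9),
]


@dataclass
class DeptScore:
    recipients: int = 0
    clicked: int = 0             # distinct employees who clicked at least once
    reported: int = 0            # distinct employees who reported at least once
    clicked_unreported: int = 0  # clicked and never reported: the silent failures
    first_click: Optional[int] = None
    first_report: Optional[int] = None

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients

    @property
    def report_beat_click(self) -> bool:
        """True if the reporting center knew about the mail before anyone clicked."""
        if self.first_report is None:
            return False
        return self.first_click is None or self.first_report < self.first_click


def score(recipients: Dict[str, str],
          events: Iterable[Tuple[str, str, int]]) -> Dict[str, DeptScore]:
    scores: Dict[str, DeptScore] = {}
    for dept in recipients.values():
        scores.setdefault(dept, DeptScore()).recipients += 1

    actions_by_employee: Dict[str, set] = {}
    for employee, action, minutes in events:
        if employee not in recipients:
            raise ValueError(f"event for unknown recipient {employee!r}")
        if action not in ("clicked", "reported"):
            raise ValueError(f"unknown action {action!r}")
        dept = scores[recipients[employee]]
        actions_by_employee.setdefault(employee, set()).add(action)
        if action == "clicked":
            dept.first_click = minutes if dept.first_click is None else min(dept.first_click, minutes)
        else:
            dept.first_report = minutes if dept.first_report is None else min(dept.first_report, minutes)

    # Count each employee once, however many times they clicked or reported.
    for employee, actions in actions_by_employee.items():
        dept = scores[recipients[employee]]
        if "clicked" in actions:
            dept.clicked += 1
        if "reported" in actions:
            dept.reported += 1
        if "clicked" in actions and "reported" not in actions:
            dept.clicked_unreported += 1
    return scores


def ranking(scores: Dict[str, DeptScore]) -> List[str]:
    """Departments ordered from best to worst report rate, ties by fewest silent clickers."""
    return sorted(scores, key=lambda d: (-scores[d].report_rate, scores[d].clicked_unreported))


if __name__ == "__main__":
    results = score(RECIPIENTS, EVENTS)
    for dept in ranking(results):
        s = results[dept]
        print(f"{dept:8} click {s.click_rate:.0%}  report {s.report_rate:.0%}  "
              f"silent clickers {s.clicked_unreported}  report before first click: {s.report_beat_click}")
```

Read the output as the article suggests: the department with the lowest click rate is not automatically the best one. A department where nobody reports leaves the reporting center blind, while one where the first report arrives before the first click gives the security team a chance to act.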
2. Make the consequences of the GDPR transparent
Since the introduction of the General Data Protection Regulation (GDPR), security has largely been dominated by the careful handling of personal data. According to Dr. Jansen, this too is something that concerns all employees in an organization.
“Many employees do not realize how much personal data they process in their daily work. Take, for example, quotations that include names, e-mail addresses and telephone numbers. Not all companies issue work telephones, so private mobile numbers are often listed. The GDPR applies to that.” Many people are not aware of this, says Dr. Jansen.
Personal data also turns up in everyday work. “Suppose you take the minutes of a meeting. Your colleague mentions that she is pregnant and will therefore be absent for four months. What do you record then? The fact that someone will be absent is relevant information for the meeting. That the same person is pregnant is personal information.”
“It is usually not clear what you should and should not record. In this example, the personal information may only be included in the minutes with the explicit consent of the colleague concerned.” According to Dr. Jansen, organizations would do well to train employees to make conscious decisions about the processing of personal data.
3. Set a good example
Dr. Jansen does not notice any major behavioral differences between the departments of the organizations he visits. What is often noticeable, however, is that management participates less enthusiastically in the investigations when these are initiated mainly by the CISO or Security Officer.
“Many people click on links in phishing emails, even when they know a test is coming. Recently, the manager responsible for the test had himself clicked on the infected link in a phishing email. We are no longer surprised by that either.”
If management does not itself show secure behavior, this demotivates the rest of the organization, Jansen concludes from the figures. “In programs in which the management team also actively participates – where the board itself gives the presentation, for example – the results are significantly better. That is where the subject really comes to life in the organization.”
4. Cultivate alertness to suspicious behavior
Another thing that has often become ingrained: collegial behavior that creates security vulnerabilities. In large organizations where employees need a pass to enter a department, people often hold the door open for each other. Don't you know the employee personally? Then you shouldn't do it, says Dr. Jansen.
“For the malicious outsider, rush hour at the entrance gates is the moment to get in.” The same applies to lending an access pass to a stranger. “That also happens regularly.”
Access passes can also be used to visibly distinguish who may and may not enter a secure area. “If all employees have to wear a pass in such a secure area, you can quickly identify unauthorized visitors. And you can follow them once they get in.”
And what if a stranger is snooping around the department and behaving strangely? Will someone intervene? Dr. Jansen: “In our experience, many people do not notice it. Many organizations need training in alertness. Too often suspicious cases are considered harmless.”
5. Make it fun and challenging
Drawing up a protocol is done quickly. Changing behavior has a different horizon, however, says Dr. Jansen: “Information security is not a product but a process. That takes time and energy. You really have to want to change.”
Speeding up that process is not only a matter of requirements and control, he believes. “You also have to keep it pleasant. If someone does not lock their screen while away from their desk, at lunch for example, and a colleague sees that, it costs them a treat. So make it a competition. This gradually creates a self-monitoring organization.” Dr. Jansen adds: “So also reward the desired behavior. For example, organize a fun outing for the people who have submitted the most relevant security reports.”