How safely does your organization work? What is the effect of your security awareness program? Does it affect employee behavior, and are your efforts worth it? Roland Anthonijsz, security & data protection officer at the DELA cooperative, asked himself these questions. To gain more insight into the security culture of the organization and the effect of awareness training, DELA used the security awareness scan of Infosequre.
Measuring the effect of an awareness program
"At DELA, we attach great importance to information security. Like all other players in the financial industry, we are increasingly confronted with phishing, malware and ransomware attacks. However, we must also not forget the "insider threat". Improper employee actions can result in a serious data breach”, says Roland.
"Because a mistake was made that way, we wanted to know the effect of our awareness program. Are our people well prepared? Or do we have to repeat certain topics? And what’s general stance in terms of cyber security? The security awareness scan has provided us with answers to these questions. "
Security awareness scan: 3 steps
The security awareness scan starts with an audit. With this we map the maturity level of your organization when it comes to awareness. We take a closer look at policy and the security awareness processes that have been set up.
The audit at DELA showed that the organization is quite mature when it comes to security awareness. That was no surprise to Roland. Before the funeral insurance company, (with branches in the Netherlands, Belgium and Germany), approached Infosequre, it had already done a lot to raise awareness.
"We have launched awareness programs before. We also regularly publish articles internally and we have even developed our own training, "Roland explains. "But it was not an inviting course. The subject was dry because it mainly consisted of text. No videos or images were actually used and there was hardly any interactivity.”
“If you want to achieve your goal, an awareness training must not only be correct in terms of content, but also fun to follow. This was the main reason for further searching. After all, most employees will have to follow the awareness training.”
The audit is followed by a survey that maps out 3 factors:
- the attitude of your employees towards safe working
- the extent to which employees believe that information-safe working is important to the organization
- the extent to which employees feel that they are well equipped to work safely
Together these 3 factors form the starting point for a growth plan. At DELA, the survey was distributed to all 1,800 employees. The results showed that the people in the organization are very involved and want to work safely.
"Our corporate culture exudes our so-called BIO values: commitment, integrity and entrepreneurship," explains Roland. "These core values are prominent in progress discussions between employee and manager and are even part of our assessment cycle. This also includes good housekeeping: responsible handling of data from our customers and members. "
"The culture measurement showed that employees are aware of the risks, but do not always have the right tools to work safely"
Although DELA employees think it is important to handle confidential information carefully, they were found to be missing concrete tips and tricks. Roland explains: "Our employees are intrinsically motivated to handle data with care, but sometimes still miss concrete instructions: How do you send a file securely? How does a password manager work? How does VPN work at DELA? You can see that awareness training encourages you to think about these types of topics. That is what you need to achieve your goal. It shows commitment. "
We conclude the security awareness scan with a workshop in which we discuss outliers in the research. During the workshop, 15 people were given the opportunity to explain their vision of information security at DELA based on the topics in the survey.
In the field of onboarding, it turned out that, apart from freelancers and temporary workers, most employees feel well informed about the applicable security guidelines. The freelancers and temp workers do not follow the same route as DELA’s own employees, so they missed information.
"Are our people well prepared? Or do we need to repeat certain topics? And where do we generally stand in terms of cyber security? The security awareness scan has given us the answers to these questions."
Another point of attention is the findability of the guidelines in the field of information security. Although the majority of employees indicate that they know where to find the guidelines, no one can give the exact location.
The 3 parts of the culture scan complement each other and thus identify the most important challenges.
Roll out awareness training
DELA started the security awareness scan after employees had followed security awareness e-learning for some time. "In retrospect, we would have liked to have done the scan prior to the training as a baseline measurement," says Roland. "When we started, however, the scan was not yet part of the service package."
“The training sessions were very good. We've got a rhythm going. We publish a new training every month. Because the training courses are short, the time investment for our employees is manageable. This is important, because they must follow many other training courses in addition to information security.”
“The programm encourage employees to think. That's what you need to achieve your goal”
"When rolling out the program, we look at what is going on inside and outside DELA. What do employees have difficulty with, and which topics are related to this? What threats do we see in the media?
As far as the content of the training courses is concerned, we have opted for generic content. In retrospect, I would have preferred to do it differently. Sometimes things work differently for us than they are shown in the training. That leads to questions. I prefer to focus some topics on our specific situations next time. It is good to know that this is possible at Infosequre. Overall, we are very satisfied. "
"During the entire process, Infosequre thinks along with you and questions are answered quickly. In addition to the scan and e-learning, we are also considering using the security awareness escape room when the pandemic is over. We also look forward to getting started with the new interactive modules that have been developed. Repetition is necessary. We also get the feedback from employees that they like repetition. "