The human factor is a key to cybersecurity strategy

Interview with Olivier Antoine, Head of Information Security Management at POST CyberForce.

Why are humans such an important part of a company's cybersecurity strategy?

Companies need to protect their information, whether physical or digital. Moreover, threats do not come from outside the company alone. Internal threats are all too real, and all too often overlooked.

Human error is said to be at the root of 75% of computer security and cybercrime problems (source: FEDIL). The four human traits identified as possible triggers for security incidents are ignorance, routine, naivety and negligence. It is therefore important to raise awareness among your teams and ensure everyone understands their role, in VSEs, SMEs and large companies.

Hackers are well aware of these flaws and quick to exploit them. In particular, attacks increased during lockdown in March when employees felt safe at home and lowered their guard.

How to effectively create an information security culture in a company

The first step for a company, after drafting its information security policies, is to educate staff. It is clear that a 50-page policy document won’t work. Employees will see it as an extra burden and therefore not read it.

To remedy this, companies can first of all raise awareness among their teams through easy-to-view content (infographics, videos, etc.). Then, more “fun” initiatives can take place to consolidate the culture and ensure everyone feels involved and engaged. The aim is for employees to understand that they have a role to play in security and that security is a matter for everyone in the company.

Can you give us examples of initiatives that have been tested within POST?

POST has introduced several initiatives, particularly with a view to establishing performance indicators allowing us to quantify the impact of our various cybersecurity awareness campaigns.

The first initiative (which we referred to as a “happening”) involved checking whether the company’s various departments were complying with the Clean Desk Policy. After an awareness-raising video was posted on the company's intranet simulating a theft of information by Martians, the ISM team decided to go around the offices at night and place a card with a green alien on the desks that complied with the Clean Desk Policy and a card with a red alien and a reminder of the rules on the desks that did not comply. This initiative certainly made an impression on members of staff, some of whom are still talking about it!
The other thing we do on a regular basis is conduct internal phishing tests, as most incidents are now from data theft via phishing. We recently used our marketing department's e-mail address, with a subtle change of domain name, to run an internal competition to win a prize. Employees were invited to participate by registering via a link and providing personal information. Employees can easily let their guard down in such situations, but those who responded to the competition were reminded of the rules to follow.

What is your most amusing memory in terms of cybersecurity awareness?

The funniest incident I can remember occurred during an awareness campaign for a company in the banking sector in Belgium. In order to raise users’ awareness of physical security, the customer asked me to take a secure wheeled bin out of the building without using the access pass that allowed me to open the doors. Strange as it may seem, no one looked into why a person in a suit was walking around the building with a bin. Worse still, as I didn't have an access pass, the staff kindly opened the various secure doors of the building to make my job easier. Cyber attackers are not always hidden away behind screens, so beware and make your teams aware!

What advice would you give to those who want to go further in setting up a “cyber-secure” environment in their company?

We must remain reasonable and not set overly ambitious targets that cannot be met.

Information security and its management as referred to in the ISO/CEI : 27001 standard must be continuously improved.

Why this standard? The standard provides a framework for the implementation of an information security management system (ISMS). It aims to implement a security management system in the company and to ensure its continuous improvement according to the “Plan – Do – Check – Act” cycle, within a predefined scope.

Measures and the level of security are then chosen according to the risks identified. Risk-based management requires a strong commitment from leaders: not only to validate these risks, but also to provide the resources – financial, human and technical – needed to implement the action plans.

While many businesses around the world are already applying this standard, companies in Europe still seem reluctant to adopt ISO 27001 and are even less willing to extend this approach to certification, which is still too often perceived as a long and expensive process. However, adopting this approach is the best way to set the whole company on the path to greater security awareness.

If you want to create a safety culture within your company, POST can help you build and implement an action plan.