Written security policies or e-learning campaigns are no longer enough to sensitise your employees to IT security issues. Instead, you must creatively and sustainably increase security awareness in your company.

43.4 billion euros – this is the amount of damage caused to German industry in the past two years by sabotage, data theft or espionage. Although companies are investing considerable sums in IT security, seven out of 10 industrial companies have been victims during this period, and one in five companies suspects that it has been.

What should we do? Invest even more in hardware and software to better protect corporate IT from attacks? “Those who continue to focus exclusively on technology neglect the human factor,” says Marcus Beyer, advisory lead for resilient workforce at DXC Technology. Too much reliance on technology, he believes, is the Achilles’ heel of most security efforts. Therefore, chief information security officers (CISOs) in the cloud and mobile age should attach special importance to the sustainable sensitisation of their employees.

“Launched phishing tests don’t help”

To make your workforce more resistant to external attacks, it is important to establish a safety culture within the company, designed with target groups and needs in mind. “The team around the CISO must first figure out what the employees’ attitudes towards safety issues are,” says Beyer. “It is hardly possible to find this out by evaluating answers on knowledge questions in e-learning — a widely used quantitative measurement method. Even launched phishing tests don’t help here.”

With both methods, the CISO rarely learns anything about the employees’ attitude toward safety. Achieving a change in behaviour requires different, more qualitative, analysis methods or a combination of both. This is the only way to experience and improve the safety culture in the company. Through interviews and workshops, or measurements and surveys that focus on the organisation’s culture, the CISO can learn where the gaps in safety awareness are.

IT security: Creativity defeats technology

With new knowledge about existing knowledge deficits, organisational deficiencies and lax security attitudes, an awareness campaign can be designed and offered — in a target group-oriented and demand-oriented way — to initiate a change of consciousness. The measures used depend on the respective enterprise and its own organisational culture. If, for example, the analysis reveals that only a few employees know the name of the safety officer, the latter must be put in the spotlight. This can be done with simple measures, such as a contact page with name and photo on the intranet, or more elaborate edutainment-oriented events where the person presents on a stage.

“It is important that the measures fit in with the existing corporate culture and that they appeal to employees and encourage them to participate,” explains Beyer. “Building a safety culture therefore requires creativity rather than technical knowledge. For example, a gamified campaign can do far more than just educate people about safety risks.”

Ways out of corporate security blindness

To implement such a measure effectively throughout the entire company, knowledge of change management and internal communication methods is required in addition to creativity. “That’s why we bring to the table the stakeholders in the company that the CISO needs right from the start: IT help desk, human resources, legal and compliance, corporate communications and marketing. A multi-disciplinary team makes use of all the expertise available in the company that is needed for such a project. Then later, our external consultants can contribute their knowledge free of corporate blindness,” explains Beyer.

A year or so after the first measurements on safety culture, it is advisable to repeat the quantitative and qualitative analysis to examine the success of the measure and the extent to which employees have changed their behaviour. In addition to measuring success, the CISO also receives new data that can be used to plan a follow-up campaign. DXC expert Beyer makes it clear: “Establishing a safety culture is not a project, but an ongoing process that has to be constantly fired up.”