Security Month is over, but the work has just started

Throughout October, companies in both Norway and internationally focused on security. Without follow-up, the effort can be close to wasted. How do you use the momentum to strengthen security culture in practice?

Many companies have used October to focus on security through internal campaigns, seminars and presentations. The topic is highly relevant. Digitalization is affecting every part of business, technologies are evolving at a furious pace, and new and old systems are being linked together in ever-longer and less transparent value chains. This makes Norwegian businesses vulnerable. The same technological advances are being used by threat actors to develop sophisticated tools and methods for targeted attacks.

One in five companies has experienced security incidents that resulted in negative effects for the business, in the form of financial losses or a weakened market position (Mørketallsundersøkelsen 2018). Human error and a lack of security awareness are identified as two of the main causes of these incidents, which are often discovered by chance.

Good technical barriers are in place in many companies. People are therefore the easiest way in for threat actors. Employees are the weakest link – and at the same time the most important barrier. The well-known Hydro attack in March 2019, in which ransomware took hold of and encrypted all of the company’s data, started with an attachment in an email.

It is crucial that managers and employees have digital expertise, that they know what to pay attention to and how to handle it. This reduces the company’s vulnerability to attacks, and increases the likelihood of success in mitigating the negative consequences of any events that may arise.

Strengthening the human barrier requires not only increasing awareness and skills, which are often the focus of internal campaigns, but also changing behaviour. Even with technical solutions that reduce the risk of user error, we need leaders and employees to take the right actions at all times.

Everyone needs to know how to identify a suspicious email and what to do with it. And not least: they have to actually do it. Proper handling of suspicious emails can prevent incidents with potentially significant consequences. For Hydro, the attack resulted in production problems and financial losses estimated at MNOK 650.

Many companies put the bulk of their resources into developing strategies, courses and guidelines and rolling out campaigns. Fewer resources are allocated to actually implementing them. Yet to create behaviour change, the picture must in fact be the reverse. The emphasis should be on implementation: anchoring the work at the sharp end, mobilizing leaders and involving employees, so that responsibility is taken and ownership is built at the local level.

Behaviour change requires more than campaigns and nice words – it requires focus over time. Increased knowledge and awareness may be the starting point, but that is not the goal. Here lies the challenge and here lies the work.