For an efficient operation, organisations increasingly depend on technology. IT also plays a crucial role in running an efficient and effective organisation. At the same time, IT related risks are becoming increasingly relevant. Cyber security is essential to guarantee the confidentiality and integrity of information in organisations and to ensure that systems are available to customers and internal users.
In his Master's thesis at the Antwerp Management School, Tommy Van de Wouwer researched the human factor in cyber security, because it cannot be ignored when it comes to cyber security. ‘Most of all, I wanted to take a broader view of the matter. I noticed that everyone was pretty much copying each other when it comes to research into the human factor in security and that everyone comes to more or less the same conclusions. Of course there are only so many different factors that have an impact on security,' says Van de Wouwer.
Good habits appear crucial
The research confirms what Van de Wouwer, who has filled various IT positions in his career, already suspected: 'All the factors I researched have high scores. The differences between them are fairly small. But you can see that things such as daily practice, respect for policies and lead by example have a greater impact on security’.
Van de Wouwer also determined that the impact of innovation does not score very high in organisations. 'That didn't surprise me. As a customer, I have often found that consultants and vendors talk a lot about innovation because it sounds good. But you have to get the basics right first. Don't innovate if your security foundations are not right. Talking about this is not sexy though and you won't score any points with your customers or with your CEO.
However, the consequences when the basic security is not in order are in the news every week. Remember German Railways, FitBit, the Port of Zeebrugge, etc. Often, these were fairly easily preventable security problems that didn't require innovation. But the reputation damage is huge. Too little account is taken of this,' Van de Wouwer observes.
Food for thought
Kristof Tuyteleers, Security Officer at DNS Belgium, reviewed the Master's thesis and also encouraged people in his network to complete Van de Wouwer's questionnaire. ‘The research is very interesting because not much research has been done into critical success factors,' he says. ‘I interpreted and commented on the answers and that was quite tough, especially when the scores went against my expectations', he says.
For Kristof, the research offers food for thought. ‘When you see how some people high up in the business hierarchy think about security, it doesn't surprise me that organisations still have so many problems managing their cyber security. The research makes it clear how people look at cyber security and it doesn't always make for happy reading'.
‘The good news is that the research can be interesting for companies and help them ask the right questions in the field of security. Companies can learn, for example, which priorities to set, how big the negative impact is if they don't raise awareness among their employees and what the benefits are if they do. Tommy's research clearly shows that not doing something in terms of cyber security does little extra damage - although the GDPR and NIS Act are changing this - but that taking action has many advantages. The Master's thesis is ideal reading material for IT managers', says Kristof.
Lack of awareness and knowledge
‘The research does not show that a lack of knowledge or awareness is at the root of many security problems. In my experience, however, it does feel that way. Knowledge and awareness are extremely important, but then everyone in the organisation, from cleaning lady to CEO, has to be on the same wavelength. When you see something on your computer that doesn't seem okay, you must have the reflex to report it immediately', says Van de Wouwer. ‘People don't report it or they don't get feedback when they do. You have to let people know what you’re going to do with their report, reward and involve them. If you don't, people get the feeling that nothing is being done with their report. And this is completely understandable’.
‘In addition to this lack of awareness, IT and security feel like a cost in many companies which stands in the way of business operations. Business and IT should work together, but that is often not the case'. In addition, Van de Wouwer recommends sharing knowledge, possibly even with fellow colleagues. 'You can always be the first to suffer a cyber security breach, in which case you're unlucky. But there is no good reason why you should be the 500th company to face the same security incident when you could have easily prevented it by sharing your knowledge'.