03. 10. 2023.

IT security is about more than updated firewalls and annual awareness campaigns

If businesses are to have a stronger defence against cybercriminals and hackers, it takes far more than just an updated firewall. It requires a change of behaviour among employees. A wagging finger or printed guides in the kitchenette, which sometimes constitute the annual awareness campaign, are not enough.

Human error is the most common cause of IT security breaches in Danish companies. In many cases, it stems from a poor security culture. The responsibility lies not with the individual employee but with the management.

Measurements from the last six months with the HackerStop tool show that companies usually score lowest on issues related to dialogue and openness between management and employees. For example, the measurements show that few people know what to do if they or others in the company are exposed to hacker attacks, or how best to protect their devices (such as work computers) from being accessed by others. This is a sign that there is a lack of focus on the human aspect of IT security.

If companies are to succeed with a real change in behaviour and thus increase their IT security level, it requires a cultural change. To change the culture, it is important that management constantly encourages employees to think about IT security and provides them with simple and concrete tools so they can act properly.

“The management has a responsibility to develop a strong culture of IT security. It must be a culture based on openness and awareness. However, I am currently experiencing that many companies do not think they can be hacked because cybercriminals simply won’t find them interesting. That’s a wrong assumption. Cybercriminals use computer programs that in a relatively short time can screen an arbitrary company for weaknesses. Cybercriminals often choose to hack the companies that have gaps in their IT systems, as these are the ‘easy’ victims, and they can, for example, take corporate data and systems hostage. Thus, all companies can be in the line of fire,” says Claudia Zöllner, who is part of Dansk IT’s HackerStop team, and adds:

“I also find that many employees do not have much focus on and interest in IT security. They don’t think it’s important to report bugs associated with hacker attacks. There are also employees who do not dare to report errors to the IT department. There may be a culture in their workplace that means that you can’t make or talk about mistakes. That’s a big problem. These mistakes can have significant consequences for the company.”

Openness is therefore the alpha and omega when creating a good security culture. It is important that everyone in the company feels that they can speak up if they have made a mistake in handling IT security that enables a hacker attack.

“If you speak openly and honestly about mistakes, companies have a very good starting point to prevent or reduce a hacker attack. It’s important that employees feel like they can say it out loud if they clicked on the wrong link in an email or if they lost a work phone or computer. If management constantly helps their employees think about IT security – through dialogue and awareness – this will translate into real behavioural changes,” says Claudia Zöllner.

If businesses are to have a stronger defence against cybercriminals and hackers, everyone in the company must take responsibility. It is important that management takes the lead and speaks openly about IT security. Employees should be encouraged to report suspicions. Everyone can learn from each other, so the company can prevent cyber-attacks.  

Tools to strengthen IT security

Employees are thus a good and easy place to start when companies need to raise their IT security level. Companies should examine where they are weakest and thus decide where to take action. HackerStop is a digital tool that companies can use to get a quick overview of the IT security behaviour in the company.

HackerStop is the foundation of the Danish Industry Foundation and developed by Dansk IT in collaboration with NBI. It provides a continuous and anonymised overview of employees’ maturity and awareness within IT security. The overview is based on a measurement where employees must answer questions within the following factors: 

  • Messages
  • Devices
  • Rules
  • Passwords
  • Information
  • Incidents

Each employee gets their own report with recommendations on where to strengthen their knowledge and how. Furthermore, management gets an anonymised report, which they can use to direct efforts where the needs are greatest and where they provide the most value for the company. Measurements can be taken on an ongoing basis so that management can see whether the employees’ digital IT security skills are being strengthened.

HackerStop is a useful tool to lower companies’ risk of cyberattacks and support companies’ competitiveness internationally.

Read more about the tool at hackerstop.dk.

Find out more

  • Digital technology / specialisation:

    Digital skills

    Cybersecurity

  • Digital skill level:

    Advanced

    Digital expert

  • Geographic scope - Country:

    Denmark

  • Type of initiative:

    Local initiative