How safely does your organization work? What is the effect of your security awareness program? Does it affect employee behavior, and are your efforts worth it? Roland Anthonijsz, security & data protection officer at the DELA cooperative, asked himself these questions. To gain more insight into the security culture of the organization and the effect of awareness training, DELA used the security awareness scan of Infosequre.
Measuring the effect of an awareness program
"At DELA, we attach great importance to information security. Like all other players in the financial industry, we are increasingly confronted with phishing, malware and ransomware attacks. However, we must also not forget the 'insider threat'. Improper employee actions can result in a serious data breach," says Roland.
"Because a mistake was made that way, we wanted to know the effect of our awareness program. Are our people well prepared? Or do we have to repeat certain topics? And what’s our general stance in terms of cyber security? The security awareness scan has provided us with answers to these questions."
Security awareness scan: 3 steps
1. Audit
The security awareness scan starts with an audit. With this we map the maturity level of your organization when it comes to awareness. We take a closer look at policy and the security awareness processes that have been set up.
The audit at DELA showed that the organization is quite mature when it comes to security awareness. That was no surprise to Roland. Before the funeral insurance company (with branches in the Netherlands, Belgium and Germany) approached Infosequre, it had already done a lot to raise awareness.
"We have launched awareness programs before. We also regularly publish articles internally and we have even developed our own training," Roland explains. "But it was not an inviting course. The subject was dry because it mainly consisted of text. No videos or images were actually used and there was hardly any interactivity."
“If you want to achieve your goal, an awareness training must not only be correct in terms of content, but also fun to follow. This was the main reason for further searching. After all, most employees will have to follow the awareness training.”
2. Survey
The audit is followed by a survey that maps out 3 factors:
- the attitude of your employees towards safe working
- the extent to which employees believe that information-safe working is important to the organization
- the extent to which employees feel that they are well equipped to work safely
Together these 3 factors form the starting point for a growth plan. At DELA, the survey was distributed to all 1,800 employees. The results showed that the people in the organization are very involved and want to work safely.
"Our corporate culture exudes our so-called BIO values: commitment, integrity and entrepreneurship," explains Roland. "These core values are prominent in progress discussions between employee and manager and are even part of our assessment cycle. This also includes good housekeeping: responsible handling of data from our customers and members."
"The culture measurement showed that employees are aware of the risks, but do not always have the right tools to work safely"
Although DELA employees think it is important to handle confidential information carefully, they were found to be missing concrete tips and tricks. Roland explains: "Our employees are intrinsically motivated to handle data with care, but sometimes still miss concrete instructions: How do you send a file securely? How does a password manager work? How does VPN work at DELA? You can see that awareness training encourages you to think about these types of topics. That is what you need to achieve your goal. It shows commitment."
3. Workshop
We conclude the security awareness scan with a workshop in which we discuss outliers in the research. During the workshop, 15 people were given the opportunity to explain their vision of information security at DELA based on the topics in the survey.
In the field of onboarding, it turned out that, apart from freelancers and temporary workers, most employees feel well informed about the applicable security guidelines. The freelancers and temp workers do not follow the same route as DELA’s own employees, so they missed information.
"Are our people well prepared? Or do we need to repeat certain topics? And where do we generally stand in terms of cyber security? The security awareness scan has given us the answers to these questions."
Another point of attention is the findability of the guidelines in the field of information security. Although the majority of employees indicate that they know where to find the guidelines, no one can give the exact location.
The 3 parts of the culture scan complement each other and thus identify the most important challenges.
Roll out awareness training
DELA started the security awareness scan after employees had followed security awareness e-learning for some time. "In retrospect, we would have liked to have done the scan prior to the training as a baseline measurement," says Roland. "When we started, however, the scan was not yet part of the service package."
“The training sessions were very good. We've got a rhythm going. We publish a new training every month. Because the training courses are short, the time investment for our employees is manageable. This is important, because they must follow many other training courses in addition to information security.”
“The program encourages employees to think. That's what you need to achieve your goal”
"When rolling out the program, we look at what is going on inside and outside DELA. What do employees have difficulty with, and which topics are related to this? What threats do we see in the media?
As far as the content of the training courses is concerned, we have opted for generic content. In retrospect, I would have preferred to do it differently. Sometimes things work differently for us than they are shown in the training. That leads to questions. I prefer to focus some topics on our specific situations next time. It is good to know that this is possible at Infosequre. Overall, we are very satisfied."
"During the entire process, Infosequre thinks along with you and questions are answered quickly. In addition to the scan and e-learning, we are also considering using the security awareness escape room when the pandemic is over. We also look forward to getting started with the new interactive modules that have been developed. Repetition is necessary. We also get the feedback from employees that they like repetition."