Why your behaviour is just as important as your firewall

When you think of online security, you might think of a firewall or a password manager. But did you know that behaviour is just as important for protecting your business? Psychologist Inge Wetzer gives 3 tips for behaving more safely.

Every day Inge Wetzer, psychologist at security company Secura, sees people behaving unsafely and not properly protecting information. “You can have all your technology in order, but if your employee gives out a password to a scammer over the telephone, technology will not be of much use to you.” 

 


No lack of knowledge

The human share in digital security is big, according to Wetzer. “We know that most data breaches are caused by human error or carelessness.” The strange thing is, people do know the rules. “Most people score very high on a knowledge test. We all know that we should not leave papers with sensitive information lying around. And yet it happens.”

 

Too trusting

Wetzer calls employees on behalf of their employers. She then tests if she can get their password. “First, I have to get into the company. This often takes a few phone calls. I call:

'Hello, this is the service desk.' Huh, that is suspicious, the employee thinks. ‘We do not have a service desk, but an IT desk.’

Then I call another employee: ‘This is Anne from the IT desk.’

‘Oh, usually we have contact with Sjoerd,’ the employee responds, for example.

Next phone call: 'This is Sjoerd's intern.' Bingo!”

As soon as the employee believes that Wetzer is trustworthy, she tells the following lie: “'We see suspicious activity on your PC, can I take a look with you? What is your username?' Then I ask if the password is autumn2020, for example. Then employees say 'Oh, that is no longer correct' or 'No, my password is now ...' And then the password follows.” Sixty percent of the employees who Wetzer calls give her their password without a problem. “That is a high percentage. People are naturally helpful and trusting.” 

Too much hassle

Your behaviour depends on several things, Wetzer explains. “You need a certain knowledge, because if you do not know what makes a password strong, you cannot create it. You also need motivation. 'Is this important enough to do?' You often see that people know they have to use a long password, but they think: 'I think that is too much hassle' or 'I can never remember that.'” 

It does not work

So, you need knowledge and motivation, but also what is referred to as ‘opportunity’ in psychology. “It could be that your employees know that it is better to use a secure VPN connection when working remotely and that they want to,” explains Wetzer. “But if the VPN connection is not stable and keeps kicking people out, it just will not work. When you talk to people about why they behave unsafely at work, you often hear reasons like this.”

Get started yourself

What can you do to make the behaviour of your employees or yourself safer? Wetzer has 3 tips:

  1. Set 1 or 2 concrete improvement goals. After 3 months, what do you want your company to do correctly? For example: we want to always share sensitive information encrypted. What do you need to do, to achieve each goal?
  2. Talk to your employees. What is stopping them from acting safely? What do they need to change that behaviour? Help them.
  3.

If you are self-employed, it can be difficult to motivate yourself to work on your company’s safety. Pick a moment 4 times a year to read more about it or follow a webinar. This way, you stay informed of developments, and you do not have to come up with it all yourself. 
