It happens a lot, and it continues to puzzle me every time: I'm at a transportation company to sign up for a presentation on digital safety, when I see a whole series of framed ISO certifications. For driving cranes, for driving forklifts or transporting materials. All as a result of how things went during the time of the construction of the Empire State Building in 1930, because sometimes things went wrong with all those construction workers walking hundreds of meters above the ground on beams without any protection. But what about the security of the cell phone introduced just 50 years later? Everyone today has such a super-powerful handheld computer, but no one has an ISO certificate for it.
The protected parchment scrolls of Julius Caesar (the Caesar cipher) and the Enigma machine from World War II - these examples show that we as humanity have been working for centuries to protect the integrity and confidentiality of information.
Our cell phone: we make calls with it, send the most diverse information, log into our bank account, and use it to remotely control household appliances. Without thinking about whether it is safe to do it this way. The same goes for the 1001 accounts we create online for ordering goods, accessing information, or tracking our records at doctor's offices and hospitals. You're not alone if you use the same username and password for all of them, because it can't hurt, right? Until the shoe supplier you always order from gets hacked and all your data is out in the open. From there, the step to hacking your e-mail account and getting into your online bank account is taken faster than you think.
Imagine this: 26 billion password combinations have been leaked worldwide, and with every successful cyberattack that number grows. Add to this the capabilities of AI, and cracking security codes (especially simple ones) becomes a cakewalk.
Therefore, make sure you have at least minimal knowledge about information security and that you use it. Make regular backups, use two-factor authentication wherever possible (yes, even on your e-mail account), avoid reusing passwords or choosing obvious ones, et cetera. Compare it to securing your home. You have good locks on windows and doors, maybe a camera at the front door, or a dog that barks when someone rings the doorbell. That is not to say that your house is an impregnable fortress, but if it is more difficult to get into your house than into that of your neighbor, you are making the choice easy for criminals. The same goes for securing your privacy, your identity, and your more and less sensitive personal information. Offline, but nowadays especially online.
WoodWing's core business is Digital Asset Management – a line of business that involves a lot of data. Much of the data we manage is personal and sensitive in one way or another. So, good security is a basic requirement for us – always and everywhere. I see it as my responsibility as CISO to have and keep this subject on the agenda. Security is obviously my profession, but it is also a private passion of mine to make those around me aware of their digital security and to give them the practical tools they need to secure their privacy. If just 10% of my tips and comments stick, then they are already 90% more cyber-aware than the rest of the people in the Netherlands.
For our employees, we organize an annual security awareness session with appealing and relevant real-life examples. In addition, colleagues receive an e-mail from me on the 15th of every month on the subject of security. It contains no hellfire and damnation and no predictable list of ‘thou shalt nots’, but interesting examples of how they can turn ISO regulations, for example, to their personal advantage. Technical tips for being (digitally) safer at work and at home are also a regular part of the update. By talking about things people can really use and act upon, we keep bringing important topics to employees' attention in a positive way.
I take the same approach for my colleagues from management and the board of executives. As a result, you see that they are increasingly aware of the fact that data protection and cybersecurity are subjects for which all of us carry a responsibility. With the tightening of laws and regulations, it is not impossible that a board member will be held accountable for certain aspects of these subjects and the execution thereof, with all the (legal) consequences this entails. Together, we ensure good digital resilience, with the IT department ensuring that people have access to technology that makes strengthening their resilience as easy as possible.
We also have regular discussions with clients about how to apply ISO guidelines in the context of data and privacy protection. We have been working very intensively on this subject for a very long time and have gained an abundance of knowledge and experience regarding these topics – knowledge that we are happy to share with others.
Of course, we are all very busy and we all have to deal with ever-expanding lists of concerns and priorities. But if cyber security ranks at number 11 on your list, chances are that the ‘hoodies’ in our society see you as the ideal candidate for their next hack.
As complex and long as this journey may look, it only takes one first step to start the journey and get to work. Hence, I end all my communications with the invitation to contact me with questions, ideas, or the need for a sounding board. Because digital security is pre-eminently a journey that you want to take together.