Gamification engages, but it is the employees' contributions to information security we value the most in Secure Practice, says security manager and data protection officer Ole Martin Refvik from Admincontrol.
Since their incorporation in 2005, Admincontrol has provided collaboration services and data rooms for boards and due diligence processes. This includes storing sensitive information for the majority of enterprises on the Oslo Stock Exchange, and security has always been an important part of their internal culture.
Admincontrol values how employees' can contribute to information security with Secure Practice, says Ole Martin Refvik. (Photo: Erlend Andreas Gjære)
Ole Martin Refvik is security manager and data protection officer at Admincontrol. He tells that his colleagues are trained both when they are hired, and repeatedly throughout the year. He still believes that learning from personal experience is the that approach that sticks best.
– Compared to traditional ways of security training, Secure Practice offers a clear focus on learning while doing. The human interaction from using the tools is important, and the solution here is clearly unique from other products in the market.
Refvik explains that in particular the experience with points for reporting emails has motivated an effort from several of his colleagues.
– It is obvious that gamification can crank up the engagement. After an introductory phase, we did an award ceremony to the most active contributor at our annual internal kick-off. At some point, some had found it a bit unfair that others had received more phishing attempts than themselves!
The amount of suspicious email received can naturally vary between different groups of employees. It can therefor also be useful for some to receive an «a-ha» experience at regular intervals.
– Simulated phishing has become a useful tool to keep the attention fresh. People have become more conscious, and are not easily fooled, he says about the results so far.
Admincontrol is certified after comprehensive standards for information security, including both ISO 27001 and SOC 2, and this affects the internal security work accordingly.
– But it was not the certifications which caused us to choose Secure Practice, Refvik says. A lack of reporting is a lost opportunity for improvement. On this basis, I had already much earlier begun asking employees to report on suspicious emails, he continues.
However, he found that this job required both time and effort, and that tool support was required. He greatly appreciates the opportunity to outsource this very specific part of the job, and that most of it can be automated.
Obvious value proposition
– It was not difficult to see that we needed a solution like this. We had already documented the extent of phishing attacks, and it was not difficult to argue about the risk. It was mostly a matter of finding the best tool to ensure that I can spend my time on other measures, Refvik says.
He tells that the solution from Secure Practice was both competitive on pricing, and very easy to roll out to the organization. The fact that the service is developed in Norway and the vendor is very easy to communicate with, has also been positive parts of the collaboration.
– Securing companies against phishing attachs and giving people a realistic way to learn, that is a very important job that we experience Secure Practice to be doing, the security manager concludes.