How Mads Created Cyber Security Awareness For DTU Biosustain
It’s crucial to have strong cyber security at DTU Biosustain. They are doing research that could potentially change the world; therefore, they are a big target for hacking. Mads is the one who carries this burden. He must make sure that they are protected as an organisation. We’ve talked to him to hear his thoughts about cyber security and awareness, and about how he created a stop motion video with a dancing Donald Trump to raise awareness about phishing. If you are mostly interested in how Mads and DTU Biosustain use our awareness training, you can jump straight to that section below.
Who is Mads?
Mads is responsible for IT at DTU Biosustain.
- Mads Gleerup Christensen
- Head of IT
- BSc from RUC
Table of contents
- Who is DTU Biosustain?
- Why is cyber security important?
- Technical solutions and awareness training go hand in hand
- How DTU Biosustain use Awareness training
- Awareness training leads to visible change
- What about phishing training
- Physical awareness to increase the training attendance
- Watch DTU Biosustain’s own awareness video
- 3 tips for other companies
- The security work in 5 years
- Create awareness in your company
Who is DTU Biosustain?
DTU is the Danish Technological University. They have more than 6000 employees divided into different research centres and institutes. We’ve talked to Mads, who is responsible for IT at DTU Biosustain, which is one of those research centres. DTU Biosustain has a team of 300 employees. They are funded by Novo Nordisk and are researching how to make sustainable chemicals with genetic modification. They have their own cyber security but are of course collaborating with DTU as a whole.
The IT-team at DTU Biosustain
Mads is the main IT guy at DTU Biosustain. He has a degree in corporate governance and computer science. He didn’t like coding that much, but it did give him an understanding of IT, which he now combines with his knowledge of the human aspects of company culture. He’s in charge of a small team of 4, including himself: 3 full-time employees and a student worker. He’s also in charge of IT at another DTU institute with the same setup, but in this article we’ll focus on his work at DTU Biosustain, where he tries to create awareness about the importance of cyber security.
Why is cyber security important?
Cyber security is important for all companies, but for a research centre like DTU Biosustain it is crucial. Mads says that they probably wouldn’t be here without it.
“If we didn’t work with IT-security, everything would be different. We probably wouldn’t exist. We see universities and biotech companies being attacked all the time. Recently, we got attacked ourselves and it was only because of a vigilant employee that things didn’t go south.”
Universities have a lot of data to protect.
“We are a research center that can hire some of the best scientists in the world. They work with groundbreaking research. If that gets stolen or if we waste the scientists’ time because our security isn’t good enough, that would be really bad.”
Because DTU Biosustain works with the newest research, it is a target for a lot of cyberattacks. The data and knowledge they possess have a lot of value. Therefore, it’s only natural that they focus on cyber security.
Where does the threat come from?
Today, every single company is exposed to attacks, as a lot of cyberattacks are automated and don’t target any specific company. We do, however, also see a lot of targeted attacks when it makes sense for cyber criminals. This is the case for DTU Biosustain. As Mads says, they fear governments, hackers and many more.
“The reality is that we are alert to international cyber criminals, and every time we come home from a conference, we must clean everything and format the computers in a sandbox. We know that we get malware everywhere we go. It’s awful to think about.”
At DTU Biosustain, they must protect every single computer.
“We must be extremely aware of who is going where. It’s important that our employees know that this is the reality that they are a part of, and it's our job to make them aware of it.”
Because of these kinds of threats, it’s obvious that cyber security is not only a technical issue at DTU Biosustain, but just as much a question about employees and their behavior.
It’s a big challenge to be a university
A challenge for Mads as head of IT is that DTU is a university. This means a lot of people are walking in and out of the buildings every single day.
“E.g., Novo Nordisk has an incredibly high security standard where employees only have access to what they need. Here, we are a university with free access to the buildings from the street. You don’t even need a keycard in the daytime. And it’s the same thing with a big part of our IT infrastructure.”
DTU Biosustain has a lot of users who need access to a lot of things. This makes it difficult to protect the centre's systems and makes it even more important that users and employees are aware.
Technical solutions and awareness training go hand in hand
Cyber security has historically been seen as a task for the IT department. Back in the day, cyber security was a question of a good IT infrastructure, strong firewalls, anti-virus systems and all the technical shields you could find. This is in many ways still true, but it’s not the whole truth. As we use more and more digital devices in our everyday lives, we have all become a huge part of cyber security. This is also something Mads acknowledges.
“We buy all the best systems. This means phishing mails and hacker attacks rarely succeed. But… when something slips through this defense, it only takes one person who clicks a zip-file and then the malware spreads, or maybe somebody gives their username and password to who-knows-who.”
DTU Biosustain spends a lot of money on technical solutions, but it’s not enough. They also need to educate employees.
“We can have as many good systems as there are, but if all of us don’t have the same basic level and can separate the good from the bad, then they don’t help.”
So, let’s dive into the awareness at DTU Biosustain.
How DTU Biosustain uses Awareness training
DTU Biosustain has several initiatives to create awareness in the organisation. They use CyberPilot’s Awareness training, they have some physical awareness, and Mads has created an awareness video about phishing. We’ll touch upon all 3 of these initiatives.
CyberPilot Awareness training
The first part of the awareness work at DTU Biosustain is our awareness training. DTU Biosustain’s employees receive our courses about the GDPR and cyber security bi-monthly to spread awareness about topics such as phishing, passwords, personal data and much more. New employees also receive a bunch of courses in the onboarding phase to catch up.
The Awareness training is inclusive and non-judgmental
Mads thinks the Awareness training works well.
“Generally, I think the concept of awareness training is genius. I believe a lot of our employees' IT knowledge is below the level that we expect it to be. It’s nice for me to see that the IT department can increase the level of knowledge.”
Mads believes that the concept works, but there are many vendors out there who do Awareness training. So why did he choose CyberPilot?
“I think that what you do is really good. First of all, it tells a story. It isn’t condescending. The worst thing is when people feel talked down to by the IT department. It’s when they say: ’I feel stupid when I come into your office and ask questions, and you are just sitting there with your World of Warcraft hair.’ I want everybody to feel welcome.”
Mads does, however, also mention that the level of the courses is of course too low for some people, but this isn’t an issue:
“Of course, some people already know the answers and for them the courses are a bit too easy. You might lose them, but they already have a high enough level of cyber security knowledge. For those who don’t have that level of knowledge, I think your Awareness training is spot on. I’ve never had any negative feedback from any of them.”
Our Awareness training is all about creating awareness and improving the basic level of cyber security knowledge in companies.
Awareness training leads to visible change
One of the difficult things about awareness training is to measure the effect of it. We always love data to prove the effect, but it’s difficult to get when we talk about something as fluffy as cyber security culture and knowledge. However, Mads is certain the training helps.
“Awareness works! I know that without having any numbers to back it and without having any basis whatsoever for saying it except for my gut feeling.”
Later on in our conversation it turns out that Mads does have some measurements to back it up; they’re just more qualitative than quantitative.
“I used to get an email from maybe one person saying ’I’ve received this email, and my colleagues also got it. Is it real or a phishing email?’ Now, I receive several emails every time something happens, or a mail is out there. Even if it’s a mail that looks legit, like it’s coming from a person from DTU, people write me: ‘The thing this person is writing is a bit strange. Is it one of those mails we are warned about by CyberPilot?’”
These kinds of experiences show the effect of the Awareness training. Mads also had another example of how his work life has become easier, as he no longer has to notify everybody when a phishing email is out there.
“I used to write ’This email is circulating.’ I don’t need to do that now. People are aware.”
It looks like awareness training works.
What about phishing training
DTU Biosustain also ran a phishing training campaign after they had received the training for a while. It was useful, but Mads actually wished they had run one before the training started, as a baseline.
“I quickly received mails about the fact that the owner of the sender domain was CyberPilot. So, they were quick to see through it. I would have wished that we did one before the training to baseline our efforts. But it is a good sign that they saw through it. I think it’s because of the Awareness training.”
It shows how phishing training can complement the awareness training and also serve as a baseline for measuring its effect. By running a simulated phishing campaign before the training and again afterwards, you get a real number for how you are progressing as a company when it comes to spotting phishing emails: how many clicked, how many reported it, and how fast.
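To make the baseline idea concrete, here is an added example (not code from CyberPilot, DTU Biosustain or Mads) that scores two simulated phishing campaigns from the kind of event log a simulation platform typically exports: one event per user action, either "clicked" or "reported". The event data, user ids, recipient count and send time are all constructed for illustration. It computes the click rate, the report rate, the minutes until the first report (the signal Mads describes, where people quickly wrote to him) and how many users clicked but then reported anyway, which is the behaviour the "safe space" culture is meant to encourage.

```python
"""Score a simulated phishing campaign and compare it against a baseline.

Added example with constructed data; it is not DTU Biosustain's real numbers.
"""
from datetime import datetime, timedelta

# Constructed campaign parameters (hypothetical values).
SENT_AT = datetime(2024, 3, 4, 9, 0)
RECIPIENTS = 50

# Constructed events: (user id, action, timestamp). A user may appear more
# than once, e.g. click first and report afterwards.
BASELINE_EVENTS = [
    ("u01", "clicked", SENT_AT + timedelta(minutes=3)),
    ("u02", "clicked", SENT_AT + timedelta(minutes=5)),
    ("u03", "clicked", SENT_AT + timedelta(minutes=7)),
    ("u04", "clicked", SENT_AT + timedelta(minutes=12)),
    ("u05", "clicked", SENT_AT + timedelta(minutes=40)),
    ("u06", "reported", SENT_AT + timedelta(minutes=55)),
    ("u05", "reported", SENT_AT + timedelta(minutes=60)),  # clicked, then reported
]

FOLLOWUP_EVENTS = [
    ("u11", "reported", SENT_AT + timedelta(minutes=2)),
    ("u12", "reported", SENT_AT + timedelta(minutes=4)),
    ("u13", "clicked", SENT_AT + timedelta(minutes=6)),
    ("u14", "reported", SENT_AT + timedelta(minutes=6)),
    ("u15", "reported", SENT_AT + timedelta(minutes=9)),
    ("u16", "reported", SENT_AT + timedelta(minutes=15)),
    ("u13", "reported", SENT_AT + timedelta(minutes=20)),  # clicked, then reported
]


def score_campaign(sent_at, recipients, events):
    """Summarise one campaign. Rates are per recipient and deduplicated per
    user, so a user who clicks twice counts once."""
    clickers = {user for user, action, _ in events if action == "clicked"}
    reporters = {user for user, action, _ in events if action == "reported"}
    report_times = sorted(ts for _, action, ts in events if action == "reported")
    first_report = (
        (report_times[0] - sent_at).total_seconds() / 60 if report_times else None
    )
    return {
        "click_rate": len(clickers) / recipients,
        "report_rate": len(reporters) / recipients,
        "minutes_to_first_report": first_report,
        # A mistake followed by the right reaction: worth tracking separately,
        # because it is the behaviour a non-judgmental culture should produce.
        "clicked_then_reported": len(clickers & reporters),
    }


def compare(baseline, followup):
    """Change between two campaigns in percentage points (positive = more)."""
    return {
        "click_rate_change_pp": round(
            (followup["click_rate"] - baseline["click_rate"]) * 100, 1
        ),
        "report_rate_change_pp": round(
            (followup["report_rate"] - baseline["report_rate"]) * 100, 1
        ),
    }


if __name__ == "__main__":
    base = score_campaign(SENT_AT, RECIPIENTS, BASELINE_EVENTS)
    after = score_campaign(SENT_AT, RECIPIENTS, FOLLOWUP_EVENTS)
    print("baseline :", base)
    print("follow-up:", after)
    print("change   :", compare(base, after))
```

Two practical notes on the design: the rates are deduplicated per user because platforms often log every click, and counting a nervous double-click twice inflates the number; and time-to-first-report is kept alongside the report rate, since a campaign where the first report arrives within minutes lets the IT team warn everyone else before most people have even opened the mail.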
It could maybe need a bit of spice
Mads didn’t have any negative feedback about the awareness training, except that on a personal level he thought it could use some edginess; at the same time, he understands that the training is made for the masses.
“It’s a personal preference. Maybe 98% of people don’t want it to be edgy, but I think you could spice it up a bit. But then again, I don’t have anything to lose. I can only be fired or get yelled at a bit. You have a company to run where you have to make sure you don’t offend everybody.”
Luckily, you can always take matters into your own hands, and that’s exactly what Mads did. He created his own awareness video about phishing where he could add all the edge and spice he wanted. But before we dive into that, I want to talk a little bit about how Mads created some physical awareness to support the awareness training.
Physical awareness to increase the training attendance
Besides the CyberPilot Awareness Training, Mads also started other initiatives to create awareness. For instance, he hung up posters on the wall.
“I started with some big posters. They had some form of half-provoking text, nothing evil, but eye-catching and some nice graphics.”
Mads also creates some awareness when people forget to take the courses. If he can see that the attendance is dropping a bit, he takes action.
“When I can see the attendance is a bit low, then I ask a colleague to go out with some flyers about the fact that they need to remember to take the courses. Since they don’t want to read a lot of mails from me, I must do something else. For example, I made a flyer about the fact that Mærsk lost 2 billion (d.kr.) when they had downtime because somebody clicked a link in an email. These kinds of examples are good to remind people of the importance. They can lose their research and their patents. I’m just making them aware, and it works. I can see a boost in people taking the courses for some time, and then it’s time for new flyers.”
Only a minority wants to take courses about cyber security voluntarily; most people just want to keep moving with their daily work tasks. Sometimes, you need to remind people why they should take the courses.
The IT-department should be a safe space – no stupid questions
The last part of the physical awareness is to be present and talk to employees. People need to know that they can always ask questions.
“It’s been a huge deal for us to tell people: ’You shouldn’t be scared if you click something. Just come down and talk to us, then we’ll figure out what to do.’ They feel comfortable because it’s a part of their lives now. It’s not an unknown thing, where they think they might get fired or reprimanded by their boss. Cyber security is a part of their everyday lives now.”
The point Mads makes is crucial to building good cyber security. If your employees are comfortable coming to you when something has happened, you have a better chance of reacting quickly and efficiently. And it’s of course also better to have a work environment where everybody feels safe. That is what a good cyber security culture is all about.
Watch DTU Biosustain’s own awareness video
As mentioned, Mads thought the cyber security awareness could be spiced up a bit, so what did he do? He created his own video together with a skilled stop-motion animator named Rolf. But why did he do it? What does it take to create your own videos, and does it work?
Before we answer those questions, let’s see the video:
A response to rising phishing attacks
Phishing attacks are a real threat to DTU Biosustain, especially a few years back, when the spam filters weren’t as good as they are today. This was the main reason for creating the video:
“We got hit by a lot of phishing emails. Like A LOT. It was a big challenge and not all employees were aware of how to react to the big internet and the threats it comes with.”
The video was meant to be a quick reminder, a fix, a shot of adrenaline to make people remember the dangers of phishing emails.
“It’s like when you give your girlfriend roses. After a few days they start to hang a little bit. Then you give them some hot water and they raise their neck one more time. This project was meant to wake up people and say ’HEY!’”
It wasn’t the only reason to make the video, as Mads admits that it was also for fun.
“Maybe it was also kind of a selfish project because I thought it was fun to do. But it was primarily to create a wake-up call and have a chance to play around with stereotypes. It should be some fun awareness.”
And why not have fun while creating awareness?
How Mads created the video
Mads started out by asking a bunch of advertising agencies, but they all wanted 500.000 d.kr. for a video plus 250.000 d.kr. for the survey to measure the effect afterwards. It’s safe to say that this was beyond the scope of what Mads was doing. He had 300 employees who he hoped would knock on his door and say, “that’s a funny video”, and afterwards talk about the video at the water cooler. You know, nothing big.
Mads met Rolf and the idea was born
So, what do you do when you don’t want to spend half a million? Mads thought of a guy he met earlier named Rolf.
“I found this guy who makes videos. I think he’s totally crazy and extremely creative. He uses a lot of gadgets and small things that he finds everywhere. He made awareness videos for DTU about construction sites and the dangers of going into these, so I called him.”
Mads thought of him and knew what needed to happen: Rolf should make the video about phishing.
It’s a lot of work
From here on Mads created a storyboard and sent it to Rolf, who then applied his touch. The idea was to make it funny, provoking and about topics DTU Biosustain sees a lot in their everyday cyber security lives.
“We made a storyboard with all the things we see the most. Then Rolf made it simpler because nobody wants to see 15 minutes of talking heads. But that was basically our thought, to touch on the things that we are most exposed to and make a few people laugh.”
But it was a long way from there. Rolf was working on the film in his free time, as he had another full-time job. It took a whole year to create the video.
“What he does is stop-motion. He’s sitting in a cold garage near the German border and he is doing his thing. It takes a lot of time, and I was scolded by my boss for not pushing Rolf, but I’m pretty sure that people didn’t push Michelangelo when he was painting the Sistine chapel either. Creativity takes time.”
Even if you don’t pay advertising agencies half a million, it does cost money and a lot of time to create your own videos.
The video came to life
After a year, the video was ready to see daylight. It was published on DTU Biosustain’s intranet, and whenever they see a wave of phishing attacks, it gets a revival by being sent out in the weekly newsletter. It isn’t used as much as Mads wants it to be, though. Maybe because it turned out as provocative as it did, he’s a little bit afraid of the reaction from upper management.
“They might think: ‘Mads you dumbass… You spent money on that?’”
Mads doesn’t fear for his job, but he knows that the video might stir the waters.
It’s received positive feedback
Even though Mads is a little bit nervous about just showing the video everywhere (which in itself is a paradox when making an awareness video), the feedback has been completely positive.
Mads adds that people might have a comment or two but only in a good way that starts the conversation.
“They might say, ’Damn, that’s stupid,’ but at the same time they are talking about phishing. Another one might say ’I’m from Eastern Europe, why do you portray me like that?’, but then I can say ‘Sorry about that.’ At the end of the day no one actually gets offended because they know what the reality looks like. The reality is that we fear international cyber criminals.”
If the video gets people to talk about phishing, it’s a success. This creates awareness about the threat and makes it more likely that employees spot the next phishing email in their inbox.
Maybe your company should make its own phishing video as well.
3 tips for other companies
I asked Mads if he had 3 good tips for other companies. He sort of did, but mentioned that it is probably one big piece of advice instead. As he said:
“You can get really far with technical systems, and maybe it will make sure that only 2-3% of something 'wrong' gets through the systems."
I guess I’ll try.
Tip 1: Have a strong technical foundation
The first piece of advice is that you need technical solutions that help your cyber security.
The technical part is important, but Mads also states that it’s not enough, because if 2-3% gets through, that can still be harmful. This leads us to the next piece of advice.
Tip 2: Your security is not stronger than your weakest user
Your technical solutions can’t live without aware employees.
“Your security isn’t stronger than your weakest user or somebody who had a busy day and therefore clicked a link or logged in on the wrong site.”
The message from Mads is clear. You must make your employees aware of threats so they can avoid making mistakes. The third piece of advice is part of this, but to give 3 tips I must cut corners.
Tip 3: Create a healthy cyber security culture
The third piece of advice from Mads is to create a space where people aren’t scared of admitting potential mistakes. It is one thing to have aware employees, but another thing entirely when those employees trust that they can come to the IT department if something goes wrong, without being scared or punished.
“You need an embracing culture for all people’s levels of IT knowledge, because the worst thing is when someone is scared of coming to you and instead tries to hide that they shared some information because they are embarrassed.”
All 3 pieces of advice are things that we at CyberPilot can endorse, as we agree 100% with every single part.
The security work in 5 years
Where does Mads see his security work in 5 years? Or where does he hope it will be? That was my last question, and it’s easy to see that Mads thinks of the users as a crucial part of cyber security. His wish for the future is to get more user involvement in the cyber security work, just as we see designers do in design processes. He wants to sit with the users and see how they use different programs and systems. This will enable him to communicate and create cyber security strategies that fit the everyday use of IT.
“We need to think about the human’s needs in everything we do. I hope we do this a lot more in 5 years so we really understand the needs and can adapt our cyber security and awareness to those needs.”
Let’s just say that we have the same hope. Cyber security shouldn’t make people’s work harder, but should be easy to fit into everyday work life.
Create awareness in your company
A good cyber security culture is important. As DTU Biosustain and Mads show us, there are a lot of ways to build one. You could, for example, create videos or posters, talk to people, or set up an awareness training program. If you want to try our awareness training for free, you can do that in no time.