What exactly does Ortec do?
ORTEC combines data and mathematics worldwide to create value for diverse organizations and society. They do this by optimizing business processes in a unique way that allows organizations to make business processes more efficient, flexible and sustainable. ORTEC and Awareways crossed paths on several occasions after which they joined forces in 2018.
Security and privacy
From the outset, ORTEC wanted to work on raising awareness of security and privacy. “As part of the ISO 27001 certification, the need arose to devote more attention to these subjects.” Explains Jet Woudstra, Compliance & Quality Officer at ORTEC. “But how? At that point we knew we wanted ‘something’ with security awareness and ‘something’ with privacy.” To record the state of affairs, a baseline measurement followed.
From baseline measurement to awareness
“Awareways conducted a baseline measurement with us. We actually didn’t really have an idea of what to expect.” The presentation of the results didn’t just yield interesting figures. It turned out that the desired attitude within Ortec was already more advanced than expected. “That was really a positive surprise. This showed that almost all employees considered subjects such as security and privacy to be very important, but did not yet really envision how they could then apply this in their behavior.” That, of course, is already a favorable starting position. “Also, the presentation really made the path to awareness come alive. Awareways makes a particularly interesting link to behavioral psychology.”
Introduction of security policy
At the time of the baseline measurement, ORTEC had not yet specifically addressed security and privacy policies. “Policy is something that many people find boring, but strangely enough it became clear that there was actually a great need for it. We therefore immediately set to work on drafting this, so that it could be included immediately in the first awareness training (Level Bronze, RvdS).” In order to enthuse employees, we worked together on an appropriate communication campaign. Awareways had a striking proposal for this with a motto, posters and banners. Together we tailored this proposal to our budget and organizational culture.” As part of this, management was renamed ‘the great example’. “As soon as the first security awareness training was live, all the board members took the lead in this. This ensured that employees quickly followed.”
Soon the topics started to live within ORTEC’s culture. It wasn’t just in numbers that more awareness was created. ORTEC had already done an experiment with phishing itself, but still preferred to outsource it. “With the phishing simulations from Awareways, we were of course able to see that the number of ‘clickers’ went down from 8% to 4%. Also, the number of incident reports increased significantly. We are very proud of that, but we also saw it reflected in people’s behavior. Employees made prints of their obtained certificate and made up all kinds of jokes to draw each other’s attention to things.” That the way the training courses were offered led to success is clear. “Many employees became very enthusiastic about the way the training was offered, especially because of the gamification elements.”
Guidance on security policy
Although the starting level was significantly higher than ORTEC had expected, implementing new policies obviously does not happen overnight. “With the help of the Awareways project manager we were able to go through the process step by step. We found this guidance to be very pleasant, as there was room each time to take the next step and adapt to the situation.” Incidentally, this also applies to the training content. “It was very helpful that Awareways arrived with a series of questions as a guide and we could then tailor it together. This was sometimes a challenge, because we have offices and employees all over the world and therefore there are many different cultures within ORTEC as well.”
By the time we spoke to Jet Woudstra, the first three levels had been completed. “We are now up to the fourth level, diamond.” So far, there is already real visible change. “It’s good to be able to see that more incidents are being raised and more are being reported, but most of all we see that employees are really giving it a place in our work culture.”