An important element in an organisation’s information and IT security management is the actions of its staff members.
“Technical measures are not sufficient, as it is rather the human factor that becomes the “door opener” for cybercriminals and creates information and IT security risks. That is why, this year, Lund University’s Internal Audit Office is reviewing the University’s information and IT security culture,” says Jean Odgaard, Head of Auditing, Internal Audit Office.
The review is being carried out through a number of different activities conducted during autumn 2023. Two of the activities are focused on getting a picture of how security-conscious University staff members are. The Internal Audit Office has therefore engaged an external IT security expert who, working in cooperation with the Internal Audit Office, staged a phishing attack via email on 15 November as well as an attempt to defraud staff using phone calls (known as voice phishing, or vishing) between 20 and 22 November.
Results will be analysed
The activities are now concluded, and the Internal Audit Office will process and analyse the results. The results and the associated analysis, as well as recommendations for improvements, will be presented in the Internal Audit Office’s overall report to the University Board. The work on improvements will start in the next stage.
“The aim of the staged activities has not been to single out individual staff members, managers or functions – we wanted to get results for Lund University as a whole. We will not be looking at how individuals or parts of the organisation have acted,” says Jean Odgaard.
“We saw that there were many people within the University, both managers and staff members, who were vigilant and immediate in both their response and actions regarding the activities. That is very positive.”
“The numerous touchpoints universities represent have been increasingly exploited by hostile interests who are out to steal, distort or destroy research data, for example. It is often the human factor that determines if these interests are granted access to data. A good IT security culture presupposes that all users are aware of the risk that they could be faced with fraudulent communication,” says Therese Kropp, internal auditor, who led the review.