In recent years, the Belgian construction and contracting company Democo Group has made significant progress in the field of cybersecurity maturity. Every year they want to take additional steps. This year their focus is on creating a culture of cyber threat awareness among all employees.
“Cybersecurity is not just an IT issue,” explains John Louwet, Infrastructure & Security Engineer at Democo. “Together with the management and all employees of Democo, we want to further sharpen our awareness of cybersecurity and our security mentality.” To guide them step-by-step, Democo Group counts on the expertise of spotit. The collaboration between both parties started six years ago with an extensive security audit.
This audit gave us a clear picture of where we stood and what our most important goals were.
The findings led to a strategic security plan that was gradually implemented, partly by Democo’s internal team, partly with the support of spotit experts.
More attention to cybersecurity
Initially, cybersecurity did not receive sufficient attention within Democo and was driven only by IT. That gradually changed. Thanks to growing awareness and support from management, significant changes have been systematically implemented in recent years. “We do about three major initiatives a year,” says John. “For example, in the beginning, passwords were kept in Excel. Naturally, we quickly changed this with the introduction of a password policy.” Active Directory was also tackled, and more advanced tools such as Cisco Umbrella have now been implemented. In addition, all necessary documentation was developed, such as an incident response plan and a business continuity plan. Finally, Democo Group also joined spotit’s CSIRT service. This means they benefit from expert support in the event of a cyber incident.
A social engineering test doesn’t lie
The next important step towards more maturity is working on an ‘awareness culture’ in the workplace.
You could just walk into our offices and no one would question it, so to speak. To increase awareness about safety, we had a social engineering test carried out by spotit at the beginning of this year.
For example, USB sticks were sent to various Democo branches with the request to distribute them, under the guise of a competition in which employees could win a gift. Certain receptionists had questions and contacted IT, but not everyone did. A large number of USB sticks were therefore distributed internally. Out of a total of 100 USB sticks, 64 were inserted into a computer and the PDF on the stick was also opened. Two people even left their account details. These results raise eyebrows and show that there is still work to be done.
Democo immediately took action. Shortly after the test was carried out, the results were presented during the Democo Group safety day. “All the results were discussed, what had actually happened and what they were not allowed to do. The fact that inserting a regular USB can have many bad consequences was clearly framed,” says John. In addition to introducing security training, Democo now also sends employees regular messages via the Insites intranet to keep raising awareness. Democo Group also invested in an online training platform that continuously trains and informs employees about current threats such as phishing. “We won’t let it go anymore. We’re officially on the road,” John says combatively.
Our collaboration with spotit is simply effective. They have the necessary expertise that we can use when needed. Our annual strategy brainstorms are also invaluable and often lead to projects that improve our cybersecurity.
Advice for other IT managers?
Based on his experiences, John is happy to share the following advice with fellow IT professionals: “A lot depends on the maturity of your organization. We have come a long way, so we first focused heavily on optimizing the existing tools. Start by strengthening the basics and then gradually expand with user awareness trainings and more advanced tools. Regular audits are also essential to continue to identify weaknesses and thus systematically improve your security posture.”
The journey that Democo Group has taken together with spotit in recent years is a testament to their dedication to improving their cybersecurity maturity. Thanks to the efforts made, Democo Group’s business is now much better equipped to deal with the many cyber threats.