“Be Secure” – How to implement the 9 key behaviors in your team

Presentation transcript:

“Be Secure” – How to implement the 9 key behaviors in your team Information Protection and Cyber Security INTERNAL

Purpose and content of leadership toolkit

Join in and make yourself acquainted with the Leadership Toolkit. Learn more about the objectives of the campaign and the 9 key behaviors. Understand all 9 behaviors “to Be Secure”, communicate and anchor them in your team.

- An electronic Leadership Guide, with information about the campaign and how you can become a role model in 3 pragmatic steps.
- A leaflet for employees, introducing all key behaviors and providing Do’s and Don’ts.
- A slide deck for discussing each secure behavior with your team, with tips on “hidden slides” for you as disciplinary manager to embed them in your working day.

Ensure that all of your team members have access to the leaflet for employees – in a printed or electronic version – before presenting the slide deck in your team meeting. Place the topic “Information Protection and Cyber Security” on the agenda of your regular team meetings and use the slide deck to discuss the 9 key behaviors. The slide deck includes an overview per behavior and a leadership preparation on hidden slides.

#1 Join in – your behavior makes the difference

Your behavior is the most important security asset at BASF. You make a huge impact on Information Protection and Cyber Security by joining in to protect our information.

What does this mean for each of us?
- Understand and identify where and how you can apply the key behaviors every day
- Don’t take security lightly by ignoring security measures out of convenience

#1 Join in – your behavior makes the difference
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Present each key behavior regularly in your team meetings and discuss the behavioral Do’s and Don’ts
- Hang up a poster of the “Be Secure” campaign in your office
- Share the link to the “Be Secure” portal with your team and encourage them to add it to their “Favorites” list
- Integrate secure behavior in your team’s performance cycle (objective setting, appraisals)
- Integrate the Information Protection Minimum Requirements in your team
- Give feedback if your team behaves in a (non-) secure manner
- Motivate your team to complete web based trainings on Information Protection

#2 Use strong passwords

Accessing systems with user name and password is usually one of the first things we do each day at work. Select strong passwords, change your passwords regularly and use additional authentication factors.

What does this mean for each of us?
- Create strong passwords in line with company requirements
- Don’t give other people access to your password(s) or other authentication factors

#2 Use strong passwords
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Inform your team about the password requirements
- Foster the use of strong passwords for systems and applications in your team and establish it in the workplace
- Propose to use a calendar reminder for changing passwords in your team
- Have a look periodically whether your team members lock their IT systems during absence

#3 Classify Information

You are handling tons of information at work every day. How can you support others and your systems in handling information securely? Join in by classifying and marking your business information so that it is handled appropriately.

What does this mean for each of us?
- Classify information by using the BASF Protection Classes and handle them accordingly
- Don’t neglect your responsibility to classify information and don’t underestimate your impact in doing so

#3 Classify Information
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Make sure to classify and mark shared information with your team correctly
- Point out examples with respect to correct and false classification
- Ensure that a classification list for your unit is available and share it in your team (ask your Information Protection Officer for support)
- If necessary introduce your team to the BASF Microsoft Office Wizard
- Present the classification wheel in a team meeting (write to be-secure@basf.com)

#4 Respect the Need-to-know principle

The Need-to-know principle means only authorized people receive the information they need to perform their tasks. Always consider the Need-to-know principle and be careful when you share business information.

What does this mean for each of us?
- Always consider which information your counterpart requires for his / her job
- Don’t be careless with your information nor with the tools that you use to share them

#4 Respect the Need-to-know principle
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Explain the Need-to-know principle and the importance of complying with it to your team
- Check access rights (e.g. Teamrooms, Shared Drives etc.) regularly in your area of responsibility (at least once per year)
- Ensure a secure physical and/or virtual environment for meetings
- Discuss the social media policies of BASF with your team

#5 Use public web services carefully

Public web services make life easier for us. They let us collaborate in real time and are often free of charge. Only use BASF approved public web services for work purposes and be mindful in what you share online.

What does this mean for each of us?
- Be aware of the BASF authorized web services for file storage, translation or communication
- Don’t use public web services for handling corporate information because you lose control over it

#5 Use public web services carefully
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Use examples to discuss why certain public web services (e.g. Google Translate) are not allowed to be used at BASF
- Integrate the secure web services at BASF into your and your team’s work routine (e.g. using the BASF SharePoint)
- Be a role model and discourage the use of unsecure public web services if you observe it in your team
- Discuss (if needed with the Information Protection Officer) how social engineers use personal data unintentionally published on the internet and check recent incidents

#6 Check received files and hyperlinks before opening

Have you ever received a malicious email that looked official? Scammers can actually be very smart in trying to trick receivers. Look out and check the source, links and files properly to protect from malware or getting scammed.

What does this mean for each of us?
- Handle emails and their content cautiously
- Don’t be careless when reviewing and responding to emails

#6 Check received files and hyperlinks before opening
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Share the link of the “Phishing” page on the “Be Secure” portal within your team. Encourage them to read the newsletters and to complete the training.
- Inform your team about how to handle phishing mails properly and provide your team with the checklist for identifying phishing mails
- Discuss phishing incidents that may have happened in your team or at BASF in general. Inform your colleagues or your Information Protection Officer, if such emails are currently circulating
- Explain to your team how to forward a suspicious email as an attachment to phishing@basf.com. Demonstrate how to do it: Simply choose or click on the email and press the key combination Ctrl + Alt + F.

Please distribute this link.

#7 Only connect authorized devices and use encryption

External devices are frequently used for work purposes. As a result, they are one of the most common ways to attack companies. Don’t connect unknown, non-BASF, found or private devices to the BASF infrastructure. And remember to encrypt sensitive infrastructure.

What does this mean for each of us?
- Only use authorized devices and ensure that sensitive information is encrypted
- Don’t neglect your responsibility to fulfill the security requirements for portable devices

#7 Only connect authorized devices and use encryption
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Use hardware encrypted USB sticks, if available (e.g. Kingston Traveler)
- Promote the importance of strong passwords for authorized devices in your team
- Remind your team to never leave mobile devices unattended
- Do not charge external devices using your laptop, or your BASF smartphone using external rechargers via USB interface. The power plug is the safest choice!

#8 Connect to BASF network when working outside the office

Being outside the office also means being outside of the protected “BASF network environment”. Take additional security measures, such as using the BASF VPN, and always keep an eye on your physical environment.

What does this mean for each of us?
- When working remotely always activate the BASF VPN
- Don’t process business information in an unsecure environment (e.g. a canteen, hotel lobby or airport)

#8 Connect to BASF network when working outside the office
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Ensure that your whole team can handle the BASF VPN tool by introducing it in a team meeting
- Advise your team to comply with information protection also on journeys and while traveling

#9 Get help from IS Service Desk and your local Information Protection Officer

Questions are normal and mistakes can always happen. Speak out and address issues or uncertainty with the IS Service Desk (ISSD) or with your Information Protection Officer (IPO).

What does this mean for you as a role model?
- Get familiar with the services provided by your local IPO and IS Service Desk
- Don’t hesitate to report incidents and queries to the IS Service Desk

#9 Get help from IS Service Desk and your local Information Protection Officer
Important note: Additional information for you as a leader. This is not part of the presentation.

How can you promote this key behavior in your team?
- Inform your team of the contact details for your unit-specific Information Protection Officer (IPO) and IS Service Desk
- If applicable, organize a “Meet & Greet” with your local Information Protection Officer
- Actively take part in and promote events that are organized by your local Information Protection Officer and keep your team up-to-date
- Discuss the different roles and services of the Information Protection Officer and the IS Service Desk (who should be approached when?)

The “Be Secure” portal forms the solid digital foundation of the IPCS awareness campaign

- The Global “Be Secure” portal (be-secure.basf.net) went live in May 2015
- Joint Project between the two competence centers GU and GS
- It is the global communication platform for the behavioral change campaign and beyond
- It illustrates 9 key behaviors for users to securely handle their jobs in 7 languages
- Highlights current specific topics (Phishing, IPO Spotlight)

Each key behavior page follows a 3-step communication approach

1. Animated videos, introducing the behavior and its context and creating attention
2. Infographics, communicating the Dos and Don’ts to users
3. FAQ, explaining the details and giving step-by-step guidance

Information Protection and Cyber Security concerns everybody at BASF

Information Protection and Cyber Security concerns everybody at BASF! Help us to spread the message of Be Secure…