Involving employees in cyber-security concerns
Published: November 17, 2025
We interview Joakim Karlén about how to involve all employees in information security and cyber hygiene work. (The video version is in Swedish.)
Interviewer: Let’s start from the beginning – what does cyber hygiene actually mean?
Joakim Karlén: – When you hear the word hygiene, you think about the things you should always do, like washing your hands.
It’s actually the same in cybersecurity. Cyber hygiene is about ensuring that everyone knows and follows the basic routines needed to protect both themselves and the organisation.
Small and large organisations – different conditions
Interviewer: When working with smaller organisations, how does their work differ from that of larger ones?
Joakim Karlén: – Larger organisations often have more structure and support, such as an IT department that drives the security work.
In smaller organisations, individual responsibility becomes greater. Everyone needs to understand how their own actions affect security – because you can’t rely on the same support functions.
Interviewer: What are the most common mistakes?
Joakim Karlén: – The most common mistake is not having control over your digital assets. Many lack routines for how computers and mobile devices should be handled, or training in basic security practices. This means they miss simple but crucial safeguards.
Creating engagement
Interviewer: So how do you get employees to think actively about these issues?
Joakim Karlén: – It starts with education. You need to explain why the rules exist and connect them to everyday work:
What do you do in your daily routine, and what risks exist in those specific moments?
Many don’t see cybersecurity as part of their job – but it is. Just as you wouldn’t run around the office with scissors, you shouldn’t handle your digital tools in a risky way. Cyber hygiene is about understanding the tools you use and how to handle them safely.
Behaviour rather than technology
Interviewer: So ultimately it’s about culture and behaviour?
Joakim Karlén: – Exactly. Cyber hygiene is not just technology – it is above all behaviour and awareness.
To support that culture, you need clear routines and checklists – for example, for how new employees are introduced to security practices.
You can also practise incidents, such as through simulated attacks, so that everyone learns their role if something goes wrong. When you train for failure scenarios, people become more aware of their responsibilities – and more confident in how to act.
Interviewer: Which threats should organisations focus on right now?
Joakim Karlén: – We’re seeing that attacks are becoming more frequent and more automated.
Many small organisations think “we’re not interesting” – but the attackers don’t know that. They attack anything that can be attacked. And with today’s AI tools, it’s possible to pretend to be someone else and carry out advanced social engineering attacks with far greater precision and volume than before. This means the risk of being deceived increases dramatically – especially if employees aren’t vigilant.
Cyber hygiene is about doing the simple things right – every day. It requires structure, training, and engagement from everyone.