From remote working to a stable digital infrastructure
When Benno Vogt started at the Hague-based stage and makers' house Korzo in 2021, the way of working was undergoing drastic changes. Due to the pandemic, everyone suddenly had to work from home. This immediately exposed a weak spot in the organization’s IT facilities. ‘During the pandemic, the work situation changed drastically: previously, everyone worked on fixed computers in the office, but now everyone suddenly had to work from home. It quickly became apparent that the technology was not set up for this: employees had to work on their own laptops, and the VPN connection constantly let us down.’
Vogt was given IT responsibilities in addition to his financial tasks. It soon became clear that remote working was not temporary. Therefore, Korzo decided to seek external help. An external party brought order to the IT infrastructure and folder structure.
Cybersecurity also requires policy and clear agreements
Once the technical foundation was in place, Korzo looked beyond just systems. The stage house also worked on policy and agreements. This was necessary, Vogt explains: ‘Subsidy providers, through accountant audits, are imposing increasingly strict requirements on organizations, including in the area of security. Even as a relatively small cultural organization, for which this is not the core business, we must comply.’
For this, too, Korzo called in external help. During several workshop days, they mapped out all the processes to be addressed. They also looked at risks such as fire, burglary, and not properly locking the premises. ‘For example, we checked who had access to which spaces. Based on that, we decided to switch to electronic keys.’
Additionally, Korzo created a complete overview of all the digital tools needed to perform their work, such as systems for invoicing, room reservations, online payments, and staff scheduling. These tools are assessed against strict standards. Korzo regularly checks this. This also applies to all physical suppliers the theater collaborates with.
The result is a living overview. It shows what is already well-organized and what actions are still needed. This is important because the certificate that Korzo has now obtained is valid for two years. Therefore, periodic external audits take place.

Cyber-secure working starts with employees
Cybersecurity is not just about technology but primarily about people. ‘From file access rights to setting up procedures for when someone leaves the organization: you name it. To involve all our staff in this, we have created a handbook for new employees. In addition, everyone who starts with us must take a cyber awareness training, so it is immediately clear how seriously we take this. To keep everyone sharp, we revisit this topic during a monthly coffee round with the whole team. Everyone is also required to continue periodic training. Furthermore, everyone has access to useful tools, such as a password manager. I create handy videos to guide everyone through it.’
Involving colleagues in change with the ADKAR model
Becoming cyber-secure depends on the involvement of employees. For this, you can use the ADKAR model (Awareness, Desire, Knowledge, Ability, Reinforcement). This model includes the following steps:
- Awareness: explaining why cybersecurity is important.
- Desire: involving employees in the necessary improvements and showing them that the measures protect them.
- Knowledge: organizing training sessions on phishing, password management, and safe working.
- Ability: making tools user-friendly so that safe working is also easy.
- Reinforcement: repeating training, periodic checks, and accessible discussions about what is going well and what can be improved.
A credit card hack
The need for ongoing attention to cybersecurity is evident from minor incidents. For instance, Korzo's credit card was recently hacked, and phishing emails circulated. ‘It’s important to be open with each other about what went wrong in such moments: we simply cannot prevent these things entirely. It even happened to me: when I had just started working here, I received one of those fake emails from the director asking to transfer thousands of euros. Fortunately, we didn’t pay it.’
The Korzo trajectory in practice
The trajectory Korzo followed to become a cyber-secure organization consisted of several phases:
- Inventory and risk analysis. All systems, data flows, and user rights were mapped out. This made vulnerabilities visible.
- Setting priorities. Not everything has to be done at once. The external party helped Korzo determine which risks were most urgent and where measures would have the most impact.
- Technical measures. Korzo addressed, among other things, password management, authentication, backups, network security, and rights structures.
- Policy development. Korzo developed protocols for data management, incident response, and system access.
- Awareness. Since many incidents are caused by human behavior, awareness was also given a lot of attention.
Cybersecurity tailored to a small organization
Korzo is a relatively small organization. This makes it easier to maintain an overview and act quickly when something goes wrong. Still, there are always items on the wish list. ‘For example, we want to get rid of one password for the entire Wi-Fi network. On the other hand, we shouldn’t spend all our days on this. We are a theater company, not an IT company: we have other things to do. If we burden people too much with these kinds of questions, they won’t have space for it.’
What other cultural organizations can learn from this
Changes sometimes trigger resistance. ‘People are creatures of habit: they’d rather keep things the way they are instead of switching to a new working method or tool. That’s why I always test something thoroughly before implementing changes. Because we continue to work carefully, we now have everyone on board.’
Vogt encourages other cultural organizations to follow a similar trajectory. ‘It provides so many new insights. It also fosters a sense of togetherness: we take it seriously but try to keep it light.’
How to start with cybersecurity yourself
Don’t wait for an incident
Prevention is cheaper and less damaging than cure.
Start small
A basic check already provides a lot of insight.
Work in phases
Not everything needs to be done at once.
Involve employees from the start
Awareness prevents unpleasant incidents and fosters a sense of shared responsibility.
Find an external partner that fits your needs
Not every IT party understands the cultural sector.
Secure funding
Explore – preferably early on – the possibility of securing external funding for part of the project. Organizations like WerktuigPPO and the Social Fund for Performing Arts offer specific subsidies for professionalization.
Discuss cybersecurity!
Want to learn more about cybersecurity? Join the conversation with colleagues from the sector during the DEN Community meet-up on March 19. This inspiring networking afternoon brings together cultural professionals to share experiences and practical examples on cyber resilience. Sign up and get inspired.
This article was written by Anne Louïse van den Dool on behalf of DEN.








