Why Digital Trust Begins in Everyday Work – Not in the IT Department
Jul 01, 2026 | Digital Trust Stories / Cyber Security

Just before nine in the morning, an employee logs into the company network. A few clicks later, he has access to confidential information. In the evening, he is on a train, working on presentations over public Wi‑Fi. This is how millions of people work today. But behind every login, every connection and every digital signature is an identity that attackers can abuse. Digital identity theft is a serious threat. As Chief Information Security Officer (CISO), Dražen Morog creates the framework for information security and cybersecurity at DEKRA – and makes sure digital identities stay secure.
Small Conveniences Create Major Risks for Digital Identity
In day-to-day digital business, even small oversights can turn security into risk: a screen stays unlocked just for a coffee. Employees share login details. Passwords are stuck to monitors.
Dražen Morog knows this is usually not about bad intentions or laziness. “Employees simply want to get their work done as efficiently as possible,” he says. But this lack of risk awareness in everyday work is exactly what makes the situation dangerous, the CISO adds. “Through identity theft, attackers do not need to break through firewalls or hack systems. They simply take over an employee’s digital self and, with it, all that person’s rights in the system. Everything that happens from that moment on happens in the employee’s name.”
Protecting Digital Identities: Information Security and Cybersecurity Must Work in Practice
The CISO of the DEKRA Group knows this reality from first-hand experience. He began his career as a telecommunications electronics technician. He later qualified for university through adult education, studied communications engineering and moved into information security, taking on CISO roles from 2010 onward. Dražen Morog has been Chief Information Security Officer at DEKRA since 2021. Because of his background, he knows what matters in day-to-day work: “Information security and cybersecurity above all have to work in real life. They have to work in the office just as well as they do in the field. We are here to support our colleagues. So we have to understand them. Otherwise it will not work.”
For the CISO, one thing is clear: “Every company needs security rules that fit the way people actually work. If locking screens, handling passwords carefully and never sharing logins become routine, that closes a key gap in the protection of digital identities.”
Because of my training, I understand colleagues who work hands-on in the field. I used to be one of them myself. Cybersecurity must never slow people down. It has to enable, reduce risk and increase opportunity. We need to make the value of information security and cybersecurity visible. Combined with clear rules and awareness, that gives companies the best protection and strengthens trust.
Dražen Morog, Chief Information Security Officer at DEKRA
Deepfakes: When We Can no Longer Trust Familiar Faces and Voices
In the age of Artificial Intelligence (AI), the threat scenario has changed. Cybercriminals exploit our trust. One example: time is short, a project deadline is approaching – and that is exactly when the boss calls. The voice sounds familiar, the tone is firm, the task is supposedly urgent: “Please approve this immediately. It cannot wait.” In moments like these, many people tend not to question what they hear, but to act. That is exactly what deepfakes are designed for – digitally supported imitations of faces and voices.
“We recently saw a case like this at a customer’s company. An employee was just about to trigger a supposedly ordered money transfer. But then he did the right thing: he paused and checked with his supervisor through a second channel. The instruction was fake.” For Dražen Morog, this case shows one thing clearly: vigilance matters, but in the long run it is not enough. With AI support, professional cybercriminals can now imitate voices and digital senders so convincingly that even experienced employees begin to doubt themselves. “That is why every company needs clear verification paths and a mandatory two-channel rule. This is not a recommendation – it is governance. As a global testing organization, DEKRA is more aware of this than most. We cannot simply hope that someone will do the right thing at the right moment. We have to build a system that supports people in doing it.”
There is no such thing as one hundred percent security. It is always about balancing risk: how much security do I need so I can still work efficiently? Information security and cybersecurity must never become a burden.
Dražen Morog, Chief Information Security Officer at DEKRA
Connected Systems as a Target for Cyberattacks
His practical background is also why Dražen Morog does not just look at office workplaces. It is not just people who have a digital self – machines also need to prove who they are. Every control unit, every sensor needs a reliable identity so connected systems can trust one another. Modern cars are computers on wheels, with components constantly exchanging data. These interfaces are exactly what attackers want to exploit. Their goal is to insert themselves into communication flows or find weaknesses in certificates and protocols. In cars, this is not only a digital risk, but a physical one. If an attack succeeds, criminals can influence systems – from tampering with control units to functions such as emergency braking or partially automated driving.
This is where DEKRA supports vehicle manufacturers. In specialized laboratories, including in Málaga, Spain, experts test hardware and communication paths specifically for vulnerabilities. The goal is to identify these weaknesses early so manufacturers can improve their products and connected vehicles on our roads remain safe.
Europe and DEKRA Work Together
The European Union is currently tightening its rules through frameworks such as the Cyber Security Act and the Cyber Resilience Act. DEKRA is involved in their practical implementation, for example in the EU Horizon project “Custodes”. Dr. Jasmin Cosic, responsible for Partnership & BD Cybersecurity at DEKRA, contributes expertise directly to the project. This helps create binding frameworks that manufacturers must use to design, test and secure their connected products and systems – from automotive control units to industrial IoT solutions.
DEKRA Leads by Example
As Chief Information Security Officer, Dražen Morog is responsible at DEKRA for what is known as the “Second Line of Defense”: while DEKRA’s cybersecurity trainers help companies detect attacks, he and his team build the foundation – rules, structures and a security culture that holds up. One principle is clear: as an expert organization, DEKRA must lead by example in Digital Trust – the trust that digital systems and identities work securely and reliably. “We live by the level of protection we recommend,” Dražen Morog emphasizes. DEKRA operates internationally, with locations in Europe, Asia-Pacific and North and South America.
In practical terms, the CISO recommends making multi-factor authentication the standard, introducing clear rules for the use of home offices and company hardware, and setting requirements for external staff and service providers. A common mistake from his point of view is connecting private devices to the corporate network without adequate safeguards – in other words, an insecure form of “bring your own device”.
Five Practical Rules that Protect Digital Identities in Everyday Work
1. Cover your back
Do not enter login details when others can read along – for example in a meeting room, in the hallway or on the train.
2. Lock your screen
Always lock your screen when you leave your desk. It should be as natural as locking your car – you wouldn’t leave that open either.
3. Logins stay personal
Keep your login details to yourself. Anyone who shares passwords loses control over what happens in their name. It is like sending someone shopping with your own bank card and PIN.
4. Use a password manager
Many logins mean many different passwords. Password managers help you manage them securely – without sticky notes on the monitor.
5. Use public networks only with protection
Whenever possible, use a VPN to access company resources in train stations or on trains. Think carefully about which data you access and where.
These rules of behavior are easy to put into practice, and they significantly reduce vulnerability. For Dražen Morog, they are a key building block of Digital Trust – complementing technical safeguards. What matters to the CISO is that people understand this: anyone who fails to follow the rules is taking on an unpredictable risk – for themselves and for the company.
Digital Identity is Here to Stay – Trust Will Make the Difference
Whether it is a login, a digital signature or automated data exchange between machines, no company can function today without reliable digital identities. The CISO is convinced: “The path toward digitalization and the use of AI are irreversible. We live and work in a digital world. We have to find our way in it and prevent digital identity theft.”
Artificial Intelligence is making the situation more serious: attacks appear more credible, and identities are easier to imitate. At the same time, AI can also improve security, for example by detecting anomalies. For Dražen Morog, what matters is that companies seize opportunities and manage risks. “Trust is not a state you reach once. We have to earn it anew every day – technically and in the way we handle digital identities. That is where DEKRA helps companies,” says the CISO.