In 2022, experts estimated that 85% of data breaches involved a human element. That includes exposure of confidential data, misconfigurations, or mistakenly enabling malicious actors to gain access to the network.
Unfortunately, humans today are considered the weakest link in your organization’s security. If employees feel there is a lack of shared context on cybersecurity threats and why they need to follow specific policies, they are less likely to stick to the requirements, and that is highly likely to lead to security gaps. There are steps you can take to defend against persistent threats while keeping employees engaged.
This article explains how you can create a strong culture of security so that employees can instead be your greatest source of strength.
What is a security culture?
What action will your employees take when faced with a decision that could expose your organization to risk? Do they know the correct steps to take?
The answers to these questions give you insight into your organization’s security culture and how integral a role security plays in it.
The table below illustrates how employees act differently when the security culture is deeply embedded within an organization versus when it’s not.
| Scenario | Employees without a security culture | Employees with a security culture |
|---|---|---|
| An employee receives a suspicious email in their inbox. | The employee deletes it, clicks on the link, or does nothing but mention it casually to other employees (“Did you get a weird email too from Bank1234?”). | Employees who receive a suspicious email report it directly to the cyber team or to the person responsible for handling such issues. |
| An employee finds a piece of paper with a list of passwords and the accounts they’re linked to. | The employee throws the paper in the trash. | The employee reports the incident to the security team, who educate the organization about the importance of secure passwords, multi-factor authentication (MFA), and password managers. |
Benefits of having a strong security culture
When a strong security culture is in place, and your organization communicates the process and procedures to everyone, employees are more confident and proactively engage in making the right decisions.
As a result, the risk of security incidents decreases, and the time security teams spend fighting threats and dealing with incidents should fall. The company may also achieve higher levels of compliance than before, lowering the risk of the financial damage that can follow when compliance requirements are not met.
9 key steps to create a company culture of security
Instead of blaming employees for being lazy or finding workarounds that expose your organization to risk, organizations need to lay the proper foundation for a culture that encourages employees to collaborate on finding a more secure solution. You’ll need to build a strong culture of security by opening the doors of communication so that everyone within the organization can explore and improve on best practices together.
Here are a few practical tips for achieving this:
1. Survey your current situation honestly
Before you can suggest how to improve the company culture of security, you’ll first need to thoroughly evaluate the current security situation.
That means you’ll need to get answers to questions such as:
- What is your organization’s highest priority at the moment?
- How does your organization ensure employees are up-to-date with the latest best practices?
- Are there issues with meeting compliance? Why?
- How does your organization deal with new threats as they arise?
Only after surveying managers, the C-suite, and employees will you have a better picture of the current situation and be able to create a roadmap with goals for improvement in the future.
2. Create a solid cybersecurity plan
You cannot have a culture of security without a strategy in place for detecting, measuring, and responding to security risks. While threat intelligence technology can help minimize the damage a malicious threat actor inflicts on your organization, it doesn’t eliminate the threats employees introduce through workarounds, insecure passwords, and misconfigurations.
To help you get started, incorporate these elements into your cybersecurity plan:
- Undertake a comprehensive risk assessment
- Work within a reliable security framework, choosing one that fits the type and size of the company
- Implement excellent security awareness training for all employees
- Build an incident response plan
- Outline the roles and responsibilities across the organization
- Evaluate the cybersecurity technology and tools you may need to deal with threats
- Consider the compliance requirements related to your company, such as PCI DSS, HIPAA, ISO 27001, and GDPR
- Review all security policies and ensure they remain up-to-date at all times
3. Create simple, clear security policies
Organizations often make the mistake of writing security policies that are too technical for most employees to understand, or they fail to communicate the process or system employees should use to report security issues.
In contrast, Yahoo built a strong security culture by giving its employees clear instructions regarding their best practices.
“When generating a new single sign-on password, we want all employees to generate and store the password within our corporate-approved password manager.”
4. Lead with transparency on expectations
In the past, security education translated to awareness. But awareness doesn’t communicate the actions you want your employees to take.
Your security culture should set specific goals:
- We want employees to recognize weak versus strong passwords and change their passwords regularly without being asked.
- We want employees to understand that they cannot share passwords, keycards, door codes, and other assets as they may easily fall into the hands of a malicious actor.
5. Employ accountability
When a breach occurs, you should be able to trace it back to a specific individual or department. Explain what happened and how the employees or the department are accountable. For example, you may discover that an entire department is sharing the same password or has set up an account through an unauthorized website. Use the incident to reinforce the need for better security practices.
6. Implement engaging security awareness training
Focus on high-quality, efficient training that includes interactive learning and short quizzes to reinforce what was learned. CybeReady’s fully managed cybersecurity awareness platform incorporates this type of training while decreasing the high-risk employee group by 82% and increasing the employee resilience score by 5x, all within 12 months of training.
7. Ensure executive priority and support
Support for a culture of security must start with management explaining its importance and how it will help the organization achieve its business goals. Management can demonstrate its support by actively participating in the training. Department heads can also lead in instilling a good culture of security within their teams.
8. Reward employees for their security efforts
How can you blame employees who receive negative feedback for reporting security incidents for being unwilling or unmotivated to report incidents again?
Create a culture that rewards employees and recognizes their contribution to security. This could include verbal praise of employees who complete cybersecurity training, offering cash rewards, or sending a message that says: “Thank you so much for helping us improve our security together!”
9. Instill the message that good security culture is up to everyone
The CISO and security team cannot be solely responsible for creating the security culture in your organization. Executive leadership must take a visible role in cybersecurity to demonstrate its importance to the entire organization.
Addressing resistance to security culture
People hate change. Don’t expect employees to embrace a new security culture immediately. Instead, spend time educating employees on why a good security culture is essential and make it engaging for them. For example, most employees find multi-factor authentication (MFA) cumbersome. However, when you explain that compromised credentials caused 62% of security attacks, they may be more open to accepting new security policies. Encourage greater flexibility and collaboration within the organization. For example, you might consider temporarily adopting an employee’s workaround until the new security policies are properly integrated.
A gradual yet more efficient approach to a culture of security
Your organization’s security culture isn’t static. It needs to be a continuous and open discussion within the organization about the latest security procedures, best practices, and ideas for improving its security. CybeReady’s security awareness platform helps teams build a strong culture of security in your organization by teaching your employees to manage threats proactively and to identify and respond to potential threats. The platform is also engaging and interactive, with measurable KPIs so security teams can verify its effectiveness.
Want to deploy an engaging security awareness training program that builds your security culture? Request a demo today.