Creating a culture of cyber security

Discover why you need to create a positive culture of cyber security in your organisation and the steps to take to make it happen.

Although it’s gaining recognition, the importance of investing in people and culture when it comes to cyber security has been a little overlooked historically.

However, now is the time to correct that.

In order to have an effective cyber security programme with awareness and vigilance among your employees, you need to create a positive culture of cyber security in your organisation.

What is cyber security culture?

Cyber security culture is when good cyber security practices are so embedded in your organisation that your employees do the right things intuitively.

Your employees should live these values. You can encourage them to regularly think about their role in cyber security and how they act according to those beliefs, which ultimately will contribute to the security of the business.

Cyber security is much more than technology. A high percentage of all cyber attacks involve an attacker targeting a human at some point in the chain.

A strong cyber security culture means people will become an important part of your defence and can prevent attacks in ways that are almost impossible to replicate through technology alone.

Security culture is there to support and empower people to do this.

Top 3 things that make up a positive cyber security culture

1. Make cyber security visible and part of your business goals

    If you want your employees to understand why cyber security is important to the organisation, then you need to be clear on how it relates to them, their role, and the business.

    Making the reasons why it is important very specific will also help people to understand and engage with these messages.

    Cyber security should be talked about, promoted, and rewarded, especially by leaders. You want to show that cyber security isn’t just the responsibility of IT teams and that everyone is in it together.

    Tone from the top is really important and your leaders should be the role models for these behaviours and hold themselves to an even higher standard.

2. Focus on the cyber security basics

    People in your organisation are busy and even the most engaged employees will have limits on what they can remember.

    It’s better that they do three things really well than try to do 10 things inconsistently.

    Be clear on what’s expected of colleagues and focus on the foundations of a cyber secure culture, such as setting long and strong passwords, enabling 2-Factor Authentication on all accounts, and reporting suspicious emails quickly.

    Decide which behaviours are most important to you and then communicate them consistently. Remember communications 101—when you are tired of saying it, people are starting to hear it.

    Training should also never be compliance-based or boring. Make it relevant, fun, and reward the right behaviours, relating training back to real-world examples and your business’s values.

    Focus on the basics and the core of what you need for your business to operate in a secure way. (You can watch our video on risk management to support this approach.)

3. Have a simple way for people to report cyber security issues or concerns

    There should be a simple and clear way for colleagues to report a security incident or anything unusual.

    Regardless of the size of your business, making this process clear will reduce confusion and ensure that everyone feels safe to raise concerns and act on them.

    There is no such thing as over-reporting in cyber security. Watch our video on how to prepare for security incidents to learn more.

    Everyone in an organisation, but especially leaders and those responsible for technology, has a responsibility when it comes to security. Supporting initiatives, creating spaces to talk about it regularly, and being clear on what the minimum standards are will help you build a transparent culture.

    Create a space where everyone understands that managing cyber risk is an ongoing activity that depends on communication and collaboration.

Final thoughts

Building a culture of security takes time and requires your organisation to change.

Utilising these three core behaviours will help you achieve this. Your employees and stakeholders will become a strong line of defence for your business, so that it continues to thrive even in the face of threats.