
Creating a culture of cyber security 

Discover why you need to create a positive culture of cyber security in your organization and the steps to take to make it happen.

Although it is gaining recognition, the importance of investing in people and culture when it comes to cyber security has been a little overlooked historically. Now is the time to correct that.

You can achieve an effective cyber security programme, with awareness and vigilance among your employees, by creating a positive culture of cyber security in your organization.

What is cyber security culture?  

Cyber security culture is when good cyber security practices are so embedded in your organization that your employees do the right things intuitively. It refers to the values, beliefs and practices within any organisation when it comes to security. For example, all employees believe that enabling 2FA is important and it is implemented across the organisation.

Your employees should live these values. You can encourage them to regularly think about their role in cyber security and how they act according to those beliefs, which ultimately will contribute to the security of the business.  

Cyber security is much more than technology. A high percentage of all cyber attacks involve an attacker targeting a human at some point in the chain. A strong cyber security culture means people will become an important part of your defense and can prevent attacks in ways that are almost impossible to replicate through technology alone.

Security culture is there to support and empower people to do this.  

The top 3 things that make up a positive cyber security culture are:  

1. Make cyber security visible and part of your business goals 

If you want your employees to understand why cyber security is important to the organization, then you need to be clear on how it relates to them, their role, and the business. Making the reasons why it is important very specific will also help people to understand and engage with these messages.  

Cyber security should be talked about, promoted, and rewarded, especially by leaders. You want to show that cyber security isn’t just the responsibility of IT teams, and that everyone is in it together.

Tone from the top is really important: your leaders should be role models for these behaviors and hold themselves to an even higher standard.

2. Focus on the cyber security basics 

People in your organization are busy and even the most engaged employees will have limits on what they can remember. It is better that they do 3 things really well than try to do 10 things inconsistently. Be clear on what is expected of colleagues and focus on the foundations of a cyber secure culture, such as setting long and strong passwords, enabling 2-Factor Authentication on all accounts, and reporting suspicious emails quickly.

Decide which behaviours are most important to you and then communicate them consistently. Remember communications 101—when you are tired of saying it, people are starting to hear it.  

Training should also never be compliance-based or boring. Make it relevant, fun, and reward the right behaviors, relating training back to real-world examples and your business’s values.   

Focus on the basics and the core of what you need for your business to operate in a secure way. (You can watch our video on risk management to support this approach.) 

3. Have a simple way for people to report cyber security issues or concerns  

There should be a simple and clear way for colleagues to report a security incident or anything unusual. Regardless of the size of your business, making this process clear will reduce confusion and ensure that everyone feels safe to raise concerns and act on them.  

There is no such thing as over-reporting in cyber security. Watch our video on how to prepare for security incidents to learn more. 

Everyone in an organization, but especially leaders and those responsible for technology, has a responsibility when it comes to security. Supporting initiatives, creating spaces to talk about it regularly, and being clear on what the minimum standards are will help you build a transparent culture. Create a space where everyone understands that managing cyber risk is an ongoing activity that depends on communication and collaboration.

Final thoughts 

Building a culture of security takes time and requires your organization to change. Utilizing these 3 core behaviors will help you achieve this. Your employees and stakeholders will become a strong line of defense for your business, so that it continues to thrive even in the face of threats.