We all know zero risk is impossible, but there’s still plenty of room for improvement, especially when it comes to employee security awareness. Despite your technology investments and controls, if employees are oblivious to the role they play in protecting your organization, you’ve got unnecessary risk. It only takes one employee's act of negligence to create organizational havoc and costly business disruption. The solution? Create a culture of security that underpins every action taken by staff when attacks are detected, identified, and remediated.
By creating a corporate culture that puts security first — rather than making it an afterthought — you can reduce your organization’s total risk. In this article, we explore some of the top challenges that can inhibit a positive cybersecurity culture, plus best practices for creating a work environment that keeps employees– and your data– safe.
Rise of Ransomware and Phishing Attacks
From double-extortion ransomware to cleverly-disguised phishing attacks, the volume and variety of cyberattacks targeting employees continues to accelerate. Additionally, the attacks are getting more sophisticated as malicious actors are looking for any opportunity to compromise corporate systems.
According to KnowBe4, 91% of successful data breaches start with a spear phishing attack, and 81% of hacking-related breaches result from stolen or weak passwords. When systems are compromised, the impact on an organization is severe; in 2022, the average cost of a data breach hit an all-time high of $4.35 million.
Creating a culture of security means that not only do employees understand the importance of strong cybersecurity and the consequences of poor online habits, but they also actively participate in protecting the organization from cyber attacks, too.
The Challenges in Establishing a Security-First Culture
Perhaps the most common challenge when creating a security-first culture is change management. Humans are naturally predisposed to familiar processes and policies and are often reluctant to change, even if that change is in the best interest of the organization.
The same is true when it comes to creating a security-first culture. Often, an employee's personal experience will trigger a need for better security. For example, they or someone they know might have suffered an account compromise or been the victim of identity theft. Corporate cybersecurity, however, is often thought of as an "IT" problem, rather than a communal one. As a result, it creates a disconnect between what security teams are trying to do and what they can actually achieve. Thus, your organization should establish a baseline foundation of why online work behavior matters, as well as the impact of careless clicking.
Fear of consequences is another barrier to your success. Many employees are told not to click on suspicious links or download unknown attachments but are often given little in the way of direction if they do make a mistake. Not wanting to cause trouble — and not wanting to get in trouble — staff may sweep these issues under the rug and hope for the best. As a result, security teams lack the data they need to make informed decisions, and employees adopt the "don't tell" security policy as the preferred option.
Best Practices to Create a Culture of Security
So how do companies shift the narrative and create a ground-up culture of security that doesn’t punish staff who make security mistakes?
While there's no silver bullet — attacks–and mistakes— will always happen, despite your best efforts. With that said, here are our tips for building and bolstering a corporate culture of security.
Assess Current Conditions
First up? Companies need to assess current workplace conditions to determine where potential risks exist. A good place to start is with employee access permissions. While external threats carry significant risk, accidental insider threats are often more damaging to companies since they may not be immediately detected– it could be weeks or months before attackers leverage data that's been accidentally shared or exploit loopholes that staff have inadvertently created.
It's also important to consider your current reporting practices. What happens when a staff member detects a potential security threat or makes a mistake? If the answer is "they do nothing,” then something has to change. Ideally, staff should be encouraged to report any possible threat, even if they’re unsure of the motive. What's more, they need to be assured that reporting these issues, even if they've inadvertently caused or encouraged them, won't be tied to immediate disciplinary action.
The bottom line: to create a corporate culture of security, you need to start with trust.
Rethink the Role of Security
Next, it's worth taking the time to help staff and C-suite members better understand the role of security. Here's why: many employees see security as the "department of no." And it makes sense. When staff members ask for access to a new tool or technology, the most common answer they hear is "no". As a result, many teams hide their use of specific software or systems from IT to continue using them, thinking they’ll ask for forgiveness later. The problem? Free software pulled from dubious sites online often carries the risk of malware payloads or persistent threats — exactly what security teams hope to avoid.
To create a security-first culture, companies need to rethink the role of security. Instead of "no," it's about facilitation and education. How can security teams enable department needs for new tools that are in line with existing security processes? How can they help educate staff to reduce total risk?
Cultivate Shared Responsibility
Cultivating a corporate culture of security is also a shared effort. Even the best infosec teams can't handle the sheer volume of current and emerging threats on their own; responsibility should be jointly shared with executive leadership. Buy-in and support at the C-suite level sets the stage for staff onboarding — and policies and processes must be consistent across all levels of the organization.
Remember too, staff education is never a one-and-done task. Prioritize and incorporate regular employee training and education into your plan. Regular courses that staff are required to attend along with mock phishing or ransomware exercises designed to test security knowledge are shown to reduce organizational risk. The caveat? The goal here is encouragement, not criticism — your staff will learn best when they have room to make mistakes.
As you develop your employee awareness program, don’t forget to promote your progress within your organization and continuously remind employees to be on the alert. Give public praise for employee efforts when clicks on simulated phishing campaign drops or when employees report unusual email activity. Over time, you will see clicks on malicious links decline and employees be more discerning about the emails and texts they receive.
Embracing Cultural Changes and Security Awareness
Creating a culture of security doesn't happen overnight. Instead, it requires a concerted effort by security professionals, staff, and C-suite members.
But the results are worth the investment. Your employees– and your organization– will be much safer as a result of your security awareness training. Creating a culture of security may not be the most glamorous aspect of your job. But if it helps to keep business running as usual and prevents cyber drama from occurring, you’ve succeeded. Afterall, “uneventful,” in the context of cybersecurity is a good thing.