The importance of security culture can be seen now more than ever. Many of us work remotely; there are app concerns; and the lines between personal and business use of devices and networks are blurred, challenging our cyber resilience. Therefore, despite all the great tools, frameworks and protective measures in place, we need to ensure people are doing what they can to help protect the larger network. These basic tips can make a great checklist for creating a culture of cybersecurity at work, regardless of employees’ level of security literacy.

What goes up, must come down

Business today is astoundingly convenient. We can work off our phones, bring-your-own-device (BYOD) capabilities are wide-ranging and we can work from anywhere with a solid internet connection. These conveniences helped fuel a meteoric rise in security-related technologies, such as artificial intelligence and monitoring capabilities. But if the cybersecurity culture concerns are left unaddressed, those meteoric rises can become crashes and craters.

For this reason alone, employees must accept they have security responsibilities. Once they have done so, they have many ways to handle those responsibilities. Your organization can develop a cybersecurity culture relatively easily if you focus on the following: support your team, demystify security concerns, accurately convey the consequences and focus on the basics.

What is cybersecurity culture?

It is organizational behavior 101: just like any other business function, you need to set up your team for success. Your best-laid plans will go to waste with over-engineered policies, jargon and difficult to understand or erratic procedures.

Security is a tough business. It has a lot of moving parts, and is not for everyone.

Employ the Dee Hock rule: “Simple, clear purpose and principles give rise to complex and intelligent behavior. Complex rules and regulations give rise to simple and stupid behavior.”

Remember, you’re seeking buy-in from people who do not see security as part of their problem, so messaging matters. Plans that require long explanations (or worse, a manual!) will just get in the way of creating a culture of cybersecurity at work. Be mindful of this when adding administrative and physical controls.

Remember, if your organization practices poor cyber hygiene and does not have a security-first mindset, don’t expect one to develop naturally. Practicing what you preach and maintaining good leadership matter if you want attitudes to change.

Demystification: Don’t make people feel overwhelmed

Think of security as the running game in football. It’s not particularly exciting; it’s not overly complex; and it’s really a nose grind. But if you do it right and get three and a half yards per carry, you put points up every time you touch the ball. And unless you get cute or sloppy, your losses shouldn’t be more than a couple of yards. The running game has clear, simple purpose and principles. Sound familiar?

Like football, creating a cybersecurity culture is a team sport. People need to buy in or expect resistance. Don’t bog people down with complex terminology or constant “or else” individually-tagged approaches. It becomes draining and people tune out. Rather, find points of common understanding, such as interruptions to business operations and what impact they would have to ensure culture change.

If cybersecurity is perceived as a mystery, what do you think is going to happen? That people are going to line up and say “me first!” to buy in? Nope. They’re going to say, “no thanks, it’s your problem.”

It’s no different than any other culture issue an organization faces. You need to create a sense of belonging and understanding. If you want people to buy in, they need to understand the risks in a way that makes them feel like part of the team. One way to do that is to accurately convey to them the consequences of not having a culture of cybersecurity.

Key points for creating a culture of cybersecurity at work

Do not single people out. It’s a last resort, one best done with extreme discretion. And, never pile on. Cybersecurity is touchy as it is. You don’t want people feeling like they are walking on eggshells constantly. For an individual to internalize an issue, you need to find answers to these questions, in a simple and clear manner:

  • What is being done?
  • Why it is being done?
  • What is the result of not doing it?
  • How does it impact the business?
  • How does it impact the individual?

Generalities rarely go over well when trying to emphasize the importance of security culture. Specificity, on the other hand, can work wonders. Here are a couple examples of how all five questions can be answered in one shot.

  • As a law firm: we need to stop the BYOD policy and all work needs to be done on a corporate device, because of chain of custody issues. If we don’t, personal devices may be subpoenaed and confiscated. We don’t want your personal information being captured, as it may be admissible in a court of law.
  • As a research and development firm: all work must be done on the corporate network to thwart intellectual theft attempts. If we cannot control all information on our private intranet, we risk losing years’ worth of research that we will not be able to monetize. The company will then have to shut down and our jobs will be lost.

Notice again: these are clear, simple purposes and principles. Use any of these statements on your staff and they immediately get it. Nothing is left to chance or misinterpretation. If you throw out generalities like “security concerns” or “the policy states,” don’t be surprised if you get a shrug back.

The basics: Can’t go wrong with some good oldies

The last piece of the puzzle is simply people doing the basics. Once you get buy-in for creating a culture of cybersecurity, use a cheat sheet of easy things that both your colleagues and you, as an organization, can do. Here’s a list to get you started:

  • Avoid suspicious websites.
  • Keep an eye on data traffic.
  • Make backups.
  • Don’t use networks you don’t know or own.
  • Update your devices often. Set a schedule to do this, even at the personal level.
  • Know how to use the tools you have at your disposal.
  • Don’t over-engineer.
  • Resist the temptation to be lax, because even one wrong move can be devastating.

Good security is no different than healthy eating or good training. You need to do it every day for it to work, and it’s the system that matters. Your entire pattern of behavior makes you stronger.

Keep in mind, these tips are geared toward the individual. Individual employees make up the ‘micro’ part of the cybersecurity culture and privacy challenges. The other part of the system, the ‘macro’ challenges, can be best addressed by using best practice frameworks on the managerial level and doing the things you should be doing, such as periodic assessments, penetration tests, risk posture reviews and regular monitoring.

Today’s realities mean some conveniences need to be re-evaluated. One stands out: use of personal devices and networks. Short version: don’t mix use. There may be a higher upfront cost to performing this separation, but in the long run, it may save you from that one incident that makes you go bust.

There is a possible bonus too: with today’s emphasis on work/life balance, you may get more people buying into a cybersecurity culture if they know they that separation exists and will be respected.

More from Data Protection

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today