The importance of security culture can be seen now more than ever. Many of us work remotely, applications bring their own risks, and the lines between personal and business use of devices and networks are blurred, challenging our cyber resilience. Therefore, despite all the great tools, frameworks and protective measures in place, we need to ensure people are doing what they can to help protect the larger network. These basic tips can make a great checklist for creating a culture of cybersecurity at work, regardless of employees’ level of security literacy.

What Goes Up, Must Come Down

Business today is astoundingly convenient. We can work off our phones, bring-your-own-device (BYOD) capabilities are wide-ranging and we can work from anywhere with a solid internet connection. These conveniences helped fuel a meteoric rise in security-related technologies, such as artificial intelligence and monitoring capabilities. But if cybersecurity culture concerns are left unaddressed, those meteoric rises can become crashes and craters.

For this reason alone, employees must accept they have security responsibilities. Once they have done so, they have many ways to handle those responsibilities. Your organization can develop a cybersecurity culture relatively easily if you focus on the following: support your team, demystify security concerns, accurately convey the consequences and focus on the basics.

What is Cybersecurity Culture?

It is organizational behavior 101: just like any other business function, you need to set up your team for success. Your best-laid plans will go to waste with over-engineered policies, jargon and difficult-to-understand or erratic procedures.

Security is a tough business. It has a lot of moving parts, and is not for everyone.

Employ the Dee Hock rule: “Simple, clear purpose and principles give rise to complex and intelligent behavior. Complex rules and regulations give rise to simple and stupid behavior.”

Remember, you’re seeking buy-in from people who do not see security as part of their problem, so messaging matters. Plans that require long explanations (or worse, a manual!) will just get in the way of creating a culture of cybersecurity at work. Be mindful of this when adding administrative and physical controls.

Likewise, if your organization practices poor cyber hygiene and does not have a security-first mindset, don’t expect one to develop naturally. Practicing what you preach and maintaining good leadership matter if you want attitudes to change.

Demystification: Don’t Make People Feel Overwhelmed

Think of security as the running game in football. It’s not particularly exciting; it’s not overly complex; and it’s really a nose grind. But if you do it right and get three and a half yards per carry, you put points up every time you touch the ball. And unless you get cute or sloppy, your losses shouldn’t be more than a couple of yards. The running game has clear, simple purpose and principles. Sound familiar?

Like football, creating a cybersecurity culture is a team sport. People need to buy in or expect resistance. Don’t bog people down with complex terminology or constant “or else” warnings aimed at individuals. It becomes draining and people tune out. Rather, to make culture change stick, find points of common understanding, such as interruptions to business operations and the impact they would have.

If cybersecurity is perceived as a mystery, what do you think is going to happen? That people are going to line up and say “me first!” to buy in? Nope. They’re going to say, “no thanks, it’s your problem.”

It’s no different than any other culture issue an organization faces. You need to create a sense of belonging and understanding. If you want people to buy in, they need to understand the risks in a way that makes them feel like part of the team. One way to do that is to accurately convey to them the consequences of not having a culture of cybersecurity.

Key Points for Creating a Culture of Cybersecurity at Work

Do not single people out. It’s a last resort, one best done with extreme discretion. And, never pile on. Cybersecurity is touchy as it is. You don’t want people feeling like they are walking on eggshells constantly. For an individual to internalize an issue, you need to find answers to these questions, in a simple and clear manner:

  • What is being done?
  • Why is it being done?
  • What is the result of not doing it?
  • How does it impact the business?
  • How does it impact the individual?

Generalities rarely go over well when trying to emphasize the importance of security culture. Specificity, on the other hand, can work wonders. Here are a couple of examples of how all five questions can be answered in one shot.

  • As a law firm: we need to stop the BYOD policy and all work needs to be done on a corporate device, because of chain of custody issues. If we don’t, personal devices may be subpoenaed and confiscated. We don’t want your personal information being captured, as it may be admissible in a court of law.
  • As a research and development firm: all work must be done on the corporate network to thwart intellectual property theft attempts. If we cannot control all information on our private intranet, we risk losing years’ worth of research that we will not be able to monetize. The company will then have to shut down and our jobs will be lost.

Notice again: these are clear, simple purposes and principles. Use any of these statements on your staff and they immediately get it. Nothing is left to chance or misinterpretation. If you throw out generalities like “security concerns” or “the policy states,” don’t be surprised if you get a shrug back.

The Basics: Can’t Go Wrong with Some Good Oldies

The last piece of the puzzle is simply people doing the basics. Once you get buy-in for creating a culture of cybersecurity, use a cheat sheet of easy things that both your colleagues and you, as an organization, can do. Here’s a list to get you started:

  • Avoid suspicious websites.
  • Keep an eye on data traffic.
  • Make backups.
  • Don’t use networks you don’t know or own.
  • Update your devices often. Set a schedule to do this, even at the personal level.
  • Know how to use the tools you have at your disposal.
  • Don’t over-engineer.
  • Resist the temptation to be lax, because even one wrong move can be devastating.

Good security is no different than healthy eating or good training. You need to do it every day for it to work, and it’s the system that matters. Your entire pattern of behavior makes you stronger.

Keep in mind, these tips are geared toward the individual. Individual employees make up the ‘micro’ part of the cybersecurity culture and privacy challenges. The other part of the system, the ‘macro’ challenges, can be best addressed by using best practice frameworks on the managerial level and doing the things you should be doing, such as periodic assessments, penetration tests, risk posture reviews and regular monitoring.

Today’s realities mean some conveniences need to be re-evaluated. One stands out: use of personal devices and networks. Short version: don’t mix use. There may be a higher upfront cost to performing this separation, but in the long run, it may save you from that one incident that makes you go bust.

There is a possible bonus too: with today’s emphasis on work/life balance, you may get more people buying into a cybersecurity culture if they know that separation exists and will be respected.