Security culture matters now more than ever. Many of us work remotely, we rely on a growing number of apps, and the lines between personal and business use of devices and networks are blurred, all of which strains our cyber resilience. So despite all the great tools, frameworks and protective measures in place, we still need people doing what they can to help protect the larger network. These basic tips make a useful checklist for creating a culture of cybersecurity at work, regardless of employees’ level of security literacy.

What Goes Up, Must Come Down

Business today is astoundingly convenient. We can work off our phones, bring-your-own-device (BYOD) options are wide-ranging and we can work from anywhere with a solid internet connection. Those same conveniences helped fuel a meteoric rise in security-related technologies, such as artificial intelligence and monitoring capabilities. But if the cybersecurity culture concerns underneath are left unaddressed, those meteoric rises can become crashes and craters.

For this reason alone, employees must accept they have security responsibilities. Once they have done so, they have many ways to handle those responsibilities. Your organization can develop a cybersecurity culture relatively easily if you focus on the following: support your team, demystify security concerns, accurately convey the consequences and focus on the basics.

What is Cybersecurity Culture? 

It is organizational behavior 101: just like any other business function, you need to set up your team for success. Your best-laid plans will go to waste under over-engineered policies, jargon and procedures that are hard to understand or applied erratically.

Security is a tough business. It has a lot of moving parts, and is not for everyone.

Employ the Dee Hock rule: “Simple, clear purpose and principles give rise to complex and intelligent behavior. Complex rules and regulations give rise to simple and stupid behavior.” 

Remember, you’re seeking buy-in from people who do not see security as part of their problem, so messaging matters. Plans that require long explanations (or worse, a manual!) will just get in the way of creating a culture of cybersecurity at work. Be mindful of this when adding administrative and physical controls.

Likewise, if your organization practices poor cyber hygiene and lacks a security-first mindset, don’t expect one to develop naturally. Practicing what you preach and maintaining good leadership matter if you want attitudes to change.

Demystification: Don’t Make People Feel Overwhelmed

Think of security as the running game in football. It’s not particularly exciting; it’s not overly complex; and it’s really a grind. But if you do it right and get three and a half yards per carry, you put points up every time you touch the ball. And unless you get cute or sloppy, your losses shouldn’t be more than a couple of yards. The running game has clear, simple purpose and principles. Sound familiar?

Like football, creating a cybersecurity culture is a team sport. People need to buy in, or you should expect resistance. Don’t bog people down with complex terminology or constant “or else” threats aimed at individuals. It becomes draining and people tune out. Rather, find points of common understanding, such as what an interruption to business operations would mean for everyone, and build the culture change on those.

If cybersecurity is perceived as a mystery, what do you think is going to happen? That people are going to line up and say “me first!” to buy in? Nope. They’re going to say, “no thanks, it’s your problem.” 

It’s no different than any other culture issue an organization faces. You need to create a sense of belonging and understanding. If you want people to buy in, they need to understand the risks in a way that makes them feel like part of the team. One way to do that is to accurately convey to them the consequences of not having a culture of cybersecurity.

Key Points for Creating a Culture of Cybersecurity at Work

Do not single people out. It’s a last resort, one best done with extreme discretion. And never pile on. Cybersecurity is touchy as it is. You don’t want people feeling like they are walking on eggshells constantly. For an individual to internalize an issue, you need to give them answers to these questions, in a simple and clear manner:

  • What is being done?
  • Why is it being done?
  • What is the result of not doing it?
  • How does it impact the business?
  • How does it impact the individual?

Generalities rarely go over well when trying to emphasize the importance of security culture. Specificity, on the other hand, can work wonders. Here are a couple examples of how all five questions can be answered in one shot.

  • As a law firm: we need to end the BYOD policy, and all work needs to be done on a corporate device, because of chain-of-custody issues. If we don’t, personal devices may be subpoenaed and confiscated. We don’t want your personal information swept up in that, because anything on the device may end up in the court record.
  • As a research and development firm: all work must be done on the corporate network to thwart intellectual property theft. If we cannot control all information on our private intranet, we risk losing years’ worth of research that we will not be able to monetize. The company would then have to shut down and our jobs would be lost.

Notice again: these are clear, simple purposes and principles. Use any of these statements with your staff and they immediately get it. Nothing is left to chance or misinterpretation. If you throw out generalities like “security concerns” or “the policy states,” don’t be surprised if you get a shrug back.

The Basics: Can’t Go Wrong with Some Good Oldies

The last piece of the puzzle is simply people doing the basics. Once you have buy-in for creating a culture of cybersecurity, use a cheat sheet of easy things that both your colleagues and you, as an organization, can do. Here’s a list to get you started:

  • Avoid suspicious websites.
  • Keep an eye on data traffic, and report anything unusual rather than ignoring it.
  • Make backups, and check that you can actually restore from them.
  • Don’t use networks you don’t know or own.
  • Update your devices often. Set a schedule to do this, even at the personal level.
  • Know how to use the tools you have at your disposal.
  • Don’t over-engineer.
  • Resist the temptation to be lax, because even one wrong move can be devastating.

Good security is no different than healthy eating or good training. You need to do it every day for it to work, and it’s the system that matters. Your entire pattern of behavior makes you stronger.

Keep in mind, these tips are geared toward the individual. Individual employees make up the ‘micro’ part of the cybersecurity culture and privacy challenges. The other part of the system, the ‘macro’ challenges, can be best addressed by using best practice frameworks on the managerial level and doing the things you should be doing, such as periodic assessments, penetration tests, risk posture reviews and regular monitoring.

Today’s realities mean some conveniences need to be re-evaluated. One stands out: use of personal devices and networks. Short version: don’t mix use. There may be a higher upfront cost to enforcing this separation, but in the long run it may save you from the one incident that puts you out of business.

There is a possible bonus too: with today’s emphasis on work/life balance, you may get more people buying into a cybersecurity culture if they know that separation exists and will be respected.
