As cyberattacks become more prevalent and sophisticated, companies must put more faith in their employees to make sure they don’t put data at risk or fall victim to ransomware. But employees are busier than ever. And creating a cybersecurity culture at work becomes both more important and more challenging when employees work from home.

A strong company culture that runs throughout the organization can flow both into and out of the security operations center (SOC), encouraging workers to stay on top of security concerns as a matter of course.

For many organizations, especially in today’s uncertain economy, security is still an afterthought and undervalued. As the threat landscape becomes more grueling territory for the enterprise, companies can benefit from ensuring employees have some degree of threat awareness. A well-designed awareness program can generate large benefits and promote a healthy culture of cybersecurity.

Employees: The Weakest Link in the Security Chain

According to security expert and American cryptographer Bruce Schneier, security boils down to your worst employee. And, keeping employees up to speed on the importance of security can be a challenge. 

It’s only human to get caught up in daily workloads without giving much thought to security. Even before the age of ransomware, rampant malware and sophisticated threats, training employees on cybersecurity best practices was a challenge. And, many chief information security officers and security professionals still find the same concerns exist today. However, many companies are in a better position to build a cybersecurity culture throughout their organization.

In discussions surrounding awareness and culture, the best methods for promoting security awareness internally seem to include interesting, relevant and engaging programs that are promoted from the top down.

Training For a Culture of Cybersecurity

Sometimes it’s the unconventional methods of security training that produce the best results. Let’s face it: for most employees, the perception of security is that it can be tedious.

In 2019, Talking Rain Beverage Company started posting cybersecurity tips and tricks inside bathroom door stalls as a means of educating their team members. Additionally, employees who aced training received valuable awards, while others who failed to complete training had to work with their human resources team to get up to speed. Another successful component of Talking Rain’s security program put awareness to the test by leveraging real-world scenarios like sending employees mock phishing emails to see how they’d react.

Training aside, a great way to help employees is to let your software and network policies carry some of the security load. Simple strategies like forcing devices to lock automatically, deploying endpoint management software or using secure password management systems can work wonders. When the number of security-related decisions employees have to make on a given day is reduced, your company benefits.

Addressing most security headaches with helpful solutions and policies significantly reduces the pain points when it comes time to promote security awareness and culture.

However you choose to train your workforce, note that empowering your employees is critical. To change behavior, there must be actions behind the messaging. And, scaring people into security rarely works. Employees need to be shown the how and the why. If they don’t feel empowered, their investment in the program will be minimal.

Solutions like the well-respected KnowBe4 awareness training can go a long way toward helping you create a culture of cybersecurity at work.

Cybersecurity at Work Starts at the Top 

Perhaps above everything else, the most crucial element of an organization’s culture of cybersecurity is buy-in from top-level executives. Before any sort of awareness undertaking, C-suite executives should understand the company’s risk tolerance and categorize threat levels. 

One way to achieve this is to run red team/blue team exercises. For example, one team gets together to simulate an attack while the other must explain how they’ll defend against it.

For the security department, using scare tactics that won’t work on employees might just yield results with the C-suite. Getting top-level buy-in is easier if you can clearly convey the risks of a poor security awareness program. 

Cybersecurity Culture Do’s and Don’ts

If you’re unsure where to get started, the National Institute of Standards and Technology (NIST) has a great framework that can inform cybersecurity training and awareness. 

Additionally, here are 10 do’s and don’ts to follow:

  • Do use constructive and collaborative criticism to deal with users or employees who don’t adhere to your training program. 
  • Do test your employees more than quarterly, and preferably monthly. Monthly tests like a mock phishing campaign can reap large security rewards.
  • Do report program results to the C-suite (with easily digestible decks and graphs) as often as necessary.
  • Do allow for a simple process for employees to report suspicious emails.
  • Do use interactive training before testing your employees on anything.
  • Don’t be overly forceful or overbearing with the program.
  • Don’t forget to include managers, key stakeholders and relevant IT teams in the process.
  • Don’t use the same phishing test for each user or always send on the same day. 
  • Don’t start your awareness program with complicated concepts.
  • Don’t forget to remind everyone in your organization that a robust security culture extends beyond the office to help employees keep safe at home as well.

Now more than ever, IT decision-makers have their hands full with the current work-from-home movement, which doesn’t appear to be ending anytime soon. One thing that hasn’t changed and won’t change is that your employees are the last line of defense against threat actors.
