As cyberattacks become more prevalent and sophisticated, companies must rely more on their employees to keep data safe and to avoid falling victim to ransomware. But employees are busier than ever, and creating a cybersecurity culture at work becomes both more important and more challenging when employees work from home.

A strong security culture throughout the organization both feeds and is fed by the security operations center (SOC), encouraging workers to stay on top of security concerns as a matter of course.

For many organizations, especially in today’s uncertain economy, security is still an afterthought and undervalued. As the threat landscape grows harsher for the enterprise, companies benefit from ensuring employees have some degree of threat awareness. A well-designed awareness program can generate large benefits and promote a healthy culture of cybersecurity.

Employees: The Weakest Link in the Security Chain

According to security expert and American cryptographer Bruce Schneier, security boils down to your worst employee. Keeping employees up to speed on the importance of security can be a challenge.

It’s only human to get caught up in daily workloads without giving much thought to security. Even before the age of ransomware, rampant malware and sophisticated threats, training employees on cybersecurity best practices was a challenge, and many chief information security officers and security professionals still see the same problems today. However, many companies are now in a better position to build a cybersecurity culture throughout their organization.

In discussions of awareness and culture, the methods that work best for promoting security awareness internally are interesting, relevant and engaging programs that are promoted from the top down.

Training For a Culture of Cybersecurity

Sometimes it’s the unconventional methods of security training that produce the best results. Let’s face it: most employees perceive security training as tedious.

In 2019, Talking Rain Beverage Company started posting cybersecurity tips and tricks inside bathroom door stalls as a means of educating their team members. Additionally, employees who aced training received valuable awards, while others who failed to complete training had to work with their human resources team to get up to speed. Another successful component of Talking Rain’s security program put awareness to the test by leveraging real-world scenarios like sending employees mock phishing emails to see how they’d react.

Training aside, a great way to help employees is to let your software and network policies carry some of the security load. Simple measures like forcing devices to lock automatically, deploying endpoint management software or using a secure password manager can work wonders. When the number of security-related decisions employees have to make on a given day is reduced, your company benefits.

When most security headaches are already addressed by helpful tools and policies, there are far fewer pain points left to deal with when it comes time to promote security awareness and culture.

However you choose to train your workforce, note that empowering your employees is critical. To change behavior, there must be actions behind the messaging, and scaring people into security rarely works. Employees need to be shown the how and the why. If they don’t feel empowered, their investment in the program will be minimal.

Solutions like KnowBe4’s well-respected awareness training can go a long way toward helping you create a culture of cybersecurity at work.

Cybersecurity at Work Starts at the Top 

Perhaps above everything else, the most crucial element of an organization’s culture of cybersecurity is buy-in from top-level executives. Before any sort of awareness undertaking, C-suite executives should understand the company’s risk tolerance and categorize threat levels. 

One way to achieve this is to run red team/blue team exercises. For example, one team simulates an attack while the other must explain how it will detect and defend against it.

For the security department, the scare tactics that won’t work on employees might just yield results with the C-suite. Getting top-level buy-in is easier if you can clearly convey the risks of a poor security awareness program.

Cybersecurity Culture Do’s and Don’ts

If you’re unsure where to get started, the National Institute of Standards and Technology (NIST) has a great framework that can inform cybersecurity training and awareness. 

Additionally, here are 10 do’s and don’ts to follow:

  • Do use constructive and collaborative criticism to deal with users or employees who don’t adhere to your training program. 
  • Do test your employees more than quarterly, and preferably monthly. Monthly tests like a mock phishing campaign can reap large security rewards.
  • Do report program results to the C-suite (with easily digestible decks and graphs) as often as necessary.
  • Do allow for a simple process for employees to report suspicious emails.
  • Do use interactive training before testing your employees on anything.
  • Don’t be overly forceful or overbearing with the program.
  • Don’t forget to include managers, key stakeholders and relevant IT teams in the process.
  • Don’t use the same phishing test for each user or always send on the same day. 
  • Don’t start your awareness program with complicated concepts.
  • Don’t forget to remind everyone in your organization that a robust security culture extends beyond the office to help employees keep safe at home as well.
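The list above turns into a concrete monthly routine: every employee gets a different lure from the one they saw last time, send dates are spread over the month rather than landing on the same Tuesday, nobody in the same department receives the same lure on the same day (so a warning shouted across the desk cannot skew the numbers), and the results feed a per-department scorecard for the C-suite. The following scheduler is an added example written for this article, not code from the original page or from any vendor product; the roster, template names and outcomes are constructed, and the rules it enforces are assumptions drawn from the do’s and don’ts rather than a standard.

```python
"""Monthly mock-phishing scheduler and scorecard.

Added example, not code from the original article: the roster, lure
template names and outcomes below are constructed for illustration.
"""
import random
from collections import defaultdict
from datetime import date, timedelta

# Constructed roster. "last_template" is the lure each person received last
# month, so this month's pick can be forced to differ (None = never tested).
EMPLOYEES = [
    {"id": "u001", "dept": "finance", "last_template": "invoice"},
    {"id": "u002", "dept": "finance", "last_template": "password-reset"},
    {"id": "u003", "dept": "finance", "last_template": None},
    {"id": "u004", "dept": "finance", "last_template": "shared-document"},
    {"id": "u005", "dept": "engineering", "last_template": "delivery-notice"},
    {"id": "u006", "dept": "engineering", "last_template": "invoice"},
    {"id": "u007", "dept": "engineering", "last_template": None},
    {"id": "u008", "dept": "engineering", "last_template": "hr-policy"},
]

# Constructed lure catalogue (hypothetical template names).
TEMPLATES = ["invoice", "password-reset", "shared-document",
             "delivery-notice", "hr-policy"]


def business_days(year, month):
    """All Monday-to-Friday dates in the given month, in calendar order."""
    day = date(year, month, 1)
    days = []
    while day.month == month:
        if day.weekday() < 5:
            days.append(day)
        day += timedelta(days=1)
    return days


def plan_campaign(employees, templates, year, month, seed=None):
    """Assign every employee a lure and a send date for one month.

    Rules enforced (assumptions for this example):
      * the lure differs from the one the employee got last time;
      * send dates are spread at random over the month's business days;
      * no two people in the same department get the same lure on the
        same day.
    A seed makes the plan reproducible for auditing.
    """
    rng = random.Random(seed)
    days = business_days(year, month)
    used = set()  # (dept, template, send_on) combinations already handed out
    plan = []
    for emp in employees:
        choices = [t for t in templates if t != emp.get("last_template")]
        for _ in range(200):
            template = rng.choice(choices)
            send_on = rng.choice(days)
            if (emp["dept"], template, send_on) not in used:
                break
        else:
            raise ValueError("no unused lure/date combination left for %s" % emp["id"])
        used.add((emp["dept"], template, send_on))
        plan.append({"id": emp["id"], "dept": emp["dept"],
                     "template": template, "send_on": send_on})
    return plan


def summarize(plan, outcomes):
    """Per-department scorecard for the monthly C-suite report.

    outcomes maps employee id -> "reported" (used the report-phish button),
    "clicked" (followed the link) or "ignored"; anyone missing counts as
    "ignored". Report rate is the number leadership should watch climb.
    """
    by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for entry in plan:
        stats = by_dept[entry["dept"]]
        stats["sent"] += 1
        outcome = outcomes.get(entry["id"], "ignored")
        if outcome in ("clicked", "reported"):
            stats[outcome] += 1
    for stats in by_dept.values():
        stats["click_rate"] = round(stats["clicked"] / stats["sent"], 2)
        stats["report_rate"] = round(stats["reported"] / stats["sent"], 2)
    return dict(by_dept)


if __name__ == "__main__":
    campaign = plan_campaign(EMPLOYEES, TEMPLATES, 2023, 10, seed=7)
    for entry in campaign:
        print("%s  %-12s %-16s %s" % (entry["id"], entry["dept"],
                                      entry["template"], entry["send_on"]))
    # Constructed outcomes for the demo run.
    demo_outcomes = {"u001": "clicked", "u002": "reported", "u003": "reported",
                     "u005": "reported", "u006": "reported",
                     "u007": "reported", "u008": "reported"}
    for dept, stats in summarize(campaign, demo_outcomes).items():
        print(dept, stats)
```

The seed is the one operational detail worth keeping: a reproducible plan lets you show an auditor or a sceptical manager exactly who was due to receive what and when, while a fresh seed each month keeps the schedule unpredictable to employees.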

Now more than ever, IT decision-makers have their hands full with a work-from-home movement that doesn’t appear to be ending anytime soon. One thing that hasn’t changed and won’t: your employees are the last line of defense against threat actors.
