As cyberattacks become more prevalent and sophisticated, companies must put more faith in their employees to make sure they don’t put data at risk or fall victim to ransomware. But employees are busier than ever, and creating a cybersecurity culture at work becomes both more important and more challenging when employees work from home.

Creating a strong company culture throughout the organization can flow into and out of a security operation center (SOC), encouraging workers to stay on top of security concerns as a matter of course. 

For many organizations, especially in today’s uncertain economy, security is still an afterthought and undervalued. As the threat landscape evolves into a more grueling territory for the enterprise, companies can benefit from ensuring employees have some degree of threat awareness. A well-designed awareness program can generate large benefits and promote a healthy culture of cybersecurity. 

Employees: The Weakest Link in the Security Chain

According to security expert and American cryptographer Bruce Schneier, security boils down to your worst employee. Keeping employees up to speed on the importance of security can be a challenge.

It’s only human to get caught up in daily workloads without giving much thought to security. Even before the age of ransomware, rampant malware and sophisticated threats, training employees on cybersecurity best practices was a challenge. And, many chief information security officers and security professionals still find the same concerns exist today. However, many companies are in a better position to build a cybersecurity culture throughout their organization.

In discussions surrounding awareness and culture, the best methods for promoting security awareness internally seem to include interesting, relevant and engaging programs that are promoted from the top down.

Training For a Culture of Cybersecurity

Sometimes it’s the unconventional methods of security training that produce the best results. Let’s face it: for most employees, the perception of security is that it can be tedious.

In 2019, Talking Rain Beverage Company started posting cybersecurity tips and tricks inside bathroom door stalls as a means of educating their team members. Additionally, employees who aced training received valuable awards, while others who failed to complete training had to work with their human resources team to get up to speed. Another successful component of Talking Rain’s security program put awareness to the test by leveraging real-world scenarios like sending employees mock phishing emails to see how they’d react.

Training aside, a great way to help employees is to let your software and network policies carry some of the security load. Simple strategies like forcing devices to lock automatically, deploying endpoint management software or using secure password management systems can work wonders. When the number of security-related decisions employees have to make on a given day is reduced, your company benefits.

By addressing most security headaches with helpful solutions and policies, you significantly reduce the pain points when it comes time to promote security awareness and culture.

However you choose to train your workforce, note that empowering your employees is critical. To change behavior, there must be actions behind the messaging, and scaring people into security rarely works. Employees need to be shown the how and the why. If they don’t feel empowered, their investment in the program will be minimal.

Solutions like the well-respected KnowBe4 awareness training can go a long way toward helping you create a culture of cybersecurity at work.

Cybersecurity at Work Starts at the Top 

Perhaps above everything else, the most crucial element of an organization’s culture of cybersecurity is buy-in from top-level executives. Before any sort of awareness undertaking, C-suite executives should understand the company’s risk tolerance and categorize threat levels. 

One way to achieve this is to run red team and blue team style exercises. For example, one team simulates an attack while the other must explain how they would detect and defend against it.

For the security department, using scare tactics that won’t work on employees might just yield results with the C-suite. Getting top-level buy-in is easier if you can clearly convey the risks of a poor security awareness program. 

Cybersecurity Culture Do’s and Don’ts

If you’re unsure where to get started, the National Institute of Standards and Technology (NIST) has a great framework that can inform cybersecurity training and awareness. 

Additionally, here are 10 do’s and don’ts to follow:

  • Do use constructive and collaborative criticism to deal with users or employees who don’t adhere to your training program. 
  • Do test your employees more than quarterly, and preferably monthly. Monthly tests like a mock phishing campaign can reap large security rewards.
  • Do report program results to the C-suite (with easily digestible decks and graphs) as often as necessary.
  • Do allow for a simple process for employees to report suspicious emails.
  • Do use interactive training before testing your employees on anything.
  • Don’t be overly forceful or overbearing with the program.
  • Don’t forget to include managers, key stakeholders and relevant IT teams in the process.
  • Don’t use the same phishing test for each user or always send on the same day. 
  • Don’t start your awareness program with complicated concepts.
  • Don’t forget to remind everyone in your organization that a robust security culture extends beyond the office to help employees keep safe at home as well.

Now more than ever, IT decision-makers have their hands full with the current work-from-home movement, which doesn’t appear to be ending anytime soon. One thing that hasn’t changed and won’t change is that your employees are the last line of defense against threat actors.
