When I attended new employee orientation at a global technology company several decades ago, I remember very brief cybersecurity training. The gist was to contact someone in IT if we noticed any potential issues. While I was with the company, I only thought about cybersecurity when I passed the server room, and I could only peek into that locked, dark room full of machines when one of the tech guys opened the door. Back then, I always felt that it was someone else’s job to keep our data safe. Time and experience have changed the way I look at things.

Over the past year, I’ve spent a lot of time thinking about how to improve cybersecurity at businesses and agencies of all sizes. And research backs up my current assumption that companies are taking it seriously and passing on that message to employees.

Almost every suggestion and solution comes back to one key concept — use cybersecurity training to create a culture where everyone feels cyber safety is part of their job and has the knowledge to protect the company’s data, infrastructure and apps.

5 Components of a cybersecurity culture

Creating the right culture seems somewhat nebulous. Where can you find a concrete road map to help build a mindset of digital safety?

This Infosec report is a good place to start. It also lets you see where other companies stack up in terms of how mature they are in their digital defenses and culture.

These are the five domains outlined in the report — and what they mean:

  • Trust – Relationship between your workforce and your security practices and personnel
  • Responsibility – Employees’ perception of their roles in organizational security
  • Confidence – Likelihood that employees translate learned information and skills into secure behaviors
  • Engagement – Willingness of employees to get involved and apply resources and support
  • Outcome – Perceived consequences measure the impact employees believe an incident will have on the organization and their lives.

Cybersecurity training that covers all of these domains will create an overall culture that encourages safety. By starting with building trust between IT and the employees, the culture moves from employees viewing cybersecurity as ‘big brother’ to a partnership.

Employees are then more likely to fully hear and take to heart the idea that they really hold the power to prevent or cause an attack that can have damaging outcomes. Once this trust is in place, cybersecurity training provides employees with confidence. This then translates into engagement, so employees can improve their behaviors.

3 Keys to cybersecurity training

That list provides a good foundation, but we still need tangible tasks to help companies build these five domains. Creating a new culture isn’t easy or an overnight fix. It’s a long process that comes from proactive and strategic changes.

Here are three actions companies can take to change their culture:

Make cybersecurity training fun

Provide convenient and fun training. Employees should care about digital safety, understand how to prevent it and what to do if they come across anything they find strange. You can’t do that in a once-a-year, boring lecture during the company meeting.

Instead, make a concerted effort to have an ongoing dialogue about these issues with every employee. By having human resources partner with IT, you may see improved training results.

When thinking about the right approach, look at your overall company culture and your employees’ needs. Consider using microlearning to keep the topic at the top of their minds in short bits.

Offer goal posts

One way to make cybersecurity culture engaging is to offer goalposts in the form of certifications. A key to repairing the skills gap is helping employees to land new collar careers by earning cybersecurity certifications.

By helping current employees to do this, you can help reduce skills gaps and also promote your own employees. Companies can also partner with K-12 schools to encourage cybersecurity education and even high schoolers earning certifications.

Use AI tools

Artificial intelligence (AI) tools can analyze the most up-to-date data and more quickly spot potential attacks. In addition, you can prioritize alerts so you know which ones aren’t relevant and which are critical.

Now that attackers are using AI tools to design and launch attacks, groups not using these tools are giving them a running head start. It’s challenging, if not impossible, to defend against these tools without using equal or better ones.

Making cybersecurity everyone’s job

The greatest challenge is that you can only control your actions. Your employees need to really feel they each can make a difference.

There are many things that can encourage those feelings, such as publicly giving employees rewards for reporting issues, creating messaging to keep employees up to date on current threats and starting a secret shopping-style program to see which employees need more training on phishing schemes.

You can also share with employees how current breaches are affecting other companies, such as layoffs and revenue losses. By seeing the impact that clicking on a single unknown link can have on so many people, employees often see how seemingly small actions play a big role.

In the end, you have to keep sharing the message and creating the right culture until your employees feel digital safety is part of their job. This doesn’t happen overnight. Or even in a year. You have to keep sharing the message and, most importantly, walking the walk.

By staying persistent and truly believing in your message, business and IT leaders can help employees have their own lightbulb moment when they see that they can make a difference. It’s then — and only then — that a company begins down the path of a cybersecurity culture.

More from Application Security

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today