When I attended new employee orientation at a global technology company several decades ago, I remember very brief cybersecurity training. The gist was to contact someone in IT if we noticed any potential issues. While I was with the company, I only thought about cybersecurity when I passed the server room, and I could only peek into that locked, dark room full of machines when one of the tech guys opened the door. Back then, I always felt that it was someone else’s job to keep our data safe. Time and experience have changed the way I look at things.

Over the past year, I’ve spent a lot of time thinking about how to improve cybersecurity at businesses and agencies of all sizes. And research backs up my current assumption that companies are taking it seriously and passing on that message to employees.

Almost every suggestion and solution comes back to one key concept — use cybersecurity training to create a culture where everyone feels cyber safety is part of their job and has the knowledge to protect the company’s data, infrastructure and apps.

5 Components of a Cybersecurity Culture

Creating the right culture seems somewhat nebulous. Where can you find a concrete road map to help build a mindset of digital safety?

This Infosec report is a good place to start. It also lets you see where other companies stack up in terms of how mature they are in their digital defenses and culture.

These are the five domains outlined in the report — and what they mean:

  • Trust – Relationship between your workforce and your security practices and personnel
  • Responsibility – Employees’ perception of their roles in organizational security
  • Confidence – Likelihood that employees translate learned information and skills into secure behaviors
  • Engagement – Willingness of employees to get involved and apply resources and support
  • Outcome – Perceived consequences, meaning the impact employees believe an incident will have on the organization and their lives

Cybersecurity training that covers all of these domains will create an overall culture that encourages safety. By starting with building trust between IT and the employees, the culture moves from employees viewing cybersecurity as ‘big brother’ to a partnership.

Employees are then more likely to fully hear and take to heart the idea that they really hold the power to prevent or cause an attack that can have damaging outcomes. Once this trust is in place, cybersecurity training provides employees with confidence. This then translates into engagement, so employees can improve their behaviors.

3 Keys to Cybersecurity Training

That list provides a good foundation, but we still need tangible tasks to help companies build these five domains. Creating a new culture isn’t easy or an overnight fix. It’s a long process that comes from proactive and strategic changes.

Here are three actions companies can take to change their culture:

Make Cybersecurity Training Fun

Provide convenient and fun training. Employees should care about digital safety, understand how to prevent incidents and know what to do if they come across anything they find strange. You can’t achieve that with a boring, once-a-year lecture during the company meeting.

Instead, make a concerted effort to have an ongoing dialogue about these issues with every employee. By having human resources partner with IT, you may see improved training results.

When thinking about the right approach, look at your overall company culture and your employees’ needs. Consider using microlearning to keep the topic at the top of their minds in short bits.

Offer Goal Posts

One way to make cybersecurity culture engaging is to offer goalposts in the form of certifications. A key to repairing the skills gap is helping employees to land new collar careers by earning cybersecurity certifications.

By helping current employees to do this, you can help reduce skills gaps and also promote your own employees. Companies can also partner with K-12 schools to encourage cybersecurity education and even help high schoolers earn certifications.

Use AI Tools

Artificial intelligence (AI) tools can analyze the most up-to-date data and more quickly spot potential attacks. In addition, you can prioritize alerts so you know which ones aren’t relevant and which are critical.

Now that attackers are using AI tools to design and launch attacks, groups not using these tools are giving them a running head start. It’s challenging, if not impossible, to defend against these tools without using equal or better ones.

Making Cybersecurity Everyone’s Job

The greatest challenge is that you can only control your actions. Your employees need to really feel they each can make a difference.

There are many things that can encourage those feelings, such as publicly giving employees rewards for reporting issues, creating messaging to keep employees up to date on current threats and starting a secret shopping-style program to see which employees need more training on phishing schemes.

You can also share with employees how current breaches are affecting other companies, such as through layoffs and revenue losses. By seeing the impact that clicking on a single unknown link can have on so many people, employees often see how seemingly small actions play a big role.

In the end, you have to keep sharing the message and creating the right culture until your employees feel digital safety is part of their job. This doesn’t happen overnight. Or even in a year. You have to keep sharing the message and, most importantly, keep walking the walk.

By staying persistent and truly believing in your message, business and IT leaders can help employees have their own lightbulb moment when they see that they can make a difference. It’s then — and only then — that a company begins down the path of a cybersecurity culture.
