October 20, 2022

October is Cybersecurity Awareness Month, a reminder to organizations that they need to remain steadfast in protecting data and privacy against cybercriminals. This year’s theme, “Seeing Yourself in Cyber,” highlights the critical role that people and culture play in preventing cyberattacks.

The Federal Bureau of Investigation (FBI) reports that cybercrimes cost US companies $6.9 billion in 2021. More than 80% of the security breaches were caused by employees who exposed information directly or made a mistake enabling cybercriminals to access an organization’s systems, according to the Verizon 2022 Data Breach Investigations Report.

The statistics highlight the importance of ongoing employee education and training around data privacy and information security to strengthen a company’s security posture and to foster a culture where all employees are invested in promoting and adhering to cybersecurity best practices. 

Security is everyone’s business, not just the business of those with “security” in their job title. All employees should understand security best practices, including password selection, user access rights, installing updates, how to identify potential phishing emails, and company security processes and policies. Possessing this basic knowledge fosters a proactive security culture that serves as an employer’s front line of defense against potential threats and attacks.

Organizations can take four steps to ensure everyone understands that cybersecurity is a team effort. 

  1. Commit to ongoing education and awareness 

Keep employees informed of new or particularly prevalent threats, remind them of security procedures put in place to protect against these risks and their responsibility to remain vigilant and adhere to a company’s security protocols. Leverage training incorporating real-work scenarios, best practices and interactive exercises to capture the attention of employees and increase retention. Make helpful materials and resources easily accessible and ensure everyone on your team knows who to contact to report and respond to any potential or real attacks. 

  2. Explain the “why” behind security policies

Clearly explain the rationale behind a company’s security initiatives, including why they are important in employees’ job roles and the sustainability of the business. Be sure to include the impact on the company, its customers, the employees themselves and their colleagues. Answering “why” and “how” security policies are relevant to individuals builds trust and buy-in to accelerate the adoption of security behavior.

  3. Practice, practice, practice

Regularly practice security plans and behaviors to sharpen employees’ ability to identify the various tactics used by cybercriminals and apply the knowledge and behaviors they’ve learned in training. For example, test whether employees can recognize a phishing email and what steps they take. Following the test, send all employees best practices for avoiding malicious email to reinforce what to do the next time they encounter one.

  4. Approach security and privacy holistically

Understand how different teams and departments operate and intersect, and encourage communication and participation between colleagues to address cyber vulnerabilities and ensure information assets are protected. Privacy and data protection require everyone in a company to work closely together to defend against cybersecurity threats and satisfy compliance requirements, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Traliant Insight 

Creating a culture where all employees understand that cybersecurity is a shared responsibility increases an organization’s ability to recognize and prevent cyberattacks and mitigate their effects. Ongoing training and communication increase workforce awareness about the tactics cybercriminals use, reinforce best practices for defending against these threats and foster a pro-security attitude that enables individuals and organizations to respond quickly to security threats and vulnerabilities.



Mark Hudson