Cybersecurity impacts us all. Third parties process and handle data every day, whether they’re tapping your phone to pay via near-field communication (NFC) or processing a transaction while you pay your utility bill online. The importance of keeping your data private is growing every day: worldwide, cybercrime costs are expected to hit $10.5 trillion annually by 2025.
Cybersecurity becomes even more vital in the workplace: 95% of cybersecurity breaches list human error as a contributing factor. Threats aren’t going anywhere, but neither are the people in your workforce. This means that humans are the greatest threat in cybersecurity — but also one of our greatest defenses.
Most notably, however, 88% of breaches are caused by human error. This is vital to understanding how your organization’s employees can impact the business.
Through deeper education and by creating a culture of cybersecurity, companies can better safeguard against – and enable — their most necessary resource: their employees. Let’s dive into how to create a culture of cybersecurity so you can better arm your workforce for cybersecurity success.
How to create a culture of cybersecurity
What does “a culture of cybersecurity” actually mean?
A culture of cybersecurity is all about encouraging employees to take an active role in cybersecurity practices. The number of cyber threats grows every day, often deepening in complexity as threat actors become more advanced.
This means that your leaders and employees should also deepen their understanding of cybersecurity, too. Gone are the days when a simple check-the-box training would suffice. Now your most essential resource — your people — must also take an active role in protecting the company from cybercrime and attacks.
Best practices have changed, and we now have more generations in the workplace than ever before. Each generation sees different things: some might consider basic cyber hygiene as a normal habit, whereas others see it as a new concept they need to add to their workloads. It’s a balancing act to get everyone on board.
You might be asking: how do I get them to care?
The simple answer? Arm them with the resources they need to protect themselves from cyber threats. Cybersecurity culture starts at work, but it pays dividends at home as well, and often, the lines are blurred.
How your employees can take action to prevent cyber threats
You might be asking, how can I prevent my employees from becoming victims of cyber threats? Here are a few actions they can take:
Use passkeys and save them to a password manager
Passkeys are becoming more of the gold standard in securing online accounts. Saving them to a password manager or other authenticator is a great way to stay on top of each unique one. Additionally, implement multi-factor authentication to protect your online accounts as a backup. Multi-factor authentication prevents threat actors from getting into your private accounts, helping you stay secure by confirming your identity.
Engage in security awareness training
Security awareness training is vital to modern organizations. As our digital footprints continue to grow, so does the need for security training. Ensure that your training is culturally sensitive. Unsurprisingly, a lack of diversity and energy doesn’t work well with a lot of companies, but it is often the reality of the solution being sold. A training focusing on predominantly white male speakers may resonate less than a more diverse cast of characters, much like the real world. Your employees are diverse, so why shouldn’t your security training be too?
Use strong, unique passphrases for each service and website
Fluffy123 may have been an okay password in the 2000s (Who are we kidding? Not even then), but modern times call for modern solutions. These days, passphrases are preferable to passwords, because if you have to type it, it’s not quite as bad as randomly generated passwords. If the website or app you’re using doesn’t support passphrases, use a password manager to generate long, unique, and secure passwords using letters, numbers, and symbols. Make sure you have unique passwords for each website and app.
How can you foster a cybersecurity culture?
When staff understand how their actions impact the company’s security, they’re more likely to take it seriously. Therefore, fostering a culture of cybersecurity is vital to amplify your security measures and help employees understand the importance of cybersecurity awareness.
To foster a cybersecurity culture, you must first communicate with your employees how cybersecurity directly benefits them.
- How does this make their jobs easier and faster?
- In what ways does this benefit your employees?
- What measures are currently in place, and how do they affect employees at your organization?
- Which cybersecurity aspects are most important to your employees?
Building a culture of cybersecurity relies on understanding your organization’s culture, then its people, and then organizational change management. From there, you can begin to build out your culture of cybersecurity awareness by adding employee education and engagement into the mix.
Of course, no culture is sustained by employees alone. Leadership should support and encourage a security-minded culture. By demonstrating security culture from the top down, you can get executive buy-in while also serving as a persuasive case for why all staff should be security-minded in their actions.
Getting your business stakeholders to act by unifying your workflows
The most essential piece to building a culture of cybersecurity at your organization is bringing your workflows into one place. Stakeholders across your company are likely using disparate tools to do their part, which means they struggle to understand their action items and how to provide evidence. Hyperproof has bi-directional task integrations with popular project management systems including Jira, ServiceNow, and Asana that help GRC professionals to create tasks and assign them in Hyperproof. This helps centralize your cybersecurity work while working harmoniously with the rest of your organization in the tools they already love.
Task assignees receive notifications in their current project management system, complete their tasks in their tool of choice, and then updates to proof are synced automatically to Hyperproof.
With Hyperproof’s task management tools, IT, security and GRC professionals can:
- Eliminate the need to log into multiple systems to collect and verify information
- Create a harmonious and uninterrupted work environment for everyone
- Manage compliance tasks efficiently
- Reduce miscommunications and the risk of missed tasks
With Hyperproof, you can automate your critical workflows across all of your frameworks, from evidence collection, task reminders, and task assignments to real-time reporting so you can have clarity on who does what at all times.
Aligning business objectives to cybersecurity initiatives
When it comes to motivating your stakeholders to do their security-related work, you need to shift tactics entirely. They should still be trained and celebrated for their security successes, but motivating them to complete tasks comes from a different perspective: your business objectives and goals.
Stakeholders can better understand the nuances of security practices by connecting their actions to revenue. Without complying with industry and market regulations, the business would cease to operate, thus negatively impacting revenue goals and targets. Highlight the importance of keeping the business operating to persuade them to complete their training and security work on time. Our customer, Appian, understands this connection and nurtures it from within their organization.
Appian can more effectively expand into new and emerging markets by complying more easily with regulatory requirements across regions, all by using Hyperproof. By using the platform, Appian can focus instead on innovation and growth while doing away with tedious compliance and risk management processes.
Sometimes, your ability to close new business relies on adhering to certain regulatory frameworks. Adding new frameworks and programs only compounds upon the amount of work that stakeholders do day-to-day. However, by understanding that compliance is a business accelerator, they can begin to see that frameworks unlock new opportunities and markets, and they do not exist simply to bog them down with seemingly unnecessary administrative work.
Maintaining compliance helps open up new markets and expand your business. A company expanding into the EU will need to be GDPR compliant to onboard EU customers, so GDPR compliance should become a key part of your business strategy.
Your stakeholders should come to understand themselves as key actors in keeping your company safe, secure, and operating. By completing their security work, they can keep projects on track and help information security teams accomplish more through real partnerships instead of adversarial interactions.
It’s important to identify key champions and potential detractors and get them involved early on, as they are the hidden actors inside your organization that will either evangelize progress or hinder change. A favorite strategy of our InfoSec team is to recruit or appoint voices of dissent into supporting roles with visibility.
Tips to improve your cybersecurity culture
1. Provide interactive security training
Use interactive training to educate your staff on the basics and intermediate functions of cybersecurity. Make sure they know how to identify phishing, smishing, social engineering, and other types of cyber threats and attacks. Educate your employees about password management, including strong, unique passwords, avoiding password reuse, and implementing multi-factor authentication (MFA).
Knowing how to safely use and navigate the internet is vital. By recognizing malicious websites and downloads, maintaining responsible browsing habits on work devices, and properly handling attachments and links in emails, employees can become educated citizens of the net, mitigating a major risk for your organization: human error.
For those in certain industries who handle personally identifiable information (PII), protected health information (PHI), or other regulated sensitive information, consider holding additional data handling training.
What makes cybersecurity training interactive?
Include real-life examples and scenarios that your employees will find relatable or relevant to their work. Additionally, use case studies to provide extra context, including setting up a situation or business case and demonstrating good or bad security practices.
A case study might set up a situation where a Fortune 500 company has identified an incident due to a physical security breach. These often happen when employees let strangers into offices or other facilities. It’s important to make sure everyone on site has their own valid ID that allows them access, so maybe think twice before holding the door open as a common courtesy in these situations.
To keep stakeholders and employees on their toes, you can use interactive quizzes to ensure they have been paying attention and listening to the security training. At Hyperproof, we utilize security training for all employees, with videos and quizzes to keep our staff engaged. We also have implemented systems for educating employees about regulatory and HR compliance that provide relevant situations, check-ins, and more.
If budget and resources allow, provide simulations to your staff so they can get hands-on experience interacting with and countering threat actors and social engineering attacks. A simulation might demonstrate how to effectively identify phishing or smishing attempts. By having your employees interact with an email message, they get the opportunity to connect the training with real-life experiences we’ve all had.
By providing immersive learning experiences, you will empower and better prepare your staff to recognize and respond to actual threats.
2. Regularly refresh your training with updated examples
Making your training relevant and timely is to keep it top of mind for your employees. If a breach or cyber attack makes the news, you might notice increased awareness of security practices. By timing your training well — like after a big cybersecurity story breaks or during an employee’s work anniversary — you can keep building your cybersecurity culture.
3. Gamify your cybersecurity training
Have some overly competitive colleagues? Gamifying your training may work to your benefit. By introducing leaderboards, prizes, badges, and more to your security training, you can activate the parts of your employees’ brains wired for competition.
Gamification transforms cybersecurity education into an engaging experience, fostering a sense of accomplishment and personal accountability for maintaining strong security practices. This approach not only makes learning more enjoyable but also motivates employees to actively participate in safeguarding the organization’s digital assets.
90% of employees say that gamification makes them more productive at work. Thankfully, according to Zippia, 61% of U.S. employees receive training with gamification at work. If you’re not gamifying your training, it may be time to look into it.
4. Reward and recognize contributors
It’s time to celebrate your biggest cybersecurity contributors. By recognizing employees for their hard work, you can establish a more cohesive culture that supports and rewards their security efforts. With a recognition program, you can highlight the top security-minded staff members who prioritize training and get them done before anyone else.
5. Celebrate internal champions
Internal champions can be a thriving part of your cybersecurity culture, serving as an aspirational goal for certain stakeholders. By celebrating your champions publicly, you can help inspire employees to take proactive steps to improve their own cybersecurity posture so that they may be recognized, too.
6. Connect professional and personal security
A common tactic for understanding the behavior of other people is the “what’s-in-it-for-me” strategy (WIIFM). How will being security aware help your staff in their day-to-day lives, even beyond their nine-to-five?
A real-world example of why security training matters
Cybersecurity training has helped prevent cyberattacks in employees’ personal lives. One Hyperproof employee completed cyber training in a previous role. The training covered phishing attacks with advanced social engineering: the threat actor would call their phone and pretend to be someone needing remote access to their device. From there, the social engineer would then brick the device and steal all of their data, including their banking information.
Two days later, a so-called Microsoft “employee” contacted the individual who had just gone through this security training, saying he needed remote access to their personal laptop to fix a “critical issue.” The threat actor used all of the tactics laid out by the security training: a sense of urgency, spoofing a phone number that looked like it could come from Microsoft, offering credible-sounding Microsoft credentials, and treating the employee incredulously when not immediately giving them the information they wanted.
This employee was incredibly lucky that they had just completed this training. At the time of this phishing attempt, this approach was relatively new and emerging. The employee may have fallen for it otherwise, but because of their work security training, they were able to deflect and avoid the attack.
Make cybersecurity a natural part of everyday work
As you build a culture of cybersecurity that enables your employees to succeed, you’ll find that simple cybersecurity steps and strategies each day are what keep the company safe in the long run. Not opening risky emails or attachments, reporting phishing and smishing attempts immediately, and communicating openly are some of the best ways to keep the organization secure.
By implementing the strategies we’ve outlined, organizations can begin to create a comprehensive approach to fostering a culture of cybersecurity that engages employees at all levels and makes security a shared responsibility throughout the company.
Monthly Newsletter