Cybersecurity is about continuous risk management. It's a process of identifying and understanding the risks you're going to face daily as you work with technology, and then figuring out what actions you can take to mitigate them.
But great cybersecurity isn’t made in isolation. It’s not a task solely meant for the IT or security teams. Nor is it just about implementing the latest and greatest cybersecurity tools and techniques.
Building a security-aware culture at work requires a comprehensive approach that involves employees at all levels of the organization. Every person plays a pivotal role in reducing risk and fostering a security-aware culture can empower employees to excel in that role.
So, what exactly does a security-aware culture look like, and how can you implement one today? Well, you should always start at the top.
Start at the top
It’s important to have a dedicated cybersecurity leader—someone to lead or spearhead cybersecurity in your organization.
And by “dedicated leader” we don’t mean you need to immediately hire a Chief Information Security Officer. Your chosen leader might already wear a couple of different hats, especially among smaller organizations with limited resources, but has an interest in security or experience in a related field.
Whichever way you go about it, this works for two reasons.
One, it creates accountability. When somebody has cybersecurity written into their job description, it’s going to be more of a priority. Two, it sends a message to the rest of the company and other companies you work with that you take cybersecurity seriously.
Continuously raise awareness
To make cybersecurity a part of your culture, it requires more than just an annual email reminding employees about common signs of a phishing attempt.
It’s a good idea to start strong quickly. Make cybersecurity awareness a part of your onboarding function by walking through any previous cybersecurity incidents or recurring phishing emails that employees receive. For example, let them know that the CEO will never email them about gift cards.
Making new employees aware of what you're seeing helps them understand both what they might encounter, and what's expected of them. If you come out saying cybersecurity is important to this company and it's something we need to take seriously to grow, then you're empowering that employee to prioritize taking the time to make good decisions.
And then, continue the awareness. If you use a collaborative messaging app, for example, start a group chat where employees are encouraged to share if they received a phishing email. Chances are, another employee received the same malicious message, and a timely warning could prevent an incident.
This could even be a good place to post news articles about cybersecurity incidents occurring to similar organizations. This helps to normalize the idea that it could happen to you and there is a need for constant vigilance.
Set expectations clearly
When it comes to good cybersecurity, the people component is huge. Employers need to enable their people to make good decisions in bad situations.
One of the ways that you can do that is by letting staff know that you’ve created a culture where they're not going to be penalized if they need to take time to pause and confirm whether an email, for example, is legitimate.
Email hijacking is becoming more and more common. Threat actors are getting on a client's system, analyzing entire email relationships, having all that information, and then planting the seeds to try to get money from the individual or passwords or whatnot.
So, you need to make sure that your employees are given the space to decide whether something seems suspicious. We recommend encouraging employees to take the time to pick up the phone and call the person on the other end of the email when something seems out of place. It only takes a few minutes and shows that your company takes cybersecurity seriously and has been trained well.
Let policies pave the way
One incredibly important, yet affordable, way to foster a security-aware culture is through policies and processes. Policies take time but not a lot of money, making them a great option for budget-conscious organizations.
Create an acceptable use policy so employees understand what’s okay—and what’s not—while using corporate equipment. Implement a password creation and management policy in which you encourage the use of password managers.
But, when it comes to policies, consider the Goldilocks Principle. If you have too much security in place, it becomes a barrier to productivity. You have too little security in place and you're just more vulnerable.
So, you have to find the perfect middle, and what that looks like differs across organizations.
Don’t just train, explain
Wherever your Goldilocks middle is, make sure that employees know why you’re asking these things of them. If someone is already busy and you’re adding another task to their day—be it implementing multifactor authentication or setting up and using a virtual private network—you might be met with resistance.
So, if you’re asking for more, explain why. Taking MFA as an example, let employees know that Microsoft recently conducted a major study and found that MFA reduces 99% of cyberattacks. For only a few minutes out of their day, we could avoid a major incident that could have serious detrimental effects on the organization.
Refine, refine, refine
Much like cybersecurity itself, building a security-aware culture is a continuous process.
For example, new threats are emerging all the time. While it still may be smart to remind employees that princes will not urgently reach out for money, there are other highly sophisticated phishing campaigns that they should be aware of too.
Similarly, an acceptable use policy from 2015 might not be as comprehensive as organizations need today—particularly those that embrace hybrid or remote workplaces.
By keeping cybersecurity policies up to date and fine-tuning them regularly, businesses can stay protected against the latest cyber threats, avoid legal complexities, and maintain a strong security posture.