Contact us: +45 32 67 26 26

The Ultimate Guide To A Strong Security Culture

Sarah Hofmann
By: Sarah Hofmann Cyber Security | 6 December

With 95% of cybersecurity breaches caused by human error, a strong security culture is the foundation of a secure organisation. But what is a security culture? We’ll tell you in a minute, but we can promise that a strong culture keeps employees motivated to practice good IT security habits and makes a security incident less likely. The problem is that getting people to care about IT security is hard, which means that many organisations have room to grow their security cultures.  

We’ve done a lot of research about company culture and security habits, and now we’re sharing everything that science and research tell us with you - in this ultimate security culture guide. Keep reading to find out what it means to have a strong security culture, why it’s important, what things can impact a security culture, and how you can improve the security culture in your organisation.

Table of contents

The human element of cybersecurity is underestimated 

Before we go forward, I want to make sure you know why we are here. Let’s start out with two different statistics: 

  • 95% of security breaches are caused by human error 
  • Only 3% of total IT security spending goes towards security awareness training for employees  

You might look at these two facts and be a little confused. It doesn’t make sense that companies spend so little on human behavior, when human error is the number one reason for security breaches.  

Human behavior can be your greatest weakness or defense when it comes to IT security. We believe that building a strong security culture is a way to transform your staff into a human firewall. And the best part is that building a security culture does not have to break the bank. In fact, small changes can make a big difference. So, come along, and take the next steps towards a better security culture.

What is a security culture? 

Let’s start with the basics: culture in general 

When you think of the word “culture,” you likely have a good understanding of what it means. When people in a group exchange their beliefs, values, and behaviors with others, a group culture is formed. You can see the group’s culture by their attitudes and priorities.  

Having a strong culture is desirable because it can make people at a company feel connected to one another and increase their job satisfaction. The same goes for cybersecurity cultures. But what exactly is a security culture? Let’s dig into that now.

A security culture is a group’s attitudes and behaviors about IT security 

Just like any other group of people, an organisation or office has its own culture. For example, some workplace cultures encourage collaboration and flexibility. A security culture within an organisation is just one part of an organisation’s culture, but it matters! It describes how the employees and the organisation think about, value, prioritize, and behave when it comes to cybersecurity. This culture is always evolving and takes work to improve and maintain. It’s formed by the constant interaction between employees’ own beliefs and behaviors about security and the organisation’s security goals, policies, and priorities. 

Having a strong security culture means that both the organisation and the employees who work there believe security is important and behave in ways that promote good IT security. It means that security is a regular part of everyone’s work life and is a normal part of the conversation at work.    

If you’re reading this and thinking “I can’t remember the last time I heard people in my office casually talking about IT security,” then it’s probably time to invest in strengthening your security culture. Later on, we’ll give you some simple and practical tips on how to do this.  

An organisation’s security culture influences individual behavior 

Culture flows in two directions. It flows from the group to the individual, because company norms affect employee attitudes. It also flows from the individual to the group, as employees’ own feelings and behaviors can be seen and copied by others in the company. We know, it’s complicated! But since people often act how they are expected to, a strong security culture has a big impact on employee behavior. For example, take a look at these examples of how an employee might act in a company with a good security culture versus a bad security culture. 

An employee at a company with a good security culture is more likely to: 
  • Regularly practice good digital habits 

  • Know that they are responsible for the security of their organisation 

  • Discuss security topics with their colleagues and report incidents appropriately 

  • Warn their colleagues about suspicious emails or other threats 

  • Understand security threats and proactively reduce the likelihood of these threats 

  • Follow the IT security policy 

An employee at a company with a weak security culture is more likely to: 
  • Share or reuse passwords 

  • Download dangerous software, like malware, from the internet 

  • Click on phishing links or attachments or fill in sensitive information  

  • Connect to public, unprotected Wi-Fi on their work devices at busy places like airports 

  • Expose the company to a security breach 

  • Not recognize and/or fail to report security incidents to the IT department 

A strong security culture can make a big difference in how digitally secure a company is, as you can see from the typical behaviors above. We’ve talked about what a security culture is and what it looks like in an organisation. But why is it important to have a security culture in the first place? That’s what we’re going to talk about next.

Why having a strong security culture is important 

A strong security culture is important because human error causes 95% of security breaches in organisations. With that kind of statistic, it just makes sense to focus on human behavior.  

Having a strong security culture can motivate employees to take security seriously, understand the threats, and practice good IT security habits. A security culture lets employees know that security should be on their minds and gives employees the support they need to prioritize security in their work. It also helps employees feel comfortable talking about security issues with others in the office

Security is everyone’s responsibility 

Companies that have strong security cultures are made up of employees who understand the security risks and take steps to avoid them. You might be thinking,  

“if everybody knows about security risks, then what’s the point of having the IT department to keep a company safe?”  

Well, we don’t think that all employees need to be IT experts – the IT expertise should definitely be left to the IT team! But it’s important that all staff have a general awareness of threats so that they can spot dangerous situations and bring in expert help from the IT team when it’s needed. Having a good security culture is not about making everybody into cybersecurity experts. Rather, it’s about making every employee able to see when the experts need to be called in for help with a problem.

You are important

A way to avoid security breaches 

When all employees are aware of security risks, they can react before a potential issue becomes a security breach. So, these companies are less likely to experience a serious security breach. These employees are also likely to call in the IT team for help at the early stages of a security incident, meaning that if they do experience a breach, they are able to recover much faster, due to open communication about IT threats and a culture of reporting incidents quickly with no shame or blame.  

Reducing the risk of a security breach is a good reason to have a strong security culture. Data breaches are extremely costly to businesses across the world. The high cost of experiencing a breach is something that no company wants to face, but security incidents are on the rise. Fostering a strong security culture with aware employees is the best way to defend your company against a breach.

It’s just like your own alarm system for health issues 

You can think of the everyday employee’s IT awareness the way you might think about your own knowledge of health problems compared to your doctors’. Chances are that you don’t have extensive medical knowledge about different kinds of illnesses, what their symptoms are, and how they are treated. But you do know when something is off in your body. And you probably have family and friends who can tell you “You don’t look so good today – you're really pale. Maybe you should see a doctor.” So, even though you don’t know exactly what is causing your headache and sore throat, you know when you should go to your helpful doctor. You also know that you should eat a balanced diet to support good health and protect your body from coming down with an illness.  

 

It’s the same thing with security! All employees don’t have to know the complex details about technical security systems. They just need to know what signs to look out for, like the signs of a phishing email, and what practices they should follow daily for good security health, like using strong passwords. And then, if an issue arises, they can always bring it to the IT team for help. With a good level of general awareness and others around for support, a strong security culture can catch problems before they become severe - and who wouldn’t want that?

Scientific studies find that these factors influence a security culture 

We know that culture is something that many companies struggle with. It is also just vague enough that it can leave you scratching your head wondering, “where do I even start?”   

So, to help you get started, we’ve laid out some things to consider when thinking about your own security culture.  

By the way, all of our advice and recommendations come from a combination of our own years of experience in the IT security field and a lot of research we’ve done in this area. We have read a lot of scientific studies about workplace culture and cybersecurity, and the findings have helped inform our work. If you are interested in checking out the studies yourself, we have linked to them in the text, and you can also find them listed at the end of this post. 

Now, without further ado, here are some things that can get in the way of a strong security culture, and some things that support a strong security culture.

Reasons your security culture may be lacking 

A security culture could be suffering for several reasons. Usually, there is more than one reason that a security culture is weak. Here are some common things in the office that can keep your security culture from thriving.  

  • Lack of prioritization from management: If leaders in the organisation do not think security is worth spending time or money on, their attitudes will trickle down to their employees. Thinking that security is “no big deal” is a sign that the security culture could use some nurturing.  

  • High staff turnover: With people constantly coming and going, the cultural mix of the office is always in flux. This makes a strong culture more difficult to establish and maintain.  

  • Security requirements that are too complicated: Getting people to care about security is hard enough. Making the policies and rules more complex than they need to be is an easy way to guarantee that they won’t be followed. It can cause negligence because people have to overcome many obstacles in order to understand and follow the rules. 

  • Imbalance between efficiency and security: A work culture with intense deadlines or one that encourages staff to get the job done as quickly as possible can lead staff to cut corners and ignore security risks. While efficiency is important, it has to be on equal footing with security so that everything works together smoothly. 

  • Thinking “it won’t happen to me”: Sometimes, even employees who know about security risks don’t associate themselves or their company with those risks. So, they don’t take proper precautions and can make mistakes. 

  • Low job satisfaction: Staff who are unhappy with their work are more likely to ignore security policies. 

If you are looking for ways to improve your security culture, making improvements in these areas is a great place to start.  

Things that encourage a strong security culture 

On the other hand, there are also factors that support the growth of a strong security culture. Here are some of those things to look for: 

  • Management that values and prioritizes security: Management’s values trickle down to employees at all levels. Having leadership that makes security a priority is a strong indicator that staff will also value security.  

  • High levels of awareness about security risks: When staff understand security threats, they are more likely to engage in activities that support a strong security culture, such as discussing threats with their colleagues and reporting risks to the IT department.  

  • People are motivated to comply: Whether the motivation to follow IT security rules is internal or external, motivation to practice good IT habits is a key element in a strong security culture. For a scientific study of how motivation impacts IT security behavior, we recommend this article.  

  • Open communication about security: A company with a strong security culture gives employees space to discuss risks and report threats or accidents to the IT department. Blaming and shaming don’t prevent a breach from happening and can keep employees from coming forward with threats.  

  • Social norms that encourage secure practices: We are all influenced by our environment and the people in it. An office with social norms, like locking your computer screen when you get up from your desk, is more likely to have a strong security culture. Similarly, making an example of employees who use good security practices can also be a sign of a strong security culture.  

  • National culture: A workplace is not isolated from the rest of the world (even though it might feel that way sometimes). The value placed on security in the country you live in has an impact. For example, the GDPR in the EU has made data protection a part of the conversation in many companies. Employees understand that it’s important to keep personal data safe, in order to look after people’s privacy and to protect their data in case there is a security breach. So, it might be easier for EU-based companies to form a strong security culture.  

When you are thinking about your organisation’s security culture, you might evaluate whether any of the items on this list apply. And now that we’re thinking about the security culture in your organisation, we’ll move on with some practical tips that you can use to strengthen your security culture. In the next section, we give you 8 different ways to improve your security culture.

Want to strengthen your security culture? Our 8 practical tips can help 

When it comes to security cultures, there is always room for improvement. Depending on what your security culture currently looks like, you may wish to take small or big steps towards a stronger security culture. In these recommendations, we draw on our own years of experience helping organisations strengthen their security cultures. But you don’t just have to take our word for it! Published studies on improving compliance with security policies have many of the same takeaways.  

Here are 8 things you can do to strengthen your security culture: 

  • Clearly communicate IT security expectations and requirements 
  • Have a reporting process in place and test whether staff use it 
  • Get top managers and team leaders on board 
  • Measure attitudes and awareness to track progress over time 
  • Demonstrate the role each employee plays in protecting the organisation 
  • Highlight those who do security well 
  • Integrate security into the regular workday 
  • Keep it up 

Now, we’ll talk about each one of these tips with a little more detail. Let’s go! 

Clearly communicate IT security expectations and requirements 

Following the company’s security rules begins with knowing what they are. You may be surprised to know that in a study, 88% of employees had no clue about their organisation’s IT security policy. A common reason for this is that policies are overly complicated and given to employees as a large document to memorize. In these cases, people are much more likely to open the document, see that it’s extremely long and boring, and rapidly close the document never to return to it again. 

To make it as easy as possible for employees to know the IT security rules, you should communicate about them in a clear and simple way. One way to do this is to write short IT security and acceptable use policies that use plain language. Every employee should be able to understand what is expected of them. The policies should be given to employees during their onboarding, and the IT security policy should require mandatory participation in awareness training and/or other security awareness activities that teach employees about security risks. 

One way our customer, Novicell, does this is through a simple and easy to read GDPR handbook. You can read more about how they created simple guidelines here.

CTA_it-security-policy_blog_desktop

 

Have a reporting process in place and test whether staff use it 

Clear communication is key! You might be sensing that communication is a big trend in company culture – and that’s because it is key. You should have a clear process that employees can follow when they need to contact the IT department. Make sure that everybody knows who to go to if they have questions about a security issue, and how to report a suspected security risk or breach. It’s ok to test your employees to see how well they know the process. You could even send a phishing test email to measure how many people report it correctly and if colleagues warn each other. Knowing how to report an issue is one thing, but actually reporting threats and discussing them is needed for a strong security culture.

Get top managers and team leaders on board 

Managers and leadership set the tone for the rest of the organisation. If they value and prioritize security, their employees are more likely to do so as well. When managers make security a priority, they can set aside time for security-related training and ensure that work deadlines do not require staff to bypass security precautions. All managers and leaders should also take part in security awareness training, like the rest of the company. In this way, they can serve as positive role models and advocates, especially when they mention the importance of security to the rest of the staff. When managers take security seriously and prioritize it equally with other work tasks, their attitudes are often reflected in their employees’ behavior.

Measure employee awareness and attitudes to track your culture over time 

To see how your culture changes over time, you have to have a system in place for measuring employee awareness and attitudes. One way to measure this is to look at the percentage of employees who have completed all of their awareness training courses, and how quickly they complete the courses once they receive a course invitation. If your employees need multiple reminders to take a course, it’s a sign that they probably don’t care very much. On the other hand, quick completion of courses is a sign that employees value IT security and want to do their part. You can also make awareness activities relevant to employees’ needs, for example by giving lessons that are tailored to their job functions or conditions like remote work.

Demonstrate the role each employee plays 

Sometimes bad security behavior is a result of thinking “this won’t happen to me, so I don’t need to care about it.” This is why it’s important to empower employees so that they understand their role in keeping the organisation secure. The reality is that security is everyone’s responsibility, not just those responsible for IT. You can communicate this through different activities that cover the human role in security, such as phishing training. Sending simulated phishing emails helps people associate themselves with the risk in a more realistic way than reading about it in a manual. It shows that they could receive a phishing email and they might not be able to recognize it. All of this signals why it’s important for them to know the signs and take security seriously.

9 out of 10

Highlight those who do security well 

Rewarding good behavior goes a long way with security awareness and culture. You can encourage a strong security culture by recognizing individuals or teams that practice good security habits. For example, you could spotlight a team or employee that always does their training courses on time. They can become a good example for others to follow in the company, and they will enjoy the social recognition.

A note on motivation:  

Recognizing those who do security well works because it taps into our desire to be viewed positively by our peers. It’s important to also understand how motivation differs between people. Some may be intrinsically motivated to follow the rules, while others need extrinsic incentives, like social recognition. For those who need a little extra push, aside from social recognition, it’s ok to use sanctions to encourage them when needed. Of course, the kind of sanctions you use can vary based on your company. An example of a small push to get employees to move in the right direction could be an email from or conversation with somebody in a management position. It works because it is not a negative punishment, yet it shows that leaders in the organisation are paying attention.

Integrate security into the regular workday 

To keep security on the mind, make security awareness a simple and regular part of the workday. You can encourage passive awareness by using security-promoting office decorations like our free posters on cybersecurity and the GDPR. It’s important that your efforts to make security a regular part of the workday should be easy to understand and should not be a time burden for the rest of the staff. Quick awareness training courses can also be a part of this strategy of making security awareness a regular activity. Also, keep in mind that using multimedia leads to more awareness and better learning.

Make your efforts a continuous process 

Whatever you choose to do to raise security awareness in the office, make sure that it is ongoing. Continuity helps keep security top of mind, which reinforces a strong security culture in the office. You can, for example, release awareness training courses to employees once every other month and fill in the space between training courses with other reminders of good habits. Since culture can change over time, it's important that you keep the security work going in order to keep or see improvements.  

Now that you’ve seen our 8 tips for creating a stronger security culture, you may be wondering how this could actually look in your company. To help you imagine small steps that can improve your security culture, we’re bringing you an example of one of our customers. Keep reading to see easy things they did to improve their security culture. 

How one of our customers improved their security culture 

A strong security culture is something that we help many of our customers achieve. If you are wondering what these recommendations look like in real life, then look no further! Here’s what one of our customers does to improve their security culture:  

  • They have an IT security policy, and they test how well their employees understand it with a short quiz 
  • They make cybersecurity a topic in their weekly staff meetings. This opens up a conversation about IT security issues and allows the experts to answer questions, encouraging employees to discuss security regularly 

As you can see from this example, the steps this company took to improve their security culture were not a huge lift. But little changes can make a big difference, especially when they are part of the regular work routine, like bringing up IT security at meetings every week. All the more reason to invest in improving your security culture today.

Where do you go from here?  

Are you ready to take the next step toward improving the security culture in your organisation? We’ve covered a lot so far, and we know it can be overwhelming in the beginning. So, to make it a little easier for you, here are two actions you can take to get started. 

  1. Evaluate where your organisation is now. What parts of your culture could use improvement? 
  2. Implement new strategies to make improvements in these areas. We recommend the Plan Do Check Act cycle (PDCA) as a model for making changes and measuring how effective these changes are.  

Know that making cultural changes is not always easy and the results sometimes take a while to see. At first, there may be some resistance from those who do not think cybersecurity should be a big priority. But it’s important to keep going. With time and security activities that are easy to understand and quick to complete, you can get everyone on board with prioritizing security.

We’re here to help! 

At CyberPilot, our awareness training, phishing training, and other resources are designed with building a strong security culture in mind. We help organisations teach and motivate their employees to practice good habits. If you are interested in trying our awareness training for free, you can sign up for a 14-day free trial. And as always, you are more than welcome to reach out to our team if you have questions about how to strengthen your security culture.

Further reading 

In case you are interested in checking out the academic studies we used in writing this, here you go! And if you have read anything else that caught your interest about a security culture, we’d love to hear from you. Contact us on info@cyberpilot.io