How to create a culture of security at your organization

Simar Kohli
April 7, 2022

The way we work has fundamentally changed. Although the initial growth of remote and hybrid work was brought on by Covid-19, working outside of the office is here to stay. It’s simply too beneficial to both employees and employers.

However, this new way of working introduces additional risk to company data. Many companies have become remote-first without updating their information security programs to cover the new workflows, and data breaches reached record highs in 2021.

Cybersecurity discourse tends to focus on building impenetrable infrastructure and deploying ever more tools, yet research from Stanford found that the vast majority of breaches (83%) are attributable to human error. No tool fixes that on its own; one of the most effective ways to reduce human error is to build a culture of security.

Builtin defines company culture as “a set of shared values, goals, attitudes and practices that characterize an organization.” When we refer to a culture of security, we’re talking about creating a company culture that makes security a major point of emphasis. Security should be embedded in all parts of the organization’s culture and a part of daily activities.

Culture isn’t built overnight. A culture of security can’t be created through an annual event or an occasional campaign; it can take years of consistently emphasizing security every day before it truly permeates a company, and every employee must buy into it for it to be effective. There are, however, concrete things CEOs, CISOs, and other business leaders can do to lay the foundation of a strong security culture in their organization.

1. Make it abundantly clear that security is everyone’s job

One of the biggest downsides of remote work is that it greatly expands the attack surface an adversary can target. Employees now work from home, from a coffee shop, or from an Airbnb instead of the office. Many log into accounts containing private data from personal devices, or connect to work systems over public Wi-Fi. Employees have more autonomy and broader access to company resources than before, and that autonomy creates risk.

Given the increased risk profile of remote and hybrid companies, leaders at these organizations must constantly emphasize that every employee is expected to follow security best practices at all times. Protecting your organization's data is no longer confined to the IT department or the security team; it is everyone’s responsibility. The most important step in building a culture of security is having the entire organization buy into it and understand that maintaining security is everyone's job.

2. Focus on rewarding good behavior instead of punishing mistakes

Although human error causes most data breaches, treating individuals as vulnerabilities rather than as people is not an effective way to secure your company. Every employee should feel empowered to help. Research on behavior change consistently shows that positive feedback drives lasting change far better than negative consequences. For example, if you notice that an employee enabled MFA of their own accord, congratulate them. People who are praised for following best practices will keep following them.

On the flip side, penalizing employees for mistakes hurts security culture. An employee who self-reports accidentally sharing PHI should not be punished: punishing them makes them, and everyone who hears about it, less likely to be honest next time, which means incidents get discovered later and cost more. Security errors should be treated as learning opportunities where employees gain the knowledge needed to avoid repeating the mistake. An open, blameless culture in which people are not afraid to report accidents is paramount to keeping your organization safe. You should also make it explicit that employees can report potential threats or suspicious activity within the organization without fear of retaliation.

3. Convey the impacts of weak security posture in ways people relate to

Another way leaders can build a culture of security is by showing how security lapses hurt everyone. A data breach can cost your company customer trust and regulatory fines, and one industry survey found that 31% of corporate data breaches led to employee layoffs. Explain that preventing security incidents is in everyone’s best interest: it protects the company, and with it everyone’s livelihood.

Leaders should use real-life breaches to show how everyday employees can be either assets or liabilities for their company’s defenses. For example, the recent Lapsus$ intrusions relied on MFA push fatigue: attackers who already held a stolen password sent repeated authentication prompts until a worn-down employee approved one. Snapchat was breached when an employee sent confidential payroll data to an attacker impersonating the CEO by email. Tying real events to everyday actions, such as approving a login prompt you did not initiate or replying to an unusual request for data, helps employees understand the impact of their actions and incentivizes them to take part in the security process.

4. Integrate security awareness into normal workflows

This is one of the most important steps in building a culture of security. Employees should receive cybersecurity training and tips in the context of real work. Annual check-the-box training in an outdated LMS is not enough to keep up with an evolving threat landscape; high-quality, ongoing training is necessary to ensure that employees protect data at all times.

Security awareness training should meet employees in the apps they already use and relate directly to securing common workflows. The entire company should undergo it, including employees in non-technical roles. Your security team and senior management should use training to teach employees to recognize threats such as phishing emails and MFA prompts they did not initiate, so that the attacks that could compromise your business are stopped at the person they target.

Haekka’s Slack-based security awareness training is a great way to build a culture of security in your organization. Haekka’s platform is launching event-driven training that automatically helps employees avoid risky actions. Haekka also offers quizzes, weekly security tips, and a large training catalog covering multiple types of security awareness and compliance training. It collects evidence of training completion to make passing audits a breeze. If you want a security awareness training platform that resembles real work, schedule a demo with one of our founders today!