Why You Need to Establish a Cyber Security Culture Within Your Organization

Daniel Tobok
Posted on: March 20, 2018

You can do a great job of policing your networks, keeping patches up to date and doing your best to uncover intrusions, and still be breached.


Because your number one cybersecurity vulnerability isn’t your network — it’s your employees.

We’ve all had coworkers who have opened an email attachment from an unknown source – even though they had been warned not to do so – and infected their own computer, or others.

“A leading cause of security breaches is a basic human vulnerability: our susceptibility to deception,” says a study from the University at Albany, SUNY.

With more users connecting to cloud services, email and social media every day, the opportunity for something to harm a business’ network is high no matter how security-conscious the business is. Combine that with the prevalence of remote workers, employees using personal laptops or phones to reach company systems, and the use of public Wi-Fi, and the likelihood of a breach compounds further.

Because employees are a business’ top cybersecurity vulnerability, establishing a solid cyber defense requires the creation of a cybersecurity culture within the organization.

Everyone Has To Participate

From the entry-level employees to the big boss in the corner office, it must be everybody’s mission to follow safety and security protocols. All it takes is one person replying to a phishing email or sharing their password to cause a potentially significant problem.

When Someone Catches Something, Call it Out!

How often has someone in your company forwarded you an email and asked whether it is malicious? How often has an employee clicked on one and caused a problem that had to be fixed quickly to limit the damage? These situations happen, probably too often. Instead of sending out the same broadcast saying, “If you see this, don’t click on it,” an effective way to get organizational buy-in is to give public credit to the person who flagged the issue in the first place. It encourages others to think twice before clicking a suspicious link or opening an offer that seems too good to be true (it usually is), and it gets them reporting potential problems to you before they become real ones.

Help employees and executives understand that by sharing potential threats and concerns, they are all taking part in making the workplace a safer place for everyone while establishing a grassroots cyber defense that’s effective against potentially severe cybersecurity issues.

Spread The Message And The Risks

For everyone in the organization to play an active role in your business’ cybersecurity culture, they must understand just how critical cybersecurity is to the organization and its growth. Here are a few facts that might help you drive the point home:

Phishing emails account for 91% of cyber-attacks, typically beginning with someone innocently clicking a link or attachment. One study suggests that 1 out of every 131 emails contains malware.

Computer virus and malware attacks grew by 145% in 2017, while data breaches increased 164%.

More than 50% of all businesses experienced a cyber attack of some form last year.

81% of breaches are the result of either stolen or weak passwords.

One IT manager purposely slowed his network to a crawl to get people’s attention. When employees complained, he let it be known that all it takes is one random email to cause the whole system to be compromised. While we’re not advocating this tactic, it was useful in bringing the problem to the attention of employees who interact with the company’s network on a daily basis.

Formal Policies And Procedures

You likely have an Employee Handbook or Organizational Best Practices guide that sets out your organization’s human resources policies and procedures. Review yours and see what it says about security. Such documents regularly remind employees about building security, such as keeping office doors closed, but often say nothing about leaving computers unlocked when people step away from their desks. An unlocked, logged-in workstation gives anyone looking to cause a problem for your organization a ready opportunity to do so.

It’s also critical that your organization establishes a formal password policy to ensure passwords are strong and resistant to guessing (for example, requiring sufficient length and a mix of letters, numbers, and symbols, and rejecting passwords known to appear in breaches). A recent study by Keeper, a password manager vendor, found that 50% of people use one of the 25 most common passwords. Scanning 10 million passwords leaked in data breaches, it found the most commonly used passwords included 123456, qwerty, and password.

Some companies require password changes every 30 days or even more often. While employees may complain, the author’s view is that it’s a monthly reminder of how important security is and how seriously the organization takes it. Be aware, however, that NIST SP 800-63B (2017) advises against forcing routine, calendar-based changes, because people respond with predictable variations of the old password; change passwords when there is evidence of compromise, and put the effort into blocking known-weak passwords instead. Consider 2FA (two-factor authentication) for logging into accounts and services, which limits the damage a stolen or guessed password can do. It’s also a good idea to do an occasional sweep through the office, checking monitors, keyboards and the undersides of desk calendars for written-down passwords.
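The password-policy point above is easy to get wrong: a rule that only demands “letters, numbers and symbols” happily accepts P@ssw0rd2018!, which is just the most common password in a costume. The following checker is an added example, not code from the article or from Keeper; it enforces a minimum length and then normalises a candidate (lower-casing, stripping leading and trailing digits or punctuation, and undoing common symbol-for-letter substitutions) before comparing it against a common-password list. The list here is a constructed sample containing the three entries the article names plus a few assumed ones; a real deployment would load a full breach corpus in its place.

```python
"""Password policy checker (added illustration, not the article's own tooling).

Rejects passwords that are too short, that appear verbatim in a common-password
list, or that are trivial decorations of such an entry (Password1, P@ssw0rd!).
"""
import re

# Constructed sample of a "most common passwords" list.  Assumption: a real
# deployment would load millions of entries from a leaked-password corpus.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "letmein",
    "football", "iloveyou", "admin", "welcome", "monkey",
}

MIN_LENGTH = 12  # assumed policy value

# Reverse the usual "leetspeak" substitutions so P@ssw0rd normalises to password.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Strip the decorations people add to satisfy composition rules.

    Lower-case, drop leading/trailing runs of digits and punctuation
    (password1, 2018password, password!), then undo symbol substitutions.
    The order matters: stripping first keeps a trailing "123" from being
    mis-read as the letters "i2e".
    """
    base = password.lower()
    base = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    return base.translate(_LEET)


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    core = normalise(password)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    elif core in COMMON_PASSWORDS:
        problems.append(f"is a trivial variation of the common password '{core}'")

    if not core:
        # Everything was stripped: the password is only digits/punctuation.
        problems.append("consists only of digits and punctuation")
    elif len(set(core)) <= 2:
        # aaaaaaaaaaaa, abababababab and similar keyboard doodles
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2018!", "correct horse battery staple"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalisation step is the part worth copying: comparing only the raw string against the blocklist would pass P@ssw0rd2018! as a thirteen-character, four-class password, which is exactly the kind of “compliant but weak” choice that a monthly rotation rule trains people to make.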

Consider restricting employee access to systems, networks, and software they don’t need for their job. Give them access only to what they need and actually use, the principle of least privilege. If someone needs access to something they don’t have, make them justify the need before it is granted.

Cyber Security Training And Education

According to a study by the Aberdeen Group, consistent training can change behavior and reduce cybersecurity-related threats by more than 45%. Consider making security training a part of each employee’s onboarding process, with at least an annual refresher course. It’s critical to the well-being of your organization that every employee knows the company’s stance on cybersecurity and why it’s essential.

Every business can do a good job of policing its networks and watching for intrusions and still be left open to cybersecurity problems. To establish an embedded and effective cybersecurity culture, all employees at every level of your organization must not only be on board but actively involved in your defense.