3 Steps to Create a Culture of Cybersecurity

by Mary-Michael Horowitz

It seems like every business is trying to improve its company culture. And that’s a good thing. An effective culture is built on solid values and a core purpose. It gives employees the opportunity to understand what makes the company tick – what its beliefs are, what its goals are and how each person can help move the business forward.

In the same way, I encourage businesses to think about creating a culture of cybersecurity. Ensuring your business, and its data, stay safe from the many cyber threats lurking in the ether means constant education and discussion so that each team member understands how to safeguard the business and demonstrates that day in and day out.

Here are three steps to create a culture of cybersecurity in your business:

1. Involve the entire company
Cybersecurity isn’t just an IT thing. It’s an everybody thing. So, take the time to teach everyone in the company why cybersecurity matters. Train employees to know what to look for, like how to spot a phishing email, and to whom suspicious activity should be reported. Explain to the team the reality of cyberattacks. If employees understand the consequences of their actions and the potentially devastating results, they’re probably going to be more likely to buy into a culture of cybersecurity. We suggest companies provide their teams with formal training at least annually, if not quarterly. These training shouldn’t be stiff and dull. Make them fun and engaging with friendly competitions or games, rewards and demonstrations.

2. Keep cybersecurity top of mind
Holding annual or quarterly cybersecurity training sessions is important in establishing a culture of cybersecurity, but it’s not enough on its own. To truly build a strong culture, security needs to be top-of-mind for employees. Things like posters hanging around the office with brief security tips, handouts with reminders of things to look out for and quarterly newsletters with more in-depth tips and takeaways from the latest hacks making headlines all help make security part of the daily conversation.

3. Create a sense of responsibility
In addition to teaching your team how to prevent and spot cyber attacks, it’s equally essential to ensure employees feel comfortable reporting their findings.

Consider this scenario:

Maria from accounting notices a suspicious-looking email in her inbox and realizes it’s likely a phishing email, so she doesn’t open it. Feeling proud that she spotted the email before opening it, she moves on to the next task at hand. She figures since she didn’t fall for it, there’s no need to do anything else. She never reports it. Hackers often send out mass amounts of phishing emails – possibly to employees within the same company – looking for the weakest link. So while Maria didn’t take the bait, her coworker who receives a similar email the next day might. Reporting suspicious emails allow IT and company leaders to create awareness around the issue. What if Maria had fallen for the phishing email but still didn’t tell anyone? The consequences could have been tragic. It’s important to create a workplace where people feel open and invested. Instilling fear in employees for reporting cybersecurity issues won’t help. Instead, offer an incentive or award. For example, give a special treat to those who report a phishing email.

About the Author

Mary-Michael Horowitz is VP of sales and operations at Asylas, security, privacy, and risk consulting firm located in Nashville, TN. She works with small- and medium-sized businesses to align business goals and objectives with technology solutions that fit for today and plan for the future.