Have you ever been in a manufacturing setting? In those settings, employees are surrounded by dangers: chemicals, machines, and loud noise are just a few. Governments have established safety laws to help protect employees, and companies are required to adopt those laws as their safety standards. But then there are companies that have made safety an integral part of their culture. In those companies, the legal requirements are simply a starting point. These companies have a goal of zero safety incidents. They put into place safety procedures that go far beyond what the law requires. Employees are expected to identify safety threats, make suggestions when they see a concern, and are rewarded for assuming ownership of safety issues. It probably wouldn’t surprise you to learn that in companies with a safety culture, there are not only fewer safety incidents but higher satisfaction from employees.

While the dangers around IT aren’t physical dangers like in manufacturing, they still pose a significant threat to the livelihood of the employees. Just as in manufacturing, you can choose to implement the bare minimum and require employees to follow the rules because you said so, or you can choose to create a security culture where employees willingly participate in making the digital workplace safer for everyone.

What are some of the signs of a security culture?

  • Employees are not only aware of the threats that exist but feel a personal responsibility to take an active role in protecting the organization against those threats.
  • Employees know how to identify potential threats, like phishing emails, and how to report them to the security team.
  • Employees understand the benefits of strong passwords and don’t reuse passwords across sites.
  • Employees don’t share passwords, door codes, keycards, or other assets because they recognize it works against their goal of a security culture.
  • When an employee makes a mistake, they trust they can let the security team know and take the necessary actions to correct their misstep without fear of reprisal.
  • No one in the organization feels the rules don’t apply to them.

Once you’ve decided you want to create a security culture in your company, what’s next?
Step 1: Educate Employees on Their Responsibilities

Instead of giving your employees a list of “dos” and “don’ts”, educate them on the “why”. Help them understand how clicking on a link in a phishing email can disrupt the entire company and the long-term consequences that could have on them and their coworkers. Show them how a compromised password could allow an attacker to disrupt operations enough to threaten the viability of the company and their jobs. Explain to them how no security software can protect the company against every threat, and that’s why each employee needs to augment the security tools that exist. When employees see something amiss, help them understand it’s in their own self-interest to speak up.

As much as possible, turn security training into a security dialog. Listen to what employees have to say and incorporate their feedback into your processes and training. Once employees view ensuring security as part of their job description, training on security specifics, such as password strength and recognizing phishing emails, becomes relevant and helpful rather than another bureaucratic requirement taking time away from “real work”.

Step 2: Charge Leaders With Reinforcing Security

A team is only as strong as its leader. A culture of security won’t thrive unless each leader in your organization is committed to upholding security standards. That means talking about security regularly. In staff meetings, highlight employees that proactively helped with security. Share examples of new threats and how employees responded to those threats. If an employee makes a mistake and reports it quickly, praise them for quickly identifying the mistake and notifying the security team so something can be done. In a culture of fear, mistakes are hidden to avoid punishment. In a security culture, mistakes that are reported become opportunities for improvement, not punishment.

In some organizations, fake phishing emails are sent to employees. Employees that report the email to security are recognized for their diligence. Employees that click on the link in the email are notified that they fell for a scam and taught how to better recognize phishing emails. Healthy competition can be introduced to see which departments respond best to the phishing email, inspiring employees to continue their commitment to strengthening the entire organization.

Step 3: Hold Employees Accountable

When you can trace the origin of an attack, you can determine which employee or department is responsible. For example, you may find that an employee used company credentials to set up an account on an unauthorized website, or that an entire department is sharing one login for a service. This insight allows you to discuss the situation with specific employees, ensure they correct their mistakes, and use that example to foster better security habits. In a security culture, this becomes an opportunity to improve security awareness and the training curriculum.

When there is a pattern of insecure behavior despite training and corrective action, then you can move from education to discipline. In a security culture, employees will not appreciate coworkers that willingly and repeatedly flout the security rules. Instead of forcing the entire company to retake security training after an incident, focus on retraining your security slackers: employees who are lax about the rules and repeatedly make mistakes that have previously been identified. Over time, your least security-conscious employees may become the best-informed employees.

Step 4: Support Employees With Cutting-Edge Security Solutions

Just as employees should not feel that they don’t need to do anything to help with security because there are security tools running in the background, employees also shouldn’t feel that they have to do all the work because management isn’t investing in the latest security tools. Just as a sports team invests in the latest technology to help athletes perform at their highest levels, your employees should feel that the company is investing in the latest technology to help the security culture perform at its highest level.

Work closely with security experts to choose and implement new security solutions that will help protect your company. Educate your employees on these new tools and how they will help employees strengthen the security culture and keep the company and their jobs safe. Encourage employees to get familiar with security tools. Create “digital fire drills” that allow employees to experience what happens when there’s a threat and practice reporting the issue, so that when it happens in real life, employees already know what to expect.

Step 5: Lead by Example

Culture is constant. If you as a leader only focus on security once a year, you’ll never create a security culture. You need to ensure that security is always a focus: every quarter, every month, every week, every day. Make sure your employees see from your words and actions that you are passionate about security. Be the security role model, not only in never circumventing security rules but also in admitting when you made a mistake and sharing how you used that mistake to learn and improve. A security culture starts at the top.

Securing an organization is too much for one person or one team to handle alone. It requires the understanding and commitment of every employee, high and low. A security culture isn’t something you can build overnight. It takes strategy, consistency, leadership, and visibility. By taking the appropriate steps now to build your security culture, you’ll be well-positioned to combine the strengths of both security tools and savvy employees to protect your business against emerging threats.

If you’re ready to have a fresh set of eyes review your cybersecurity practices, we’d like to be your coach. Give us a call today to get started.