9 Steps to Fostering a Cybersecurity-Aware Culture

It's safe to say that cybersecurity awareness and education are not an optional addition to an organization's security posture.


Lawmakers, compliance standards, and cyber insurers are now requiring organizations to conduct cybersecurity awareness education and training. And not a moment too soon. Americans suffered $10 billion in losses from phishing scams and identity theft. That's because 95% of cyberattacks are the result of human error. What's more, the rising threat of AI-based social engineering is forcing organizations to take a harder look at their security status, procedures, tools, and culture.

For cybersecurity awareness to take root in an organization, much depends on changing employee attitudes. Ideally, employees should take responsibility and be held accountable for risky online behavior. Beyond teaching them the characteristics that define social engineering and phishing threats, employees should be made aware that an impulsive decision, such as clicking a suspicious link without scrutiny, can break a business.

So, what does it take to create a cybersecurity program that steers employee behavior toward adopting a security mindset? One that also enhances the culture? Below are simple and practical steps that can help:

1. Identify a Baseline: To understand what needs to change in employee awareness, behavior, and culture, you first need to understand what kind of culture and behaviors already exist in the organization. Conduct a thorough assessment of how workers view security, how often security training is conducted, how frequently security incidents occur, and what the current phishing click-through rate is.

2. Establish the Right Goals and Objectives: A cybersecurity awareness program is essentially a culture change program. You want employees not just to be aware, but to embrace security best practices. Specify goals and objectives. For example, the goal should be to reduce human error in cybersecurity incidents by educating employees on what constitutes a security risk when it arrives disguised as a social engineering or phishing attempt. Objectives can include reducing the phish-prone percentage among employees, increasing the number of incidents reported, and improving the effectiveness of incident response.

3. Build a Comprehensive Plan: Develop a plan that outlines the steps the team will take to meet the desired goals and objectives. This can include updates to the security policy, the frequency of security training, methods and means of delivery, resources that will be mobilized, intended target audience, and timeline of implementation.

4. Get Buy-In From Leadership: Before rolling out a security awareness plan, it is crucial to get buy-in from upper management. Culture generally spreads top-down. With agreement and endorsement from leadership, executives can become a catalyst for communicating and promoting your program. Studies show that executive support is a critical element in achieving long-term cyber resilience.

5. Implement the Program: Once you've secured the go-ahead from leadership, communicate the program to all employees. Start with managers and department heads because they hold influence across teams. Explain what you're doing, why you're doing it, what you expect from them and understand what they expect of you. Next, roll out your program as planned.

6. Repeat, Remind and Reinforce: Regular reinforcement is necessary to ensure that behaviors turn into habits. Train regularly, send reminders, communicate updates to policies and procedures, and reinforce the need to stay vigilant. Run monthly mock phishing exercises so that employees learn to identify, block and report malicious threats, but be careful to avoid phishing fatigue. Simulate real-life security incidents and conduct fire drills so that employees learn how to respond and whom to contact in the event of a security breach or incident.

7. Tailor Training According to Experience: Cybersecurity skills, knowledge, and security maturity are not homogeneous across the board. There will always be departments and specific users who need firsthand coaching, and employees who handle sensitive or proprietary data may need additional training.

8. Use a Carrot, Not a Stick: The goal of security training is not to cause shame or fear among employees who fail a phishing test or make errors. They shouldn't feel betrayed or perceive security training as something that's harmful. Instead, practice empathy, prioritize well-being, and educate people with care. Celebrate wins and successes, use gamification, provide incentives and use other marketing tactics to increase participation. Consider the relative security skills of individuals. Select training and testing options that match their experience level.

9. Review Results: After implementing the plan, run both a security assessment and an employee survey to review the results. A successful security awareness program will show a noticeable reduction in risk and an improvement in the behavior and attitude of employees toward security. Communicate results to leadership and allow the entire organization to celebrate the positive outcomes. Continuously update and refine policies, practices, tools, and methods based on lessons learned from the initial assessment. Address any noted fallout and adjust the plan accordingly.

It's safe to say that cybersecurity awareness and education are not an optional addition to an organization's security posture. Lawmakers, cyber insurance auditors, and compliance standards require organizations to conduct regular security training due to the high percentage of cyberattacks caused by human error. A plan based on a regular training regimen done with commitment and patience can result in a resilient security posture.

The Newsweek Expert Forum is an invitation-only network of influential leaders, experts, executives, and entrepreneurs who share their insights with our audience.
Content labeled as the Expert Forum is produced and managed by Newsweek Expert Forum, a fee based, invitation only membership community. The opinions expressed in this content do not necessarily reflect the opinion of Newsweek or the Newsweek Expert Forum.

About the writer

Ani Banerjee
