Creating a security-first culture
Thu 5 Aug 2021 | Finbarr Toesland

Long gone are the days when the responsibility for cybersecurity rested solely on the shoulders of the IT department.
In the workplace of today, threats can originate from a range of locations, and effectively protecting sensitive systems now requires all employees to become more aware of security issues. No single person or department can stop cybercrime at their business by themselves.
A GOV.UK survey in early 2020 found that 46% of UK businesses and charities reported a cyber-attack during the year, illustrating the widespread nature of cyber threats today. By fostering a security-first culture where staff feel empowered to make the right security decisions, the entire organisation will benefit as threats will be less likely to be successful.
While the exact culture will differ due to the unique circumstances and size of each organisation, at its core a security-focused culture means all staff will hold a shared set of values around how to approach security. A workforce where acting in a security-conscious way is the norm and workers are made aware of all manner of potential cyber threats is a central part of a powerful culture of security.
For example, being able to identify phishing emails and proactively report them to the IT department, and regularly changing passwords, are the basics of a strong cybersecurity work environment. For leaders, this could mean performing due diligence on new software providers to confirm these IT partners comply with relevant internal policies, such as data protection.
Cybersecurity culture
The first step on the journey towards establishing a security-first culture should involve a frank assessment of where your organisation currently is when it comes to cybersecurity. It’s not unusual for this evaluation to uncover previously unknown issues, especially as close to 80% of senior IT and IT security leaders believe their businesses lack sufficient protection against cyberattacks, according to an IDG Research Services survey.
By identifying weak points in your cyber defences as soon as possible. Ensuring that all employees understand their cybersecurity responsibilities and receive training on best practices will be essential in getting their buy-in. In practice, this means going beyond just explaining the value of cybersecurity to staff and ensuring that their concerns are heard throughout the transition.
It’s important to identify staff members who are continuously making security-related mistakes to offer extra training. But it’s equally valuable to reward good security habits and celebrate when processes are working well. This can incentivise employees to become more aware of what good cybersecurity looks like and make modelling best practice behaviour easier.
When an effective security culture has been created at an enterprise, the potential for damaging cyber events can be reduced. A switched-on workforce will be more aware of new security threats and will be better placed to respond quickly to any security incidents before they cause the most damage.
In organisations that have a security culture at their core, the importance of considering potential cyber breaches won’t just be left to employees carrying out their day-to-day activities. Purchasing teams need to more deeply integrate security assessments into their decision-making process when selecting software, equipment and other tools. Requiring all staff to use unintuitive and clunky communication tools may lead to them cutting corners and communicating private business data through more user-friendly but insecure channels.
Challenging cyber environment
Even at enterprises that have followed best practice security procedures, mistakes can happen. Whether it be a new employee falling for a sophisticated phishing scam or being the victim of a targeted hacking attack, no organisation can fully guarantee it won’t be on the receiving end of attacks from cybercriminals.
However, a security-first culture can help mitigate some of the damage from these ever-growing threats. If an employee inadvertently enters sensitive login information after clicking on a scam email, it’s vital they inform the relevant IT personnel. But in a workplace where cybersecurity is rarely discussed or policies are unclear, staff may not be aware of the damage a data breach can cause or could fear getting disciplined or fired if they reported the incident.
Once a culture of security has been created, it requires ongoing updates and attention from leaders and staff alike. Like any wide-ranging initiative that impacts an entire organisation, a balance should be created between the burden placed on workers from new security considerations and their ability to carry out core job functions effectively. Overloading staff with security-related tests or requirements before they start low-risk tasks is clearly not beneficial to the business.
As recent high-profile successful cyberattacks, such as the Colonial Pipeline ransomware attack, have shown, the repercussions of a single cyber strike can be widespread. Just as businesses seek to bolster their cyber defences, criminal hackers are also searching for new tools to break through and steal data.
Establishing a solid security-based culture can be one of the most effective ways to reduce the likelihood of a devastating cyberattack. While technology clearly has a critical role to play in stopping attacks from being successful, providing employees with the know-how and understanding of the threats they face is vital.