How to Make Cybersecurity Part of Your Culture


If you’re heading up a startup, or even a business in a period of transition, which so many are because of the pandemic, it’s a good time to think about cybersecurity. One often-overlooked element of cybersecurity is the human element.

It’s frequently human error, or a lack of knowledge and understanding, that proves detrimental in cybersecurity, even with the best protective protocols and technology in place.

You need to build a culture where cybersecurity is understood and valued. It needs to be one where your employees recognize the importance of their individual role in cybersecurity.

The following are tips that can help in the creation of that type of culture, whether you have a startup or an established business.

The Value of Establishing Cybersecurity As Part of Your Culture

You may be a small business with a smaller budget, but consider that big companies and enterprises put literally millions of dollars toward hardware, software and applications to protect their sensitive data, yet often don’t properly train their employees.

This becomes relevant because around 90% of cyber-attacks are due to human behavior or error.

If you’re trying to quantify the value of security culture to other people in your company, helping them understand this reality is a good starting point.

For example, the vast majority of all cyberattacks begin with a phishing email, yet so many employees have no understanding of how to recognize one.

Just by having universal buy-in, especially from otherwise possibly reluctant parties in your organization, you’re taking steps toward a culture of cybersecurity. Executive action can and does drive priorities for your employees, so it needs to be a top-down mission.

From there, you can work more specifically to get employee support.

Be Honest About Your Weaknesses

Part of any good corporate culture, no matter what it’s centered on, is honestly assessing your weaknesses and being transparent about where you’d like to be versus where you are.

Do a full audit of your current cybersecurity protocols, go over the knowledge your employees currently have versus what they might need, and see where your significant gaps exist. You can begin by prioritizing those.

Also, no matter what you do or ask of your employees, you want to explain the whys behind it.

Instill the Overarching Goal that Security Is for Everyone

Too often, employees will have it in their heads that security is a tech thing and that it’s just for IT to worry about. When you have a culture of security, everyone understands they’re part of it.

It’s for everyone, and everyone owns it.

Start with Awareness

Before you can begin implementing particular training programs and protocols, you want to ensure security awareness.

This is a general concept where you’re just giving information about basic-level security.

You might want visual reminders throughout the workplace, or perhaps you include security-related information in company emails or on your intranet.

Find What Motivates Your Employees

It can be tricky when you’re attempting to drive change to find what motivates employees, but it’s essential. There are intrinsic and extrinsic motivators, and you may have to home in on these individually to figure out what works for your employees.

For example, maybe recognition for smart security-driven decisions will be a motivator.

You might also try to make things a little more fun and engaging with security training, although it’s tough.

Invest in Training

Investing in proper, thorough, and ongoing training isn’t all you need for a culture of security, but it goes a long way. When you invest in training, you should communicate all of your policies. You should have regularly updated guides that you share with employees.

Provide real-world examples to your employees in training.

Some of the topics you need to make sure you cover include account access, authentication, password management, and encryption. Backing up work, phishing attacks and sending personal or sensitive information should also be covered.

Keep things up to date and make it all a conversation. For example, if you hear a news story about something involving cybersecurity, share it with your team and get them talking about it. When you allow people to ask questions, share concerns, and just have a dialogue about a topic on an ongoing basis, it’s going to become more a part of your culture.

With all of this, there needs to be accountability. You need to hold your employees accountable for their role in cybersecurity and be proactive in how you do so.