When it comes to managing cybersecurity in our organizations, we’re pretty comfortable dealing with the technology side. It’s a pretty stable constant that (generally) does what it’s supposed to, can be tweaked and customized, and objectively measured.
Human beings...not so easy.
People are weird, messy, and random. That’s what makes us so interesting, but it’s also what makes us susceptible to cyber-attacks.
That’s where cybersecurity awareness training comes in. One of the major goals of training is to develop a strong cybersecurity culture—but what does that even mean?
We’re going to unpack that in this post and talk about what you can do to proactively build a healthy cybersecurity culture inside your organization.
What is cybersecurity culture?
Let’s take a step back and talk about organizational culture first.
Organizational culture refers to the beliefs, perceptions, values, and attitudes that are shared by your employees. We should care about culture because it greatly influences employee behaviour—for better or for worse.
Culture also happens whether you like it or not. Every organization has many cultures in it that reflect the diversity of its people, departments and skills. This means that you already have a cybersecurity culture, even if you’re not actively building it.
Alright, so what’s a cybersecurity culture then?
Let’s use some examples, because it’s easy to get culture and behaviours mixed up.
We know what good and bad cybersecurity behaviours are, like using strong passwords and updating devices. Your cybersecurity culture is the slurry of factors that puts someone in a position to do (or, more often, not do) that cybersecurity behaviour.
Is your culture proactive, where people engage in cybersecurity best practices on their own, or reactive, where people only act after you tell them? Do people take ownership for updating their own devices and accounts, or do they wait for IT to handle everything for them? Do people help each other out when there are technical problems, or does everyone fend for themselves?
Culture begets behaviour.
How do you build a healthy cybersecurity culture?
At the end of the day, everything you do and say is going to shape your organization’s cybersecurity culture. From our experience working with IT and security professionals across Canada, here are several tips or considerations that can help you shape a positive culture.
Get executive support behind a vision
Every large change or program needs a strong vision for employees to rally behind, and one of the best ways to get people to pay attention to that vision is to have a senior-level champion.
Sponsorship might look different depending on your organization, and generally the higher up you go, the more impactful that sponsorship will be. Try to get at least one C-level (or equivalent) member to champion your program. Don’t be afraid to look beyond your CEO/president and your CIO/CTO technical leaders: a people leader like a head of HR or communications can be extremely beneficial, specifically when implementing a cybersecurity awareness program.
Create user-friendly processes
When we talk about the purpose of training and culture, it’s to change negative (or non-existent) behaviours into good ones. The most important behaviour is for your employees to tell you when something bad happens, or when something doesn’t feel right.
There are many tools and channels you can create to support your employees and receive reports about threats. Here are some of our favourites:
- Online help desk or web form
- Dedicated email alias
- Report-a-phish button in your email client
- A cybersecurity or IT channel in your internal instant messaging platform
Whatever channels you choose to implement, make sure they are easy for your employees to use and integrate seamlessly into their working routine. You don’t want to train your users into becoming hyper-vigilant and reporting threats, only to confuse and frustrate them with the process they need to use to speak up. If the process feels onerous or confusing, you’ll lose momentum and internal buy-in.
Use transparent communications
Technology and cybersecurity are notorious for being convoluted, mystical black boxes that the average person does not want to even think about. Unfortunately, this does more harm than good: you do not want to become a gatekeeper with you on one side and your users on the other.
You need to talk about cyber risks and your programs and policies in a way that makes it easy for everyone in your organization—especially non-technical folks—to understand. Keep it concise: what are the risks, and what do people need to do to avoid those risks? You do not need to get into the technical weeds unless someone is genuinely interested.
This is where you should ask for outside help if communications is not your strong suit. If your organization has a marketing or communications department, they can help you with company-wide emails, town halls and newsletters.
When it comes to awareness training, your HR department (or a learning and development department, if you have one) has experience with training people. Third-party training providers also do this for a living, and can take the heavy lifting of building clear and concise training material off your plate.
Implement awareness training
Training is one of the main vehicles you have to develop and mold culture in your organization—but it doesn’t have to suck.
Instead of yearly lunch-and-learns or off-site seminars, provide your employees with shorter online training more frequently. Make your training focus on educating people and changing behaviour, not on the acceptance of your policies as a compliance check mark.
Don’t be afraid to have fun with your training. If it’s boring, employees will tune out and absorb nothing. We’re not saying you need to turn your training into a video game, but make it something employees don’t dread either.
Lean on real, Canadian examples of cyber-attacks, and explain the importance of cybersecurity both at work and at home. Then start diving into common threats and best practices to protect against them. Personalize the message by relating it to common threats employees might face at home (identity theft, phishing emails, spam calls).
You can also make your training interactive by incorporating phishing simulations, which reinforce your training material. Remember, if someone falls for a fake phish, turn it into a learning opportunity, not a shame exercise.
Turn training into a game
One way to go above and beyond with your training program is to introduce gamification, which is a fancy word for having some fun and introducing game elements.
Scores that are tied to training and go up or down based on course completion and reporting of phishing simulations are one of the more advanced methods we’ve seen. You’d be surprised how competitive your users get when they can put a number to their training and compare it with their colleagues.
Even if they’re not competing with each other, the fact that a person can see their score and how it changes over time helps them see progress, which is important for keeping the momentum of training high.
Along with scores, we’ve also seen organizations implement leaderboards and badges alongside their awareness training.
At CIRA, we have a quarterly leaderboard that shows the top 10 employees with the best cyber risk scores, which we share in our all-staff email newsletter.
Why do we do this? It’s an easy way to celebrate wins and success.
With cybersecurity it’s extremely easy to focus on the negative. It’s easy to get beaten down and disheartened when you read about hacks, data breaches and compromises happening all the time across the country. That helplessness can work against you when you’re trying to get people bought into a training program that requires some level of repeat behaviour.
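The score-and-leaderboard mechanism described above (a per-person score that rises with course completions and reported phishing simulations, falls on misses, and feeds a top-10 leaderboard) can be sketched in a few lines. The following is an added example, not CIRA’s own scoring code; the event names, point weights, 0–100 clamp, starting score of 50 and the sample events are all constructed assumptions. Note that the leaderboard deliberately exposes only the top of the ranking, in line with the “no shame” advice later in the post.

```python
from collections import defaultdict

# Constructed event weights (assumptions, not from the original post):
# finishing a course or reporting a simulated phish raises the score,
# an overdue course or clicking a simulated phish lowers it.
EVENT_WEIGHTS = {
    "course_completed": 10,
    "phish_reported": 5,
    "course_overdue": -5,
    "phish_clicked": -10,
}
MIN_SCORE, MAX_SCORE = 0, 100   # assumed bounds
STARTING_SCORE = 50             # assumed starting point for a new employee


def _clamp(value):
    return max(MIN_SCORE, min(MAX_SCORE, value))


def compute_scores(events, starting=STARTING_SCORE):
    """Fold a chronological list of (employee, event) tuples into a dict of
    per-employee scores, clamped to [MIN_SCORE, MAX_SCORE].

    Unknown event types count for zero instead of raising, so adding a new
    reporting channel (web form, email alias, chat) cannot break the job."""
    scores = defaultdict(lambda: starting)
    for employee, event in events:
        scores[employee] = _clamp(scores[employee] + EVENT_WEIGHTS.get(event, 0))
    return dict(scores)


def score_history(events, employee, starting=STARTING_SCORE):
    """Score trajectory for one person, so they can see their own progress
    over time (the 'see how it changes' point in the post)."""
    history = [starting]
    for who, event in events:
        if who == employee:
            history.append(_clamp(history[-1] + EVENT_WEIGHTS.get(event, 0)))
    return history


def leaderboard(scores, top_n=10):
    """Top-N only: highest score first, ties broken by name so the output is
    stable between runs. The bottom of the ranking is never returned, which
    keeps the leaderboard a celebration rather than a wall of shame."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


# Constructed sample events (not real data), in chronological order.
SAMPLE_EVENTS = [
    ("alice", "course_completed"),   # alice 60
    ("bob", "course_completed"),     # bob 60
    ("alice", "phish_reported"),     # alice 65
    ("bob", "phish_clicked"),        # bob 50
    ("carol", "course_overdue"),     # carol 45
    ("carol", "phish_reported"),     # carol 50
    ("alice", "course_completed"),   # alice 75
    ("dave", "phish_clicked"),       # dave 40
    ("dave", "phish_clicked"),       # dave 30
    ("alice", "unknown_event"),      # ignored, alice stays 75
]


if __name__ == "__main__":
    scores = compute_scores(SAMPLE_EVENTS)
    for rank, (name, score) in enumerate(leaderboard(scores, top_n=3), start=1):
        print(f"{rank}. {name}: {score}")
    print("dave over time:", score_history(SAMPLE_EVENTS, "dave"))
```

Running the block prints a three-row leaderboard (alice 75, then bob and carol tied at 50) and dave’s downward trend; the clamp keeps repeated misses from driving a score below zero.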
Do not promote an attitude of shame
Above all, regardless of what tools, communication channels and processes you put in place, your cybersecurity culture should make people feel comfortable coming to you and asking for help, as they would with a trusted advisor.
You earn this culture through positivity and education, not by forcing it through fear and shame.
We generally recommend not doing anything that publicly puts your employees on blast. When someone doesn’t understand a policy, doesn’t know a cybersecurity best practice, or falls for a phishing test, you need to avoid shaming and punitive language. Treat every moment like a learning opportunity, empathize with your people, and communicate in a constructive manner.
Instead, be honest with your programs—and try to have some fun with it. People will respect that you’re trying to protect them and empower them to protect themselves, but this will only be true with
You can catch more flies with honey (or better yet, maple syrup) than with vinegar.
Benefits of a strong cybersecurity culture
A strong and healthy cybersecurity culture is one where people are knowledgeable about cyber threats, are receptive to your technology and process designs, and feel empowered to change their behaviours to help protect themselves and others in your organization.
There are the obvious, surface-level benefits of a healthy cybersecurity culture, namely fewer incidents, lower phishing click rates, and less time spent restoring devices and services. All of this means time and money savings for your organization.
Those are reason enough to care about creating a strong culture, but there are also other, hidden benefits, like making it easier to roll out new technologies and processes, and having people proactively tell you when something doesn’t feel right, allowing you to act faster.
Employees are always going to be the final line of defence against a cyber-attack. A healthy, positive culture around cybersecurity means that they will be educated and empowered to act when they are presented with a situation that could compromise them and your organization.
Your people are the last line of defence against cyber threats.