Creating a cyber security culture within the workplace

Human error remains the leading cause of data breaches – and these breaches cause organisations a great deal of financial and reputational damage.

In a study published in the Journal of the Association for Information Systems, researchers noted the following:

“A leading cause of security breaches is a basic human vulnerability: our susceptibility to deception. Hackers exploit this vulnerability by sending phishing emails that induce users to click on malicious links that then download malware or trick the victim into revealing personal confidential information to the hacker.”

When it comes to improving your organisation’s ability to guard against cyber threats, the best defensive strategy is creating a cyber security culture in the workplace.

We have outlined the most effective ways organisations can create such a culture.

Start from the top

For your business to implement a robust security programme, it’s no good relying on the IT department alone – everyone from senior management down needs to be on board.

Senior management that treat cyber security as a high priority is on average more likely to say that its core staff take it seriously (88% versus 76% overall), according to the Cyber security breaches survey 2017.

Make cyber security everyone’s responsibility

Your cyber security strategy is only as strong as your weakest link.

Organisations need to make sure that every employee is aware of the potential threats they face, whether it’s a phishing email, sharing passwords or using an insecure network.

Reward and recognise

Recognising success is key to making employees feel valued.

When an employee spots an intrusion attempt and notifies IT right away, praise them through a public employee gathering or all-staff email.

Make security fun and engaging

Traditional training can often be boring. Organisations must engage staff, which means going beyond PowerPoint presentations and tick-box exercises.

“Security can be so much more than PowerPoints and videos”, says Samantha Davison, security programme manager at Uber.

“Pick a fun theme and parody it – we did Game of Thrones. Give gamification a try. Throw a phishing writing workshop and have your employees write a phishing email for the company. The options are endless when you start to think outside the box.”

Invest in a comprehensive staff awareness programme

When it comes to staff awareness, the ‘one-size-fits-all’ approach of standard staff training programmes aren’t appropriate for all organisations, and don’t take into account the diverse needs and unique cultures of different businesses.

Instead, research shows that traditional cyber security awareness measures can be greatly enhanced by a multi-faceted security programme delivered through different media, channels and formats.

IT Governance’s Security Awareness Programme creates a total culture change and tackles employee behaviour to generate tangible and lasting organisation-wide security awareness.


Break away from traditional awareness training and get the results you need. Find out more >>