author photo
By Shannon Flynn
Tue | Oct 11, 2022 | 10:14 AM PDT

Cybersecurity today is about more than just having the right technical defenses. More often than not, an organization's insiders are its most pressing vulnerability. This Cybersecurity Awareness Month, businesses should assess how they're fostering a culture of online security.

Cybercrime moves quickly, and as digital technologies play an increasingly central role in business, it will only grow. Amid this trend, security must be at the forefront of everything every employee does at the company. Creating that kind of culture is often easier said than done, but it's far from impossible.

Here's how organizations can create a cybersecurity culture from onboarding onward.

Ensure security from the start

Companies that hope to develop a culture of cybersecurity must enforce their efforts from the beginning. That means screening job applicants for potential security red flags and providing the necessary training as part of onboarding. It's easier to form good habits from the start than replace bad ones, so cybersecurity training must begin early.

Specific security protocols will vary by company, but a few common threats should appear in every company's onboarding training. Phishing is one such concept, as only 53% of employees in 2021 could correctly define it, down from 63% in 2020. Other things to go over during this time include strong password management, multi-factor authentication (MFA), and the risks of using personal devices on work networks.

Make security awareness training relevant

Many organizations understand the importance of regular cybersecurity training, but fewer know how to make it stick. One of the best approaches is ensuring the training is relevant to employees' daily workflows and their lives outside of work. People who can see how critical cybersecurity practices are in their personal lives will be more likely to make habits out of them.

Highlight how best security practices apply to work and home life. That should involve emphasizing statistics like how 36% of U.S. consumers have had their online accounts hacked at least once. This information highlights how data security has a personal impact, which is more likely to elicit action from employees.

Avoid ambiguity

IT leaders that train and retrain employees must remove ambiguity from the conversation. Just as a lack of clear strategy is the leading issue with cloud migration, cybersecurity cultures will struggle to thrive without clarity. People who don't know the specific threats they face and the specific steps to manage them are more likely to become complacent.

Assign everyone a clear and detailed role with defined responsibilities. It helps to encourage questions and ensure everyone understands how they fit into the larger culture of cybersecurity. Be sure to make updates as new threats emerge and company protocols change.

Go beyond Cybersecurity Awareness Month

October provides the perfect opportunity to refresh the cybersecurity conversation, but security refreshers should be more frequent than a once-a-year event. One firm found more than 10,000 new ransomware variants in the first half of 2022 alone. A company's security culture will fall flat without regular review and updated training.

Cybercrime's continually evolving nature aside, repetition is key to creating lasting security habits. Teams that only go over threats and best practices once a year will likely become complacent before the next year is up. By contrast, bi-monthly or even monthly refreshers will help make security second nature.

Make security a conversation

It's important to realize that cybersecurity has to be a discussion. If security is to be a culture and not just a set of rules to follow, employees must engage in it. That means fostering an environment where everyone feels comfortable asking questions and making suggestions.

Part of boosting engagement is rewarding employees for performing well, suggesting effective improvements or asking questions. Studies show that 63% of employees feel underappreciated daily, which motivates them to leave or not work as hard. By contrast, if they think their security input is welcome, they'll likely engage in the conversation more. Regular security-related polls, forums and newsletters can also help.

Modern businesses need a culture of cybersecurity

Many physically hazardous workplaces have succeeded in making safety a matter of culture, and cybersecurity should follow suit. As digital threats rise, IT security must be all employees' second nature.

Creating a cybersecurity culture starts with hiring but doesn't end there. It's an ongoing, dynamic and multisided process. Workplaces that can follow these steps and adapt them to their specific workforce and company culture can ensure their employees are a security asset, not a vulnerability.