Developing a Cybersecurity Culture in the Workplace

As we mention in our article about cybersecurity frameworks, everyday employees are frequent targets of cybercriminals, who use them to get around common and advanced security controls such as firewalls and intrusion detection systems. Because of this, it is important to think about the most effective ways to ensure that employees develop a thorough understanding of cybersecurity and of their role in protecting company assets.

Regardless of the quality or quantity of policies, procedures and technical controls in place, statistics show that a security breach is still likely to occur if employees are not properly trained on their role in cybersecurity. So how do you get your employees involved and interested in helping protect critical company assets? There is no foolproof methodology, but our experience with our clients has shown some common successful themes:

Ways to Engage Your Employees in a Cybersecurity Culture in the Workplace

  1. Tap Into Who Your Employees Are To Gain Ownership: Make security personal. Deep down, your employees are very concerned about their own personal identity and well-being; why shouldn’t they exercise the same care when it comes to their work identity or company information? Training employees on what they can do to protect their own information, and on how important it is, translates easily to the workplace. If you can get your employees interested in protecting themselves, their family and their own computer or device, that interest will carry over to your business. After all, anything that harms the business can ultimately harm them.
  2. Regularly Communicate Related Cybersecurity News: Be selective with cybersecurity-related news and communicate relevant, meaningful notes and stories to your employees early and often to ensure continued awareness. Showing them what can go wrong will make your employees think twice about what they do on a daily basis, and they will be less likely to repeat the mistakes of others.
  3. Develop Effective Awareness Material: Awareness material usually isn’t effective unless it is fun. We often encourage our clients to work with their marketing department to develop professional yet memorable training materials or posters tailored to their organization. Additionally, it’s always a good idea to include cybersecurity awareness material in the new-hire packet and within the IT policies that new hires acknowledge. This ensures that employees are trained on the topic from day one.
  4. Measure Awareness: Measure your cybersecurity awareness program by regularly testing your organization’s security posture and susceptibility to common attacks. For example, phishing is a very common attack that leads to the majority of breaches today. A phishing attack occurs when an employee is sent a misleading email that dupes them into clicking on a malicious link or revealing personal or confidential information, which an attacker can then use illicitly. We recommend running controlled phishing simulation assessments on a regular basis to train your employees to recognize phishing attacks. You can then track improvement or regression as your awareness program matures and, ultimately, measure its effectiveness.
  5. Act Upon Policy Violations and Reward Advocates: It is important to hold employees accountable for violations of company security policies, but it’s equally important to do so in a way that will not alienate those individuals. For example, treat a situation where someone has done something wrong as a “teachable moment” rather than an occasion for punishment. On the flip side, reward employees who take care to follow good security practices with a gift card or a certificate of achievement that they can display.

An organization’s greatest weakness can be an uneducated or unsympathetic employee who treats company data carelessly. Change the mindset at your organization and make your employees advocates for security.

Visit the Schneider Downs Our Thoughts On blog for more articles about cybersecurity and contact us with questions for our cybersecurity team.


© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
