How to build a cyber security culture and make it stick

By Benny Mansfield

Are you just box-ticking?

For many companies, cyber security awareness training involves an annual or six-monthly brief about best practices. Seen merely as a box to tick, this routine approach often fails to drive home the important role that employees play in defending your organisation against cyber related crime.

Luckily, there are far more effective ways to embed a cyber security culture that your people will truly live by once and for all.

Your most effective tool

A strong cyber security culture can be your most effective tool against cyber threats and by far the cheapest. Yet despite this, only 1 in 5 businesses in the UK have had staff receive or attend cyber security training or seminars (Cyber Security Breaches Survey 2018).

Add to this that a large proportion of cyber breaches involve an element of human error, such as following a link in a fraudulent email or accidentally downloading a virus. Cyber criminals are also deliberately targeting what tends to be the weakest link in an organisation: your users.

Culture’s the cure

Culture can be tricky to change. Leaving your cyber security culture to chance is a big no-no. It needs to be encouraged, nurtured and maintained.

If communications about cyber security are infrequent or simply pushed over to your IT team, how can you expect your staff to think any differently? Instead, communications should be regular and engaging if you ever want your people to take security seriously.

Below are some easy and cost-effective ideas for you to try. Do them right and you could gain something that’s sought after by IT managers all over the world: a cyber security culture that protects your organisation from the inside.

1. Involve everyone

From CEO to shop floor, getting everyone involved ensures that your people understand that they all play a part in keeping the organisation safe.

2. Educate

Unless your people understand how easy it is to open the door, how can they be expected to keep it closed? From phishing to social engineering, you’ll need to make sure all your bases are covered. If you don’t think you have the knowledge in house, then it’s definitely worth getting the experts in to help.

Also, think about how you’ll deliver the training. To some, the thought of learning about cyber security could seem overwhelming. Try breaking it down into smaller chunks, perhaps with a number of shorter workshops.

3. Recognise and reward good practice

Make sure you regularly monitor how your employees are progressing and reward best practice. You could carry out checks on basic security measures such as locking screens when not in use.

Consider how you could implement a reward scheme to encourage them further. Setting examples of great performance can make a huge difference to how the rest of your teams adopt this new approach to cyber security.

4. Reinforce and encourage

All good things take time. Decide what you’re going to do and say, and see what your people think. Gaining their buy-in from the beginning will make the task a whole lot easier. You will then need to give them time to adapt, and ensure your managers are actively encouraging best behaviour.

You may also want to add something to your employee handbook about cyber security and make it easily available to your staff.

Most importantly, keep learning as a business. Doing nothing is not enough to keep your business safe from both cyber criminals and human error!

For more advice, give us a call on 01284 700015 or email