How do people think about cybersecurity at your organisation? Is it seen as the IT department’s problem, or is it something that everyone feels responsible for? Do staff receive one security training session each year, or do they get frequent updates and reminders? These beliefs and behaviours comprise your security culture.

The culture that surrounds people’s approach to cyber security is very important. In and of itself, modern IT is very secure and, if configured correctly, is very hard for hackers to ‘break into’. This is why the vast majority of breaches arise from human error. A security conscious culture aims to avoid these sorts of mistakes by ensuring everyone knows how to behave.

Influencing an organisation’s culture is notoriously difficult, however. Simply telling people that you’d like them to follow safe technology practices isn’t going to cut it. Instead, businesses need to take a more comprehensive approach.

What is a cyber security conscious culture?

Culture can be defined as: “the way of life, especially the general customs and beliefs, of a particular group of people at a particular time”.

When it comes to the security culture of an organisation, we’re talking about values shared by everyone relating to how they are expected to use IT. For example:

  • Customs: In our organisation we always restrict forwarding access to emails sent outside of the business.
  • Beliefs and values: At our company everyone is responsible for checking if emails look suspicious.
  • Way of life: In our business, we all attend monthly cyberthreat training webinars.

Even in organisations which don’t explicitly think about these issues, a security culture exists. If individuals don’t feel security is their responsibility or don’t know how to follow the rules, this is still a security culture – but probably not a very healthy one!


Challenges of creating a security conscious culture

A security conscious organisation is one where everyone understands cyber security best practice and takes responsibility for their (and their colleagues’) behaviour. The problem is that this is easier said than done. Here are some of the reasons why:

  • Do as I say, not as I do: When business leaders don’t follow best practice, it’s unrealistic to expect anyone else to either.
  • Confusing tech speak: Many non-technical people still see cyber security and IT as ‘dark arts’ which are largely incomprehensible.
  • Practical obstacles: Even with the best will in the world, people may find it very difficult to comply with your security standards if the processes are complex and time-consuming.

Despite these obstacles, it is perfectly possible to introduce a security conscious culture. Let’s see how.

How to implement a security conscious culture at your organisation

Changing the culture of an organisation takes time – it’s not something that happens overnight. The following steps can help you to gradually implement a security conscious culture:

1. Analyse the current culture

How do people really perceive cybersecurity at your organisation? What are their behaviours around things like attaching files or assigning permissions? Are they aware of your protocols – and do they follow them?

There is really only one way to find out about the true security culture at your business – and that’s to talk to people. Conduct surveys and focus groups to get an understanding of people’s behaviour. You will then have a baseline to improve on.

2. Focus your messaging on the why

If you want staff to adopt secure behaviours it is essential to focus on the ‘why’ when talking to them. Explain the reason for your existing permissions system and try to explain exactly how it benefits the individual and the company as a whole.

3. Continual communications

Messaging around cyber security needs to be provided in easy-to-understand terms without any technical jargon. It should also be sent out regularly in different formats: posters, intranet messages, pop-ups and quick training videos.

4. Focus on the positives

Research shows that punishing people for cyber security mistakes may be counterproductive. While threats of firing people for breaking protocol will certainly be remembered, this does not necessarily motivate people to comply in the moment they receive a phishing email.

Instead, encourage people with positive social rewards. For example, the team that has sent the most people on security training courses should receive praise in companywide communications.

5. Lead from the top

As noted above, your company culture must be reinforced by the behaviours of senior executives.

6. Make compliance as easy as possible

Through your surveys and focus groups, you may have discovered various pinch points where people really struggle to comply with your security standards. If so, it’s important to rethink some of your processes so that people can follow best practice more easily.

What does your security culture look like?

By influencing the cyber security culture at your organisation, you stand to benefit from a reduced risk of breaches and their associated costs. But a positive security conscious culture will not emerge on its own: only by taking active steps to influence behaviour will you start to see more security conscious behaviour and fewer serious breaches at your company.

FITTS can support you with training and change management to foster a more security conscious culture. Contact us to learn how we can help.