
A guide to strengthening your organisation’s Security Culture

Once considered obscure terminology, words like malware, ransomware, phishing, business email compromise, vulnerabilities, exploits, and data breach have become chillingly commonplace in our daily discussions.

These are also some of the terms we see used in awareness campaigns, by the media, and by security vendors. The rapid digitisation of our lives has brought with it an ever-growing list of potential threats lurking in the shadows of our connected world.

Do you care about these terms? Despite their increasing relevance, the average person seems relatively indifferent to these digital threats.

Should we care? The answer is a resounding, "Yes!"

Here’s why:

It is not just about warding off a phantom menace looming on the internet. There are numerous reasons why we should care about these digital hazards, including:

  • Personal and Financial Safety: Cyber threats like ransomware, phishing, and identity theft can lead to significant financial loss and privacy breaches. Your personal information, including sensitive data like credit card details, social security numbers, and health records, can be exploited for fraudulent activities, sometimes without you even knowing until it is much too late.

  • Business Integrity and Continuity: For businesses, a cyberattack can lead to not only financial damage but also operational disruptions. A severe breach can halt business operations, leading to loss of revenue and customer trust.

  • Reputation Damage: Where a breach becomes public, it can severely damage the reputation of individuals or companies. For businesses, this can result in loss of customers, partners, and ultimately, revenue. In severe cases, this could lead to business insolvency: once trust is lost, it is a constant uphill battle to regain even some of it.

  • Regulatory Compliance: In many industries, there are laws and regulations requiring businesses to protect the data they hold such as the UK Data Protection Act, the EU ePrivacy Directive, the GDPR, and US HIPAA, COPPA, and CCPA. A breach could lead to legal consequences, including hefty fines and penalties.

Gone are the days when cybersecurity was just an IT problem; it is now a problem shared across all of society. As our lives become increasingly digitised, our vulnerability to digital threats grows. That's why it's important to be aware of cyber threats and take appropriate measures to protect against them.

Continuously Increase Knowledge: To paraphrase Francis Bacon, "knowledge is power," and nowhere is this more relevant than in cybersecurity. Ensuring your staff are equipped with the necessary knowledge can transform them from potential victims into empowered guardians of your organisation's cybersecurity. This proactive approach not only helps to secure your organisation but also enables individuals to protect themselves in the digital landscape, making cybersecurity a shared responsibility.

Too often, I hear that "staff can be our weakest link," but I'd argue that "staff can be our strongest defence." A team equipped with the right knowledge to identify and respond to suspicious requests can create formidable defence strategies, turning potential targets into active guardians of cybersecurity. Remember, this threat extends to everyone who interacts with your systems and services: employees, contractors, consultants, third parties, and more.

"But we have an array of tools and processes to protect us!" you may say. Yes, organisations are armed with an array of tools, processes, alerts, reports, specialists, and service providers, creating a robust defence system against cyber threats. However, it only takes one unsuspecting person clicking a deceptive link or opening a malicious attachment for a new, unknown threat to infiltrate. Technology alone is unable to protect organisations from every threat, although there are some who will still try to tell you otherwise. Knowledge is power.

Striking the Right Balance – Security vs. Usability: In our business world, striking the right balance between security and usability is critical. Overly complicated or disruptive security measures can lead to user frustration and even encourage individuals to find shortcuts that may inadvertently jeopardise the organisation's protective measures. While enhancing tools, minimising weaknesses, and improving visibility can certainly make attacks more difficult to execute, even the most advanced methodologies are not immune to exploitation by motivated and resourceful adversaries.

This delicate balance also underscores the importance of fostering a comprehensive security culture. Current awareness campaigns often overlook the necessity for individuals to understand and adopt secure behaviours in their personal digital spheres, not only at work. Without fostering a habit of considering security in all aspects of online activity, the effectiveness of these campaigns diminishes, resulting in potential setbacks to an organisation's security posture over time as individuals fall back into old habits.

Evolving a security culture, therefore, involves fundamentally changing how individuals perceive security. This shift should permeate every facet of their digital interactions, be it at work, at home, at an internet café, or even while vacationing on a beach.

To achieve this, it's paramount to tailor awareness initiatives to be personally relevant, helping individuals understand the threats they face while using everyday technology. By aiding them in forming their own security strategies that dovetail with their daily life, we foster a more resilient and inclusive security culture. We develop an unconscious and natural habit of secure behaviour.

What can we practically do?

The discussion so far underscores the critical role that every individual within or associated with our organisation plays in maintaining its cyber security. You might be wondering how organisations can empower their workforce with the right knowledge and foster a persistent security culture. Or to narrow it down, how do we encourage continuously reliable security practices?

Let’s start with the most obvious point - Crafting Effective Security Awareness Programs. Security awareness is more than a box to be ticked once a year with a quick course and a set of random questions.

This approach alone teaches individuals how to pass a test, with minimal or no behavioural change. Effective security awareness is an ongoing journey, a change of mindset.

Here are some practical strategies I have personally seen work well that can truly bolster your security culture:

Interactive Training:

To encourage the transformation of their security culture, organisations can deliver bite-sized, topic-based training modules that employees can complete at their own pace. Combining different teaching approaches – short videos, text, sample questions, match the phrase/description – can create engaging and effective learning experiences that sustain interest. Use real-world stories to illustrate the consequences of security breaches and bring it to life, such as how losing control of your personal email account can lead to identity theft, and possible financial losses.

Continuous Knowledge Assessment:

It is important to routinely validate individuals' understanding of security, rather than only at a single point in time. Regular, short quizzes that enable a personalised learning journey can help gauge individuals' continued understanding of security.

Use their answers to influence their learning journey: for example, if they do well on secure passwords but struggle to identify phishing emails, focus their learning further on the latter. This may change over time, so use each quiz as a chance to adjust their journey. Use these periodic quizzes to plot their awareness over time and consider trends that may mean you need to adjust your approach to training.

Phishing Awareness:

The 'bad guys' don't always need to be tech wizards to reel you in - phishing remains an alarmingly effective way for them to infiltrate. That's why it's crucial for everyone involved with your organisation to become adept at recognising these sneaky attempts at deception.

Think of phishing awareness training like swimming lessons. You start in the shallow end with easy-to-spot examples - perhaps a threatening 'Netflix account suspension' notice or a 'work password expiry' warning. Once everyone is comfortable paddling, it's time to dive deeper.

It's essential to remember, however, that this is about building confidence, not sowing fear or shame. Our goal is not to trick people into making mistakes but to cultivate 'Aha!' moments that contribute to learning. So, when someone takes the bait in a simulated phishing email, treat it as an opportunity for constructive feedback. After all, the journey to becoming a phishing guru is all about learning to navigate increasingly treacherous waters.

As the team grows more proficient, we can introduce more complex scenarios. We can also tailor the difficulty level to different groups, reflecting the particular challenges they face. For instance, a team that handles numerous emails daily or one that frequently receives unexpected attachments (like the Accounts Payable team) might need a different training approach. Instead of labelling someone as 'hopelessly lost at sea,' we should adapt our training to accommodate their unique role and environment. And remember, every 'wrong' click is just a stepping stone on the path to cyber resilience.

Security Culture Metrics:

Measuring an organisation's security culture may seem like trying to nail jelly to a wall - it's intangible and constantly shifting. But don't worry, there are ways to make sense of it all!

Think of it as checking the health of your organisation. Just like regular check-ups help you monitor your personal health, periodically taking the pulse of your security culture can reveal vital signs of your organisation's wellbeing.

There are plenty of studies on how to measure security culture, such as "Measuring the security culture in organisations" and "A systematic review of scales for measuring information security culture", but there are also some simpler approaches.

You could start with culture surveys. It's like asking your staff, "How are we doing?" Do they see security as an important issue? Do they feel there's a supportive, blame-free culture where everyone plays a part in security? Do they know how and when to report security incidents?

Next, consider the self-confidence in quiz responses. Just as a doctor tracks changes in vital signs over time, monitor the evolution of the confidence level in their responses. This can reveal growth areas and where more training is needed.

Lastly, look at the ratio of staff-reported incidents to those discovered by your security team, including reports from phishing simulation exercises. Think of these as an X-ray of your organisation's security reflexes. Are your staff identifying and reporting potential threats, or are security teams doing most of the detective work? This insight can guide where to focus awareness training.
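As an added example (not part of the original article), the following Python script turns two of the ideas above into numbers: steering a person's next modules towards the topics they scored weakest on in their latest quiz, tracking the per-topic trend across quiz rounds, and computing the staff-reported versus team-discovered ratio from a phishing simulation. All quiz scores, names and simulation outcomes are constructed sample data, and treating an unreported click as an incident "discovered by the security team" is an assumption made for this example.

```python
from statistics import mean

TOPICS = ("passwords", "phishing", "reporting")

# Constructed sample: quiz scores (0..1) per person per quarter, by topic.
QUIZ_RESULTS = [
    {"who": "alice", "period": "2024Q1", "passwords": 0.9, "phishing": 0.4, "reporting": 0.7},
    {"who": "alice", "period": "2024Q2", "passwords": 0.9, "phishing": 0.6, "reporting": 0.8},
    {"who": "bob",   "period": "2024Q1", "passwords": 0.5, "phishing": 0.8, "reporting": 0.6},
    {"who": "bob",   "period": "2024Q2", "passwords": 0.4, "phishing": 0.9, "reporting": 0.5},
]

# Constructed sample: one phishing simulation, one record per recipient.
SIMULATION = [
    {"who": "alice", "clicked": False, "reported": True},
    {"who": "bob",   "clicked": True,  "reported": False},
    {"who": "carol", "clicked": False, "reported": False},
    {"who": "dave",  "clicked": True,  "reported": True},
]


def focus_topics(who, results=QUIZ_RESULTS, threshold=0.7):
    """Topics to steer this person's next modules towards: those scored below
    the threshold in their most recent quiz (the 'adjust the journey' step)."""
    latest = max((r for r in results if r["who"] == who), key=lambda r: r["period"])
    return [t for t in TOPICS if latest[t] < threshold]


def topic_trend(results=QUIZ_RESULTS):
    """Change in the mean score per topic between the first and last quiz period.
    A negative value is a trend that may mean the training approach needs adjusting."""
    periods = sorted({r["period"] for r in results})
    first, last = periods[0], periods[-1]
    trend = {}
    for t in TOPICS:
        before = mean(r[t] for r in results if r["period"] == first)
        after = mean(r[t] for r in results if r["period"] == last)
        trend[t] = round(after - before, 2)
    return trend


def reporting_ratio(sim=SIMULATION):
    """Staff-reported count, count only the security team saw, and their ratio.
    Assumption: a click nobody reported is an incident the team discovered via
    the simulation tooling, not one the staff surfaced themselves."""
    reported = sum(1 for r in sim if r["reported"])
    discovered_only = sum(1 for r in sim if r["clicked"] and not r["reported"])
    return reported, discovered_only, round(reported / max(1, discovered_only), 2)
```

On the sample data, alice's journey narrows to phishing while bob's narrows to passwords and reporting, the phishing topic is trending up across the organisation, and staff reported twice as many simulated phishes as the team had to discover.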

Open Door Security Dialogue:

Creating a safe space for your team to air their security concerns is crucial. The security team are often viewed as some mystifying enclave practicing dark arts. But in reality, these are friendly folks who love to chat about security!

Here's a simple yet effective method that we have found works wonders across many companies: create a dedicated communication channel, similar to an open-door policy. It's like setting up a cosy campfire where everyone can gather to share their security stories.

Consider establishing an email address, something like 'AskSecurity@' followed by your company domain. Make sure everyone knows about it and encourage them to reach out with any questions or concerns, related to both their work and personal lives. This is not just about setting up an inbox; it's about inviting your staff to a conversation. Monitor this inbox closely and kindly respond to every query.

While you need to be cautious in how you answer some questions, this approach can spark a surge in staff engagement with security. Over time, this ongoing dialogue can build a sense of camaraderie that fosters a more robust security culture.

After all, in the world of cybersecurity, knowledge shared is a fortress strengthened.

Drop-in Sessions:

Consider running drop-in sessions at your office locations, delivering different topics relevant to your business.

There are many topics and references available, such as the NCSC infographics, to help build these sessions, and they provide two obvious benefits:

  1. Direct engagement with staff, building relationships and making the security team visible, and

  2. Providing advice and guidance, allowing staff to ask questions and get clarity.

The odd freebie or takeaway also helps gain traction; just make sure they carry your security brand, for example Ask Security, and the contact details.


Security awareness is not merely a half-hour lecture during onboarding. It's an ongoing dialogue that impacts every aspect of your staff's digital lives.

Bring the discussion to a personal level for your staff. Illuminate the shadowy corners of the risks they face, not just within the secure walls of your business, but beyond, in their personal cyber universe. Offer them comprehensive guides and FAQs that transcend the confines of your business environment.

Cultivate an environment where curiosity is not just welcomed but celebrated. Enable them to comfortably ask security questions, work-related or otherwise, to seasoned experts. As they delve deeper into the mysteries of cybersecurity, you'll witness a transformation: a bloom in their understanding and engagement, seeding a richer, stronger security culture.

Ultimately, in the landscape of digital security, each member of your team is a guardian. And as their knowledge expands, so does the fortress of your collective safety. Your people can be your strongest defence in the war against cyber threats.

If you're still struggling with how to get started, then talk to us: we offer a range of services around improving security awareness, and the platform from which to deliver it.

