Why It Takes More Than Phishing Tests To Build A Cyber Aware Culture
Posted: Friday, Aug 16


A strong cybersecurity posture is as much about culture as it is about technology. In the 2022-23 financial year, 78 per cent of Australian businesses offered annual cybersecurity training to their entire workforce; however, only 39 per cent of these businesses provided specialised training for privileged users who are authorised to perform security-relevant functions that ordinary users are not.(1) One common method of training for organisations to improve cyber awareness is conducting phishing tests to see how well employees spot fake emails that could lead to security problems. While they are a good start for organisations starting to build a cyber aware culture, these tests have their limits, and businesses need to invest in more robust training opportunities for the best chance of success.

Phishing tests only look at one kind of security threat. There’s a lot more to staying safe online, such as making sure passwords are strong and keeping harmful software away. Security risks change all the time, and what worked before might not work later, meaning that, just because someone passes a phishing test today, it doesn’t mean they are safe forever. Unfortunately, these tests don’t really show how deep a company’s culture of staying safe online goes.

Having a strong security culture means everyone thinks and acts in ways that keep information safe, not just identifying mock phishing emails on a test. There are five ways organisations can enhance their security culture:

Informed Leadership

Leadership is key to setting the tone for cybersecurity within an organisation. When leaders at the top level take cybersecurity seriously and make it a priority, it sends a clear message that security is important for everyone. This means leaders need to be visible in their support for security efforts, talk about it, and get involved. They also must ensure the organisation has the tools and training needed to stay safe.

Continuous Learning

Learning about cybersecurity isn’t something you do just once; it’s an ongoing process. To keep everyone across the latest trends and threats in the evolving threat landscape, organisations should offer regular training that’s both current and engaging. Mixing up the training formats with workshops, e-learning, and simulations can keep things interesting. It’s also important to listen to what employees have to say about these training sessions, so they can improve over time.

Policies and Teamwork

A strong security posture depends on interdepartmental collaboration and having clear policies in place. Security involves everyone, no matter their role, and clear guidelines help everyone understand what they should and shouldn’t do to keep things safe. Encouraging teams to work together on security efforts helps break down barriers and reinforces the idea that keeping the company safe is a team effort.

Personal Responsibility

Making cybersecurity personal can help make it a part of everyone’s daily routine. When employees feel empowered to take care of their digital safety at work and at home, they’re more likely to stay vigilant. Recognising and rewarding secure behaviours can also help make security a positive part of the company culture. And, when cybersecurity is connected to personal experiences, it feels more real and less like just another task.

Adaptability and Improvement

Cyber threats constantly evolve, and so should the approach to dealing with them. While it’s important to stay informed about the latest threats and trends, being flexible and ready to update policies and practices as needed is key. A culture of continuous improvement, where security measures are regularly reviewed and updated based on new information and feedback, ensures that defences stay strong against new and emerging threats.

Building a culture instilled with cybersecurity involves layers of strategies, awareness, and practices extending beyond simulated email attacks. It’s about creating a comprehensive approach to cybersecurity that encompasses everyone in the organisation, from the top executive to the newest hire. Partnering with a cybersecurity partner that aligns with an organisation’s security goals can also offer the expertise, tools, and support necessary to build a cyber aware culture. At the end of the day, making cybersecurity practices second nature in the workplace ensures we are all safer.

Reference:

1. https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/commonwealth-cyber-security-posture-2023

Jason Whyte
Jason is responsible for the overall business management of Trustwave in the Pacific. In his 25+ year career in information security, Jason has held senior leadership roles across multiple lines of business serving global enterprises and federal government with teams spanning the globe. He has been responsible for multi-million dollar businesses that have encompassed strategy and innovation, managed security services, professional services, advisory services, and the development of new solution offerings to address market demand for security specific requirements. He has held previous Asia Pacific leadership roles at Hewlett Packard Enterprise, Verizon, and more.