5 Steps to Create a Security Culture within your Organization

January 9, 2018 by Susan Morrow


We have a problem Houston...and its name is cybercrime. In 2017, we saw some of the biggest breaches of all time, including the Equifax breach, which left the company reeling from a 38% share price drop (1), and Verizon, where 14 million customer records were exposed. In the latest Ponemon Institute report, “Cost of Data Breach Study” (2), the average total cost of a breach was $3.62 million per organization. The report also went on to point out the far-reaching impact of a breach, such as the detection and remediation costs and time, as well as having to inform customers, with the knock-on effects of that on business reputation.

The Data Breach Investigation Report (DBIR) for 2017 (3) went into the detail of cybercrime and came out with some interesting information, including that over half of breaches involved malware and 66% of malware was installed from a malicious email attachment. Phishing remains, as ever, a popular choice for the cybercriminal, with 1 in 14 phished individuals falling for the trick. Phishing is successful because cybercriminals use our own behavior against us in a war of psychology. The report also pointed out that the password issue persists, as 80% of hacking is down to stolen or easily guessable passwords.

So, how do we stifle the march of the cybercriminal? We have to approach it from a technological perspective, but also from a human one. As stated, cybercriminals feed off our own behavior and use it against us. They trick us into performing actions which seem legitimate, but aren’t. It is this aspect that technological solutions cannot resolve, and which needs to be bolstered by addressing the human behavior side. This can be achieved by creating a ‘security culture’.

5 Ways To Create a Security Culture

So, just what is a security culture all about? In a nutshell, it is based on the adage “know thy enemy”. If you know what you are up against, you can put procedures in place to protect yourself. A security culture is one that incorporates everyone who is involved in an organization. This may well extend to business associates and, in some circumstances, customers; certainly, some aspects of a security culture can include customers. For example, educating customers about phishing emails can be seen as part of the overall culture of security your organization develops. A security culture is helped by the use of security awareness training (4) and a positive attitude, driven from the top down, towards embracing security. Below is a list of the top 5 areas that you need to consider when building a culture of security in your organization.

  1. Education, education, education. Knowledge is power, and education on cybercrime and typical attack scenarios is a crucial part of any security awareness training program. Security needs to be fostered and fed, and so the ethos of training should be built using a top-down approach. Management needs to be the advocate for the training, themselves taking part in its development as a company policy. The education around security needs to be extended to everyone who could pose a risk to your organization – this includes all staff, contractors, freelancers, consultants, third parties (such as suppliers), and even customers.
  2. Your company needs you! Security is everyone’s problem. Any one of us can become the weakest link in an organization's cybersecurity defenses: the finger that clicks on the malware package, the person who reveals their password to what seems like a legitimate site. A holistic view needs to be taken where everyone recognizes the part they play in the culture of the company and the impact they personally can have on security. Understanding security issues cuts across the entire organization, from having a clean-desk policy through to developers and DevOps understanding the importance of secure coding and security logs.
  3. Security bootcamp. Security awareness training and simulation exercises give the vital first-hand experience needed to learn and understand where the risks lie. A security bootcamp can be created that utilizes a mix of classroom-based formal training with real-life simulation exercises that train people to spot security problems. Security bootcamps should cover all aspects of security, from phishing and online security to desktop security to physical security. Phishing simulation should be done regularly, but also randomly, to create more natural scenarios. People are your best asset, and they can also be one of your greatest security assets.
  4. The rewards of a job well done. Security awareness training and the culture it instills are measurable. If you incorporate quizzes and other measurement activities, make them fun and offer rewards for a job well done. Create a system that rewards and encourages security best practices, but conversely, don’t use poor outcomes by an individual as grounds for punishment. Instead, focus on how to improve the program – after all, we are all different, and different styles of learning suit different types of people.
  5. Security mindfulness. Employees should feel empowered after receiving the training and knowledge to play their part in preventing a security breach. A security culture is a state of mind and, if done correctly, can become part of the way of life at an organization, sitting alongside the general day-to-day business. But it should always be remembered that a culture of security is an ongoing process. Cybercriminals rarely rest on their laurels; they develop new and more sophisticated techniques to trick us. All of the elements of a security culture need to be cultivated continually. Training should be regularly repeated, whilst keeping the random aspect of phishing simulations. Becoming security-mindful makes secure behavior the norm.

Making 2018 The Year Of Security Culture

It is likely that 2018 will see as many, if not more, cyber attacks against organizations of all sizes and types. Many of these attacks will begin with the manipulation of our own behavior by the cybercriminal. To address this, we must fight fire with fire and build defenses using our greatest asset – our people. A culture of security is about addressing insecure behavior and encouraging secure thinking. In doing so, you can build an encompassing ethos that will protect against some of the most common attack methods, like phishing, potentially saving your company money and reputation, and ensuring that compliance requirements are met.

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.