October 30, 2018

Five Ways to Develop a Cybersecurity Culture

by: Align

You're sorting through your emails at work and come across a message from your CEO, urgently asking for gift cards to be bought for customers. S/he states they are busy in meetings and tells you to send them the card numbers via email or text after they are physically bought at stores.

What do you do? 

Human error and cybersecurity attacks are inextricably linked. With a robust cybersecurity program in place at your company, cybersecurity education would equip you with the knowledge and tools to handle such a request.

You may be wondering, how does cybersecurity training help me order gifts for customers? It won't. What we're speaking to is empowering you with the cyber intelligence to identify and prevent scams, such as the CEO Fraud example used above.

According to the 2018 Chubb Cyber Risk Survey, only 33% of respondents said their company had implemented some type of annual security awareness training company-wide. To ensure you and your employees are making intelligent security decisions, it's critical that organizations build a cybersecurity culture. To help you in this transition, we've detailed five key ways to develop a culture of cybersecurity. 

1. Shifting Your Risk Mindset: The Human Element

The old risk mindset, in which cybersecurity falls on the shoulders of the IT department alone, does not translate to the digital era we live in today. C-suite executives must move away from this mentality and adopt a risk mindset in which threats are ubiquitous and the burden of carrying them cannot be assigned to one department.

According to the 2020 Verizon Data Breach Investigations Report (DBIR), 32% of data breaches were caused by internal employees for some industries. The study also reported that phishing attacks continue to dupe users and that employee error, such as not implementing access controls on databases, leads to increased vulnerabilities and data leaks. Phishing is a popular social engineering method in which cybercriminals send scam emails in an attempt to trick victims into providing credentials and sensitive business information.

Rethinking risk helps firms realize the opportunity in designing an efficient cybersecurity program that will please regulators, entice investors and empower employees. Company leadership must demonstrate complete buy-in to establishing cybersecurity as a top-line priority, and employees must get on board to build their familiarity with and understanding of these risks, how to address them and security best practices.

2. Inspire Ownership: The Onus is on All Employees

Across an organization, cybersecurity should be a shared responsibility. A firm's personnel (its employees, consultants, contractors and other agents) must understand how significant cybersecurity is to your bottom line and reputation. Furthermore, they should serve as the organization's first line of defense against cyber threats.

But how does an organization inspire employees to take ownership of security?

  • Share the Bigger Vision: Transparent communication company-wide is critical to building a foundation of trust and clarity. Define the bigger picture of the organization's objective and how creating a culture of cybersecurity fits into that goal. 
  • Explain the Why: Consider hosting a company-wide meeting at your corporate headquarters and stream the event live to other branches. Meeting topics should detail the vision, the why, methods, goals, next steps and other matters related to security training and fortifying a cybersecurity culture. 
  • Foster Collaboration: Involve employees in the conversation. Welcome their suggestions and insights. Perhaps create a security forum inviting employees to share their knowledge and ideas.

3. Instill Awareness and Cybersecurity Intelligence Through Robust Tools

With fully integrated security awareness training, companies can empower their staff with the necessary tools to identify risks and escalate alerts to the appropriate departments. Security awareness training can be delivered through various means, including, but not limited to:

  • Discussion forums
  • Online gaming
  • In-person training
  • Mock phishing exams

Just as a football team's defense needs to train and receive updates on the latest playbooks to advance its skills, employees and faculty members also need to be refreshed and educated on threats, nascent risks, mitigation and remediation. After all, a company that works together to protect data and prevent data breaches is much stronger than a siloed approach to cybersecurity. 

4. Performance Reporting to Hone Skills

Staff should be tested with simulated phishing campaigns, and their performance must be evaluated and reported on. Based on reporting metrics, companies should offer to reeducate those employees who require additional training. When evaluating cybersecurity solutions, consider an IT partner that provides on-demand, interactive employee education modules to engage users and ensure accessibility.

Enhancing cybersecurity skills and infusing secure behavior helps mitigate the risk of a data breach or other cybersecurity-related incident, protects sensitive business information and safeguards customers' data. 

5. Celebrate Success

Organizations should seek opportunities to recognize employees that successfully complete mandatory training.

  • Consider supplying tickets to sports games, allocating funds for company outings or implementing a rewards program.
  • Provide opportunities for continued education and advancement for employees with an expressed interest in security.
  • Take the time to acknowledge staff one-on-one. Express your appreciation for their commitment and offer the reward of progressing their professional development with additional responsibility. 

All of these concepts further reinforce your company's commitment to security excellence and to fostering a culture of cybersecurity.

To keep pace with the evolving threat and regulatory landscapes, firms need to grow and strengthen their approach to cybersecurity risk management. The following are some key takeaways for developing a culture of cybersecurity: 

    • Clear communication and a commitment to cybersecurity from the top down are essential to building the first line of defense.
    • Transparency, outlining objectives and sharing the bigger vision are key elements to inspiring employees to take security ownership. 
    • Encouraging secure behavior through cybersecurity education is crucial to creating a culture of cybersecurity.
    • To build a sustainable cybersecurity culture, all employees must be all in, and training should be mandated company-wide.

Align Cybersecurity, Align's comprehensive risk management solution, offers engaging, advanced security awareness training, in addition to custom “white-glove” in-person training, mock cybersecurity exams and reporting on education, retention and employee performance relating to cybersecurity risk.
