11 Tips for Leading Cyber Secure Cultural Change in the Workplace

25th October 2022

What’s the best cyber security asset that an organisation can have at its disposal? A top of the range next-gen firewall? The latest endpoint protection? Robust managed security?

All are great answers, but there’s one thing that beats them to the top spot: the best cyber security asset is a cyber-aware workforce – something that only comes with a proactive, cultural approach to security.

Don’t get us wrong, the latest security widgets are a worthwhile investment. But as long as social engineering continues to be the ever-present threat that it is, your staff are always going to be your most vulnerable attack surface.

Embedding good cyber habits is much more complex than providing a simple list of “dos and don’ts” (though cheat sheets are useful). Thorough cyber-awareness requires a cultural shift in order to operate on “autopilot”.

So, let’s explore a few ways that you can lead this cultural change within your organisation.

Communicate The Risks… and What’s at Stake

When leading the charge for cultural change within a business, outright ordering people to toe a new and alien line is never going to yield good results. When people feel they’re being browbeaten into doing something without sound reasoning, they feel put upon, dictated to, and ultimately resentful.

The best cultural change is communicated with sound reasoning. People need to understand why you’re asking them to change. When they know what risks are out there and the kinds of losses that are at stake, they’re more likely to grasp the importance of cyber-culture-change.

Stakes shouldn’t just be communicated as a loss to the company either. Cyber incidents can impact staff too: they can massively dent morale; they can reveal sensitive employee information; and the costs of an incident can even result in rationalisation of jobs.

That said, try not to scare employees into toeing the line either. Get them to understand that cyber-aware cultural change is in everyone’s best interests.

Explain the Limitations of Your Security Platform

Cyber security tools are excellent preventative measures and no organisation should be without them. But know that they are fallible. Social engineering is a massive issue at the moment, and even the most well-defended networks can fall victim because a human operative innocently skirted defences, “letting the vulnerability in”.

Start by working with your IT provider (or a trustworthy third party) to understand the levels of security that your current solutions provide and seek to understand their limitations. Communicate these limitations to your team so they know a) where your cyber protections start and end, and b) that cyber security measures aren’t some miraculous cure-all!

You could even include some knowledge of your cyber defences in your cyber training: informing your team of what sorts of cyber protections you have in place, what these protections can do, and where to exercise extra caution.

However, don’t give your non-tech teams the total ins and outs of your cyber stack. A disgruntled (or otherwise loose-lipped) employee could easily share this information around outside of your organisation – and that information could end up in the wrong hands.

Lead Cyber-Culture From the Top

Nobody likes a system where there’s “one rule for us and another for those in positions of power,” and crafting new workplace culture is no exception.

Effectively embedded cultural change comes when leaders are demonstrably doing it first. It shows the cultural change to be a great leveller: everyone follows the same rules in the same way, and everyone is held to the same account when things go wrong.

When leaders lead by example, everyone else is more likely to abide by the rules. However, embedding a positive cyber culture in your top leaders has another, just as important, effect.

Criminals tend to go after the most valuable data, resources, and budgets – all things that top bosses generally have more readily to hand. Any company’s leaders are therefore valuable targets for cybercrime, especially when it comes to precision social engineering tactics like spear phishing and whaling. However, top execs are less likely to practise good cyber hygiene on the whole. 76% of CEOs admit to bypassing security to get something done faster – yikes!

Yet when everyone’s abiding by the same culturally embedded, soundly reasoned cyber habits, everyone stands to gain.

Apply Security Consistently Throughout

To continue our point around cyber-cultural inequality – be it perceived or actual – leave no stone unturned when it comes to applying security consistently, company-wide.

For example, if all of your on-prem team have to use RFID cards to access your premises or certain rooms, ensure that authorised third parties like cleaners and handy-people also have RFID cards to access those rooms. Or if all of your office teams have to use MFA to access a certain tool, make sure that all departments and levels of seniority have to do the same.

Nobody should be considered “above” or “below” the scrutiny of cybersecurity – yes, that includes the above 76% of CEOs!

Invest in Cyber Security Awareness Training

Cyber awareness training is a must nowadays, regardless of your organisation’s size or sector. Though there are countless resources online about how to stay safe, there’s nothing quite like a workshop environment, led by experts, where people can interact and ask their own questions.

But cyber security training shouldn’t be a one-off affair. Some basic cyber training should be included in any new team onboarding (including temps and contingent staff) and training events should be run between 2 and 4 times a year to keep everyone’s cybercrime-fighting tools sharp.

These skills can further be honed outside of the training room with phishing simulation tools like PhishAware and occasional quizzes and reviews.

Encourage Constructive, No-Blame Reporting

Sometimes, when a cyber incident takes place and someone’s at fault, bosses tend to really rake that person over the coals. And we understand; nobody wants to find themselves on the receiving end of a cyber-crisis. But responding to honest mistakes with draconian action only serves to scare others into silence when something does happen – and can even weaponise incident disclosure between team members who may be at loggerheads.

However, no-blame doesn’t mean no accountability. The person(s) who slipped up should be fast-tracked towards further training, focused on the mistakes they made. They should be encouraged to thoroughly understand their error (and its consequences) so they can improve.

This shouldn’t feel punitive in any way. The aim here is to foster understanding rather than to mete out punishment. And the more in-depth information someone has about a certain threat or course of action, the more they are likely to share that information with others in future.

Have a Protocol for Every Cyber Incident

What are you going to do when ransomware hits? When a data breach happens? When a persistent threat rears its ugly head? How should your team respond when they receive a phishing email? Do you know? If not, it’s time to think about putting together a disaster recovery plan.

A disaster recovery plan is basically a document that establishes a plan of action for every kind of cyber incident, so you’re not running around in headless chicken mode when the worst happens. And when your team have documented steps to follow, they are less likely to panic and blag their own solutions that may make the situation worse.

This plan should include how to identify a threat/incident, how to report it, what to do to solve it, who needs to be involved, and how to check that the coast is clear. It all sounds so simple when put like that!

Reward Good Cyber Habits

Just because we’ve thrown out the punishing stick, that doesn’t mean we have to get rid of the rewarding carrot too.

Think of cost-effective ways you can give a “bounty” to team members who spot and appropriately report cyber infractions. This is most easily achieved with phishing attempts – provide a small reward to those who respond correctly to a simulated phishing email, potentially giving out a larger reward if they tip you off to a real phishing attempt.

This may not be very cost effective if you have to deal with loads of fraudulent emails every day. In this case, consider a leaderboard with 1st, 2nd, and 3rd place prizes every month or every quarter.

Gamifying the right response and rewarding it with something tempting will likely get your team examining unexpected emails very closely! However, the money, time, and effort costs will need to be considered when crafting any kind of reward scheme.

You could even incorporate evaluation of cyber secure practices into annual employee reviews – as long as you can do so fairly.

Consider Industry-Relevant Cyber Knowledge and Guidance

We all need to keep an ear to the ground for the latest cybersecurity advice. But some organisations will need to be particularly switched on around threats that are relevant to their industry.

For example, we’ve all received phony emails claiming to be from HMRC or from other Gov.uk services, but companies like accountants, tax advisors, and financial advisors will need to pay extra care around any email communications claiming to be from these parties as their clients’ data may be at stake.

To give another example, companies with ecommerce websites will need to pay special attention to emails that purport to be security alerts from the likes of WordPress, Shopify, or their web host.

Remember that criminals are getting smarter. They may know more about your company’s workings and offerings than you think – and they can use that knowledge to trick you.

Encourage Employees to Get a Second Opinion on Suspicious Emails

We’ve all received emails that look genuine at first glance, but something just feels off. Don’t let your team feel that they have to rely on their own knowledge – and their own gut – to discern whether an email is dodgy or not.

Normalise getting a second opinion about suspect emails from those around you, whether it’s asking your desk-neighbour for their input or sharing a screenshot with an internal group on Slack or Teams. In fact, if your team are already au fait with collaborative tools like these, you could set up a new channel dedicated to phish-hunting!

Getting everyone involved and pooling their knowledge like this can even build a bit of camaraderie around spotting phishing attempts and scams, in turn building a community around your new cyber-aware culture. By sharing suspicious emails around, everyone gets more exposure to what makes a phony email, further adding to their lived experience of phish-fighting!

Carry Out Occasional Cyber-Incident Fire Drills

It’s likely that you’ve had your work interrupted by multiple fire drills in your working life. However, fire isn’t the only crisis that can tear through your organisation; cyber attacks can too. Therefore, “cyber drills” should become equally commonplace.

This can be as simple as a hypothetical boardroom exercise where you kick things off with something like “let’s say I clicked on an email that let ransomware into the network”. You can then check how well people follow your documented incident protocols – they may even uncover potential wrinkles in your plans!

You could alternatively go through the motions with each individual, checking they know what they have to do in a given situation.

However you decide to go about these drills is up to you, but consider them to be just as important as physical evacuation drills. Make sure you get everyone involved equally, regardless of department or seniority. This will further reinforce the idea that security is everyone’s responsibility. Just as a fire could equally impact everyone, so could a cyber attack.

Cultural change of any kind can feel like hard work. Need a security consultant to help you lead meaningful, security-conscious change?

You’re in safe hands with our cyber security team