How to Build a Cybersecurity Culture

The threat of a cyberattack is a growing concern for companies across the globe, as cybercrime damage is expected to be $6 trillion annually across the globe by 2021, up from $3 trillion in 2015. In fact, 87 percent of respondents to a recent survey of more than 1,200 companies worldwide indicated that they need up to a 50 percent increase in their cybersecurity budget, and 89 percent of respondents indicated that their existing cybersecurity function doesn’t meet their needs. As a result of this:

– Global cybersecurity spending is expected to exceed over $1 trillion from 2017 through 2021 ($93B in 2018).
– External cybersecurity spending is expected to be $18.5 billion in 2018, up 11 percent from 2017.

As companies make investments to mitigate cybersecurity risk, it’s important to focus on the solutions with the highest impact. While it’s common to invest in the technologies that protect our computer systems from theft or damage to their hardware, software, or electronic data, human error is actually responsible for the majority of security breaches. In fact, the research team at IBM and the Cyber Security Intelligence Index estimates that number to be as high as 95 percent.

These human factors may include, but are not limited to, phishing attempts, poor passwords, malicious attacks from employees, and improper reporting of a threat. It’s imperative to consider these people-related risks when building and sustaining a robust cybersecurity program.

Building a Cybersecurity Culture

Establishing a strong cybersecurity culture within your company is a great way to address the non-technological side of data risk – addressing the knowledge, perceptions, assumptions, norms, and values of your employees so that cybersecurity best practices are deeply embedded in their behavior.

Sophisticated policies and cutting-edge security technology can be great assets, but they cannot fully protect your company if they are not correctly utilized. Inspiring employees to internalize security as a vital part of their job is instrumental in fostering security-minded habits and decision making.

According to a 2017 cybersecurity culture report “Indepth Insights into the Human Factor,” by cybersecurity culture expert Kai Roer, elements of cybersecurity culture that may actually be more important than the quality of IT solutions for keeping an organization safe from attacks include:

1. What employees think about taking care of sensitive information.
2. How employees perceive their role in organizational security.
3. Awareness of communication channels for reporting problems.
4. Employee awareness and adherence to organizational policies regarding security.
5. What employees know about security-related issues.
6. How employees see actions of others and are subject to peer-influence.
7. What actions employees themselves perform.

Empowering employees to take ownership of protecting valuable company data can significantly reduce their risk of being breached. You may have already found value in starting with improving one specific behavior, such as an employee’s likelihood to click on phishing emails. Taking a longer-term and more strategic view of the problem, you may want to think more deeply about transforming the culture of your organization as it applies to cybersecurity. This will require focused planning and effort, with engagement from the top down.

Contact me at [email protected] or (215) 901-0523 if you would like to discuss how best to begin planning and shaping the way your employees think and act when sensitive data is at stake.

Michael Padgeon, Senior Consultant



Change Management Done Right
Complete the form below to access the webinar recording and supplemental materials - courtesy of Navigate.
Your Information will never be shared with any third party.