How to Build a Security Culture Within Your Organization

Posted by Sam Fellerer - February 09, 2021


Security is a continuous process that involves everyone in your organization, and your security training should reflect that. You’ve probably seen news headlines for major hacks of government agencies and large corporations. Some breaches involve sophisticated attackers using novel techniques that are difficult to predict or defend against. But a far more common cause of breaches is one that starts innocently enough - simple user error.

In fact, an analysis of data from the UK Information Commissioner’s Office found that 90% of reported security breaches in 2019 were caused by user error. This points to a clear need for security awareness and training for anyone who uses technology in your organization. But just how do you help your employees be mindful of security each and every day? We have a few ideas for you to consider!


Security: It’s Not Just For IT

A common misconception in a lot of organizations is that only your IT department needs to worry about security. Although IT should take the lead, the reality is that security is everyone’s responsibility. You may have experienced a disconnect between your IT/security team and the day-to-day operations of your organization (we certainly have once or twice).

An example of this might be using a file sharing program to transfer documentation internally and even externally. There’s a huge variety of file sharing programs out there, and IT departments put a lot of effort into choosing one that meets the security, logging, and backup requirements of your organization. But if people in your organization don’t understand the reasons behind choosing a particular program, they might just use whatever program is most familiar to them instead. This can lead to several different programs being used, which could lead to leaks of confidential information, data loss, or other not-so-stellar results.

By helping everyone understand the “why” of security and security training, your organization will have more people looking out for potential problems. Take, for example, the dreaded phishing email. If someone in your organization receives a suspicious email but doesn’t feel like it’s their responsibility, they may just delete it and move on (in the best case). In the worst case, they could fall for the trick and expose your organization to substantial risk. But if they have the training to recognize a phishing attempt, and feel empowered to raise the alarm, they can alert the IT department. Once IT knows about the issue, they can add that sender to a blocklist and let the rest of your organization know to be on the lookout for similar emails. So don’t just let IT handle security. Instead, build a culture of security that everyone in your organization participates in.


Make Security Training Short, Sweet, and Personal

Security isn’t something you do once a year and then you’re done. Security is something you have to do every day throughout the year, and you should schedule your security training to match that. It might be tempting to purchase a security training course and have your organization slog through several hours of content all at once. The unfortunate reality of this approach is that your learners won’t absorb all this information in the short term, much less retain it for a full year.

When Reflection Software first started offering security training to our employees, we tried this approach, and didn’t have the best results. When it came time to schedule security training again, we took a different approach, assigning smaller chunks of training throughout the year. This way, security practices are always top of mind. We also make an effort to offer training that our employees can apply in their personal lives, or relate our training to current events. For example, we offered information on securing home networks in response to our employees working remotely during the pandemic.

Another advantage of spacing out your training is that it allows your organization to be more flexible and to react better to trends through a “just in time” approach. The cyber-threat landscape is continuously changing. Your training should be regularly evaluated and updated to reflect that.

Get Everyone Involved in Security

If you’ve mostly left security to your IT department until now, start thinking about how to involve the rest of your organization. If you make your security training continuous, relevant, and engaging, your organization can build a culture of security. Work with your IT/Security team to involve everyone in keeping your workplace safe.

Need some help developing a training plan for your organization? Let us know! We’re happy to answer questions, and if you need more support, our team of instructional designers, developers, and artists is at the ready.
