Building a Cyber Aware Company Culture

The weakest link in a company's security is, without a doubt, the human element. Cyber criminals know this and are exploiting it with targeted attacks more than ever. A recent study found that 91% of cyber-attacks, and the data breaches that follow, begin with a spear-phishing email as the point of entry. Yes, you should have the most effective security technology in place, but ultimately the most powerful way to keep your organization protected is to build a culture of security. Weaving cyber awareness into your company culture may seem like a major undertaking, especially if you are starting from square one, but it doesn't have to be. Small incremental changes quickly build on one another, turning your team from the weakest link into a first line of defense, and that makes a big difference to your security posture.


It all begins with strong leadership. Promoting security culture from the top down is the best way to encourage adoption. If your employees don't feel that leadership genuinely believes in the importance of security, they sure as hell won't make it a priority either. Security is also not just an "IT issue", and overcoming that mindset will be critical to the transformation. First identify your risk tolerance so that you can set clear expectations about employee behavior. Then educate your staff on what cybercrime actually looks like (for example, what a spear-phishing email is designed to do) so they understand how important a role they play in keeping the company secure.


There are two crucial elements to a security focused company culture.

  1. Security Policies:  These policies should be a "living document", never finished and continually updated as technology and the threat landscape evolve. They should be strong, clear, and consistently enforced. Areas to cover: Internet Activity | Workstation Security | Data Handling. For more detailed information on these three areas, read 3 Security Policies You NEED in your Company Handbook
  2. Security Awareness Training:  Once-a-year security training will simply not cut it. Training needs to be ongoing throughout the year to keep employees motivated and constantly vigilant. When you think of "training materials" you probably envision boring PowerPoint slides or brochures, and many of the materials out there are indeed boring and ineffective. I recommend implementing a training program that is simple and encourages engagement. Making training "fun" may feel a bit quirky, but I can assure you it is well worth it.

A few rules to help you stay on track…

Do:

  • Help employees understand their role in the first line of defense
  • Set company-wide goals
  • Encourage employees to work together to avoid security incidents
  • Expect mistakes along the way

Don't:

  • Punish errors (retraining and positive reinforcement are much more effective, and punishment only discourages people from reporting the mistakes you need to hear about)
  • Rely on annual training alone
  • View security as only an "IT issue"