AllBusiness.com

    How to Foster a Positive Culture of Cybersecurity

    By Brett Farmiloe

    In the digital age, fostering a culture of cybersecurity awareness is paramount for businesses of all sizes. We've gathered insights from CEOs and IT experts on the unique initiatives they've implemented to encourage proactive engagement in security practices among their teams, from regular cybersecurity training to managed detection and response (MDR) solutions.

    How to foster a culture of cybersecurity among employees

    1. Offer regular cybersecurity training sessions and workshops

    "Our business has implemented regular cybersecurity training sessions and workshops. These sessions cover a range of topics, including best practices for password management, recognizing phishing attempts, safeguarding sensitive data, and understanding the latest cybersecurity threats and trends. By providing employees with ongoing education and training opportunities, we empower them with the knowledge and skills needed to identify and mitigate cybersecurity risks effectively.

    "To encourage proactive engagement in security practices, we utilize gamification and incentives to incentivize participation and adherence to security protocols. For example, we organize interactive cybersecurity challenges or quizzes where employees can test their knowledge and compete with colleagues. Recognizing and rewarding employees who demonstrate exemplary cybersecurity practices, such as reporting suspicious emails or completing training modules ahead of schedule, further reinforces the importance of cybersecurity and encourages proactive engagement across the organization.

    "Additionally, we cultivate a culture of open communication and collaboration, where employees feel comfortable raising concerns or reporting potential security incidents without fear of judgment or repercussion. By fostering a supportive environment where cybersecurity is everyone's responsibility, we empower employees to actively contribute to the organization's cybersecurity posture and collectively defend against cyber threats. Regular communication channels, such as internal newsletters, email updates, or dedicated Slack channels, also facilitate ongoing dialogue and awareness around cybersecurity topics, keeping security top-of-mind for employees in their day-to-day activities.

    "Overall, by implementing regular training sessions, leveraging gamification and incentives, and fostering a culture of open communication and collaboration, we promote a proactive approach to cybersecurity among employees. By empowering employees to be vigilant and proactive in their security practices, we enhance our overall cybersecurity resilience and minimize the risk of cyber threats impacting our organization."
    —Steve Neher, Mail King USA

    2. Host an IT security boot camp with gamified learning

    "We recognized early on that fostering a culture of cybersecurity awareness among our employees is crucial, especially given the rapid pace of technological change and the increasing sophistication of cyber threats. We initiated an 'IT Security Boot Camp'—a week-long immersive experience designed to bring all employees up to speed on the latest threats, defense mechanisms, and best practices in cybersecurity.

    "This boot camp combines theoretical learning with practical, hands-on sessions where employees can experience real-time attacks in a controlled environment, learning to respond effectively. We've employed gamification techniques to make the learning process engaging, with employees completing daily challenges and earning badges for their achievements. This not only makes the initiative fun, but also cultivates a sense of healthy competition and camaraderie among our teams.

    "To maintain engagement and encourage proactive security practices post-boot camp, we've implemented a monthly cybersecurity newsletter featuring a mix of insights, updates, and quizzes. Employees who score highest on quizzes or contribute useful security tips are recognized in an annual ceremony, receiving awards that underscore their contribution to our collective cybersecurity posture.

    "Through these initiatives, we've witnessed a significant increase in our team's ability to identify and thwart potential cyber threats, demonstrating the effectiveness of integrating comprehensive education with engaging, practical experiences in building a strong culture of cybersecurity awareness."
    —Remon Elsayea, Techtrone

    3. Hold monthly workshops and phishing simulations

    "Our cybersecurity awareness program is one of our proudest initiatives. We hold monthly workshops and conduct phishing simulations regularly. A well-informed team is a safer team. That's why our workshops focus on the most up-to-date security threats and best practices designed to address the unique challenges of global messaging.

    "We've also gamified our learning experience to encourage proactive engagement. Employees can earn rewards for flagging phishing attempts and applying security best practices to workflows. This approach has helped create a culture where safety is everyone's responsibility, significantly decreasing successful phishing attacks amongst our employees. An example is when one of our team members detected a sophisticated phishing attack that attempted to imitate our internal communications. The team member's vigilance saved us from a potential breach, demonstrating the value of our active education efforts.

    "As CEO, I aim to set an example, stay up-to-date on the latest cybersecurity best practices, and create a culture of continual learning and awareness within our organization. This level of security safeguards our business processes and builds trust with the businesses and clients we serve."
    —Uku Tomikas, Messente

    4. Show engaging cybersecurity videos

    "Instead of annual training sessions, we've created impactful 15-minute video content on cybersecurity topics. We found the videos to be more digestible and easily absorbed. We then recap the key takeaways in the last slide in three bullet points, e.g., create a strong password, recognize social engineering tactics, and prevent unintentional data breaches.

    "After the training, we use social engineering simulations to test employees' understanding. The simulation increases the effectiveness of our training and helps us understand the areas of improvement. For employees who fall prey to the simulations, we follow up with appropriate corrective measures and reinforce the lessons."
    —Serhii Antoniuk, LITSLINK

    5. Adopt the principle of least privilege

    "One key initiative we've taken to promote cybersecurity awareness is implementing the principle of least privilege. This means ensuring that each employee has access only to the resources necessary for their role, reducing the risk of unauthorized access and educating them on the importance of that. We've also enhanced our email security measures to include features like impersonation detection, attachment scanning for malicious content, and rigorous spam filtering.

    "We continuously educate our employees about recognizing phishing attempts and other forms of cyber threats. Over 90% of all cyberattacks occur due to phishing, and we've emphasized the importance of verifying the source of emails before opening attachments or clicking on links. By combining these efforts, we've created a culture of cybersecurity awareness where employees are proactive in protecting our organization."
    —Dana Majid, PCE Inc.

    6. Hold cybersecurity awareness contests

    "In our journey to weave cybersecurity into the fabric of our sportswear business, we've initiated cybersecurity awareness contests. It's a unique approach that's transformed what could be mundane security training into engaging, competitive events. I kicked off the first contest by sharing a story of how a simple, overlooked email led to a minor security scare in our early days. This highlighted the importance of vigilance and made the experience relatable.

    "We award prizes to employees who identify security threats in simulated scenarios, encouraging everyone to think like a cybersecurity expert. This initiative has sparked a proactive culture in security practices, making our team more aware and prepared than ever."
    —Jay Barton, ASRV

    7. Host ongoing security showdown competitions

    "In our quest to weave cybersecurity into our corporate fabric, we introduced 'security showdowns'—monthly, interactive sessions where teams compete in identifying potential security flaws in our systems and processes. These friendly competitions foster a proactive security mindset and highlight the importance of vigilance in everyday tasks.

    "By rewarding the winners with perks, such as extra vacation time or tech upgrades, we've seen a remarkable increase in engagement and innovative thinking around cybersecurity, turning a critical responsibility into a team sport."
    —Daniel Lynch, Empathy First Media

    8. Recognize a monthly "Cybersecurity Champion"

    "One innovative initiative we've embarked on to enhance cybersecurity awareness is the implementation of a monthly 'Cybersecurity Champion' program. In this program, employees are encouraged to present new cybersecurity threats or share insights on best practices in a company-wide meeting. The individual or team that contributes the most valuable insight each month is recognized as the 'Cybersecurity Champion' and is awarded perks such as extra paid time off, gift vouchers, or sponsorship for cybersecurity courses.

    "This initiative not only motivates our team to stay abreast of the latest cybersecurity trends and threats, but also fosters a culture of continuous learning and vigilance. Encouraging this proactive engagement has significantly boosted our collective defense against cyber threats, making cybersecurity an integral part of our corporate identity."
    —Amit Doshi, MyTurn

    9. Simulate phishing campaigns with interactive training

    "One initiative we've implemented is a simulated phishing campaign, coupled with interactive training modules. This approach helps employees understand the importance of cybersecurity. We ran a fake email test, sending out emails that looked like real phishing attempts to see if anyone would click on the links inside. If they did, instead of going to a dangerous website, they were taken to a short, fun training session. There, we taught them how to spot fake emails and stay safe online.

    "For example, let's say we sent an email that looked like it was from the company asking for login information. If someone clicked on the link, they'd be directed to the training session. This helped us to understand the increase in the number of people who could spot fake emails by 37%. This initiative not only raised awareness about cybersecurity risks, but also empowered employees to actively participate in safeguarding company data.

    "To encourage proactive engagement in security practices, we regularly circulate tips, updates, and success stories, recognizing and rewarding employees who demonstrated exemplary cybersecurity behavior. We make sure to consistently educate our employees about cybersecurity and praise them for their efforts. This has created a strong commitment across the company to keep our information safe. We want every employee to know how important their role is in protecting sensitive data."
    —Chaitsi Ahuja, Brown Living

    10. Match inexperienced staffers with cybersecurity mentors

    "We've started a comprehensive cybersecurity mentorship program which matches inexperienced staff members with cybersecurity specialists to ensure that all members of our company have a thorough awareness of data protection procedures. In addition to imparting expertise, the mentorship program seeks to increase cybersecurity awareness among team members. Meeting on a regular basis allows mentors and mentees to practice response tactics, examine case studies of cybersecurity breaches, and discuss new threats. This hands-on approach ensures the practical application of cybersecurity principles, enhancing our defensive capabilities.

    "Furthermore, we've integrated cybersecurity milestones into our employees' professional development plans to promote proactive engagement in security practices. Recognizing achievements in cybersecurity awareness and defense mechanisms underscores its significance in our corporate culture and emphasizes every employee's role in safeguarding client information."
    —Russell Noga, Medisupps.com

    11. Closely monitor and track security incidents

    "In the complex world of cybersecurity, behavior forms the bedrock of our defense strategy, and this is reflected in a scorecard or dashboard that includes various numbers, keys, and metrics like reporting rate and click rate. These two metrics serve as concrete indicators of our cybersecurity practices. By closely monitoring and understanding these key metrics—particularly the reporting rate metric, which tracks the frequency of reported security incidents, and the click rate metric, which assesses how often phishing attempts are successful—we can effectively evaluate our cybersecurity behavior.

    "At the core of a strong cybersecurity stance is the accuracy of our reporting. Making sure our actions are in line with the actual situation is critically important. High reporting accuracy reduces the chance of missing threats, ensuring security incidents are reported and addressed promptly and accurately. This commitment to precise reporting strengthens our cybersecurity behavior, creating a culture where threats are identified, addressed, and neutralized effectively, thus enhancing our defenses against the continuously evolving landscape of cyber risks."
    —Paw Vej, Financer.com

    12. Leverage MDR solutions

    "We depend on advanced cybersecurity solutions to enhance cybersecurity awareness in our law firm. It's undeniable that technology plays a crucial role in cybersecurity awareness, and lacking the right technological tools makes it difficult to foster a culture that is aware of cybersecurity threats.

    "As various industries, including ours, navigate significant technological shifts—like the move to remote and hybrid work models and the introduction of AI—managing cybersecurity independently has become a daunting task for many organizations. The challenge is amplified if you're uncertain about which security programs are necessary (an antivirus alone is often insufficient, contrary to what some vendors suggest) or if you lack the resources to research, implement, and continuously manage these security solutions.

    "Fortunately, the emergence of managed detection and response (MDR) solutions has been a game changer. These services allow cybersecurity professionals to provide cutting-edge technology tailored to your business, staying ahead of emerging risks and threats. They offer round-the-clock monitoring of your systems and can automate responses to detected issues, greatly reducing the potential impact of an attack or breach on your business."
    —Michael Brown, Dribbin & Brown Criminal Lawyers

    About the Author

    Post by: Brett Farmiloe

    Brett Farmiloe is the founder and CEO of Featured, a platform where business leaders can answer questions related to their expertise and get published in articles featuring their insights.

    Company: Featured
    Website: www.featured.com