Part 1 of 6: This blog series will detail 5 practical steps for creating a culture of cybersecurity in the workplace. Follow the series each week as we examine these steps in greater detail, and provide actionable strategies for creating your own culture of security.


The rise in corporate cyber-attacks costs businesses billions of dollars. From startups to large publicly-traded corporations, it is rare that a day goes by without another story of a cybersecurity breach.

A quality IT department or outsourced IT company is the first line of defense against cyber threats. These professionals implement preventative measures. However, even with the best trained, staffed, and funded IT department, your business remains just one click away from undermining those protections.

Human error is responsible for the majority of the worst reported data breaches. A lack of cybersecurity awareness training leaves organizations susceptible to attacks and puts companies at risk of losing their reputation, customer loyalty, and potentially their bottom lines.

No company would allow their employees to provide customer service without undergoing training first. Yet, the majority of organizations grant access to company email, corporate documents, and even financial information without ever providing training on how to keep this important data secure.

Untrained employees are more likely to open malicious website links, fall victim to phishing scams, and unintentionally share sensitive data. Nonexistent or insufficient company security policies compound the issue.

As Nick Wilding of AXELOS points out, "staff should be [businesses'] most effective security control but are typically one of their greatest vulnerabilities".

The following statistics illustrate the need for employee (and management) cybersecurity training and a company-wide cybersecurity policy:

  • “One in ten confessed to downloading content at work they should not”.
  • “Two thirds (62%) admitted they have a very limited knowledge of IT Security”.
  • “More than half (51%) had no idea how to update the anti-virus protection on their company PC”.
  • “One in five workers (21%) let family and friends use company laptops and PCs to access the Internet”.

These statistics are particularly alarming considering that recent research shows upwards of 75% of organizations fall victim to a staff-incurred security breach, half of which are the result of human error. Many companies do not require employees to undergo cybersecurity training because many company executives do not believe the training is “very effective” and assume it does little to change employee behavior. The opposite is true: regular training resulted in an 80%+ increase in keeping data secure.

The days of keeping your business safe simply by investing in preventative measures are gone. While technical security measures will protect you from most unwanted viruses arriving in malicious files, they will do nothing to prevent an untrained employee from falling victim to CEO fraud or phishing emails. Cultivating a corporate culture that makes everyone responsible for cybersecurity is the best way to safeguard against potential data breaches.

The following 5-step process can help your organization create a culture of security.

1. Assess

It is important to assess your organization’s current security environment before taking steps to improve it. A risk assessment can be performed in-house, but it is most effective when performed by a professional cybersecurity firm. This provides an outside, unbiased point of view, and most IT departments are not equipped or trained to perform this type of assessment.

2. Create Buy-In

This is possibly the most crucial step in the process, because it can make or break the rest of the program. Getting employees, board members, and C-suite executives on board with new policies and procedures is the first step in creating the desired company culture. You need employees working with you rather than against you to create a security culture.

3. Train

It may be common knowledge to an IT department employee that one should never write a computer, email, or other password on a sticky note stuck to their monitor, but for some employees, this may be the way they’ve always done things. Worse yet, they may never have been trained on, or even told about, this practice. It is the responsibility of senior management to provide consistent and up-to-date cybersecurity training and best practices.

4. Recognize & Test

Develop incentives to motivate employees to use the training they have received. Also, devise a plan to detect small policy infringements. If you see an employee sharing a password via email, don’t just ignore it. In addition to recognizing both positive and negative employee behavior, it is important to run controlled assessments to gauge your company’s susceptibility.

5. Review

There is no doubt that hackers are smart and know that an entire company’s cybersecurity posture is only as strong as its weakest link. Additionally, new types of attacks are constantly emerging, so it is important that senior management and the IT department work together to stay ahead of the hackers.

Organizations of all sizes and industries can benefit from a professional security assessment to begin creating a culture of security.


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.

Author: Jennifer Guidry, CMO | HCISPP