Creating a Security Culture

This support article has been created to help organisations develop their security culture. 

Training and awareness should extend past an online training course and we really understand that whole process.

Creating a great security culture doesn’t mean that every member of the organisation holds a security certification or that everyone has to be a cyber security whizz. It's all about transferring some essential knowledge and creating an open environment to reduce some of the risks. Think of it as tipping the scales in our favour and keeping us secure.

If you imagine a pack of Meerkats, grazing by the den out in the Kalahari desert. On guard, stood tall and looking for incoming dangers. They are capable of detecting even the smallest rustle in the neighbouring bush and alert the clan to return to safety. The Meerkats don't worry about getting the alert wrong and don't face any barriers from their managers to present their concerns. They have constructed the perfect example of a great security culture. 

A security culture is when every member of the organisation is aware of common threats, such as Phishing. Everyone knows how to report a security concern effectively. Cyber security needs to be commonplace, not a technical taboo subject only discussed by IT and Security departments.

Our five top tips for improving your security culture are: 

1. Have open, honest conversations: Not everyone is going to have the same level of understanding about security. Some people will see that cyber security is here to protect us all; for others, cyber security is just something else to fit into their schedule. Talk to people, find out what their opinions are. 
2. Define good: Simply asking people to ‘do cyber security’ and complete their online training won’t cut it. Set out clear expectations on how everyone can improve their security habits. 
3. Unify basics: Everyone from the Managing Director to IT manager to the cleaner should all have the same, basic knowledge.
4. Support the community: Not everyone learns in the same way. Some people are visual learners; others may be hands-on. Be adaptive in your approach and flexible in your delivery. Encourage people to work together and support each other. 
5. Learn from history: Occasionally, things can go wrong. Running around in desperation to find someone to blame isn’t going to help anyone. Focusing on everyone, who can, pitching in to resolve the issue, will be much more fruitful. After the issue has been resolved, look at how everyone can learn and improve their skills. 

You can read more about creating a security culture by reading this informative blog from the National Cyber Security Centre: ncsc.gov.uk/blog-post/growing-positive-security-cultures.