Ways to Develop a Full Security Culture

In 2017, we saw some of the biggest breaches of all time, one of which was at Verizon, where 14 million customer records were exposed. According to the Data Breach Investigation Report (DBIR) for 2017, over half of last year’s breaches involved malware. 66 per cent of this malware was installed from a malicious email attachment.

Phishing still seems to be a popular choice for cybercriminals, with 1 in 14 of those targeted falling victim to the trick. Phishing succeeds because cybercriminals use our own behaviour against us. The report also made the point that the password issue still exists, as 80 per cent of hacking is a result of stolen or easy-to-guess passwords.

To stop cybercriminals, you must approach the problem from both a technological and a human perspective. The fact that cybercriminals use our behaviour against us is something that cannot be resolved by technology, which is why the human perspective must play a role. This can be done by creating a “security culture.”

Create a Security Culture

Firstly, it is important to understand what a security culture is. To summarise, it is based on the maxim “know thy enemy.” If you are prepared for the worst, you can put procedures in place to keep yourself protected. A security culture involves everyone in the organisation. This could extend to business associates and, in some scenarios, customers.

A security culture is encouraged by implementing training for security awareness and a positive attitude that is driven from the top. Here we have five areas to think about when building a culture of security in your organisation.


It is extremely important for all members of your organisation to be well-educated about cybercrime and typical attack scenarios. Security must be fostered and fed. Therefore, the spirit of this should start from the top. Management must be the advocates for the training. They should be taking part in its development as a company policy.

All educational aspects of security must be extended to everyone who could pose a risk to your organisation. This includes all staff, contractors, freelancers, consultants and other third parties such as suppliers.

Stay Holistic

Security is the responsibility of everyone involved. Any individual team member can become the weakest link in an organisation’s security defences. Whether they accidentally click on a malware package or reveal their password to what appears to be a safe website, incidents can happen.

It is important that the team approaches security with a holistic perspective where they understand their role in your organisation’s security culture. From having a clean-desk policy through to developers and DevOps understanding the importance of secure coding and security logs, everyone involved should have a clear understanding of security issues.

Security Bootcamp

Security awareness training and simulation exercises are a great way to offer the first-hand experience that is essential to learning about cybersecurity and where the risks lie. By hosting a security boot camp, employees can learn through a mix of classroom-based formal training and real-life simulation exercises. The purpose of the simulation exercises is to train people to spot security problems.

Security boot camps should cover every element of security, whether it be phishing and online security, or desktop and physical security. Phishing simulation should be done on a regular basis, but also spontaneously. This is to ensure the scenario feels natural.

Rewarding a Job Well Done

If you incorporate quizzes and other activities of measurement, make them exciting and reward those who have performed well. Create a system that encourages best practices of security, and be sure to do this as positively as possible. Do not treat poor outcomes by an individual as grounds for punishment. Instead, look for ways to improve the program. Everyone is different; therefore, different methods of learning will affect everyone in different ways.

Security Mindfulness

Once employees receive the necessary training for preventing a security breach, they should feel empowered by their new-found knowledge. A security culture, when done correctly, can play a natural role in the everyday life of an organisation.

However, you should always be aware that security culture is part of an ongoing process. Cybercriminals are everywhere, coming up with more elaborate ways of fooling us. Training should be repeated on a regular basis, with phishing simulations run at random alongside it. Having the entire organisation mindful of security will make the process and practice completely normalised.
