How to build a cybersecurity culture within your company

“85% of the time, the human factor was involved in the data breaches experienced by businesses,” says the 2021 Verizon Data Breach Investigations Report. It’s a reminder of what we’ve always said at Webifant Security: humans are the weakest link in any security system. That’s why creating a culture that tackles this vulnerability head-on and turns it into a strength is crucial for any business.

But how do you do that?

Let’s face it, managing people is already one of the toughest jobs out there. Even with skilled, trained employees, it’s hard to get everyone rowing in the same direction. Now imagine trying to change the behaviors they don’t even realize are dangerous—like clicking on a suspicious link or using “password123” for everything.

Best-case scenario? No one on your team of three to twelve employees is trying to intentionally put your company at risk. But let’s be real—there’s always that one “coconut head” who clicks every link, uses weak passwords, or engages in behavior that leaves your business wide open to threats. And in worst-case scenarios, you might even have someone intentionally trying to steal trade secrets, customer information, or other sensitive data.

Whether your staff consists of freelancers, full-timers, skilled, unskilled, trusted, or not, if they have access to any data or internal operations, you need to safeguard your business. One of the best ways to do that? Go out of your way to build a cybersecurity culture in your company.

So, how exactly do you build a cybersecurity culture within your company?

The first step to remember is that culture is the sum of the values, attitudes, and beliefs that a community has absorbed as part of its everyday life. (And no, you don’t need to Google that. Lol.) So, when you’re setting out to create a cybersecurity culture, what you’re really doing is embedding it as a normal, expected part of your team’s routine. You can do that with the following steps:

1. Start with the company leaders.

Leadership is where employees look for direction. Sure, your team might be smart and creative, but a lot of their behavior stems from what they see leaders do. You need to gather your senior team or most trusted allies and get them to understand, in no uncertain terms, that cyber threats are very real. And not just real—they’re growing at a rate of 15% annually. That’s a fact.

Before you even start these conversations, make sure you’ve consulted with a small cybersecurity team with all-round expertise to evaluate your company. You’ll need to confirm the right security measures for your business size and figure out where your current setup stands. Armed with this info, you’ll be in a strong position to get your leaders on board.

If it helps, dig into the countless stories of cyber threats and attacks that are published every day. Find examples that are relevant to your business, and use them to highlight the risks. You’ve got to drive home the message: a cyber attack could hit your company hard. Make it clear that vigilance is essential—whether that’s implementing specific security protocols or encouraging employees to stay alert. Your leaders need to not only adopt these practices themselves but actively promote them within the team.

Now, if you’re already running a business without a cybersecurity plan, this is where you start. But if you’re still in the research phase and haven’t hired employees yet, then jump straight to step two.

2. Make cybersecurity part of formal employee onboarding.

Making cybersecurity training a core part of your employee onboarding sends a clear message from day one: cybersecurity is non-negotiable here.

At Webifant Security, we can have a team member come in—whether in person or via Zoom—to train your employees on the cybersecurity practices specific to their roles. Why? Because while every employee poses some risk, some are bigger targets than others.

Take your web designers and developers, for example. They might seem safe, but they still need to be vigilant. Hackers can easily slip malicious code into their designs if they’re not careful. Your accountants, social media managers, and ad experts all face different levels of risk too, and their training needs to reflect that.

To ensure these practices stick, consider making cybersecurity part of your quarterly employee performance reviews. Tailor the assessments to each role’s specific risks, and encourage compliance with incentives—ribbons, awards, bonuses, you name it. And for those falling behind? Have reinforcement strategies in place to get them back on track.

3. Conduct emergency preparedness drills.

What are we going to do right now if we get attacked? That’s exactly the kind of thinking a smart entrepreneur has. Just like the rest of your business, no matter how secure you think you are, there’s always that chance things could go sideways. That’s why you get insurance, backup plans, the whole nine yards. Preparing for when things go wrong is just good security sense. It puts you two steps ahead of the cyber criminals—and that’s exactly where you want to be.

One of the most practical ways to prepare is conducting emergency drills. Picture this: your employees are suddenly told one of your systems is under attack. They need to snap into action, following the incident response plan to minimize damage, block the attack, and get everything back online as fast as possible. How do you make sure they act correctly despite the stress of the moment? Drilling is the answer. Practicing what to do when an attack strikes, and practicing it often, makes it far more likely that people will actually snap into action when disaster strikes.

The perfect example of how drills save lives would be Rick Rescorla—the Head of Security at Morgan Stanley’s head office in the World Trade Center during 9/11. He was no stranger to disaster, having served and led. When he realized the building could be a target, he didn’t wait around. He set up drills, every single workday. Thousands of employees, millions of dollars traded daily, and Rick made sure everyone knew how to evacuate in case the unthinkable happened.

And then, 9/11 hit. It was chaos. Fear. Despair. But thanks to Rick, everyone knew exactly what to do. In just 14 minutes, he got 2,687 employees and 250 visitors out of the building. Thirteen lives were lost that day, including Rick’s. But without those drills, it could’ve been far worse.

You may not be in the World Trade Center, but your livelihood is on the line. So, regular drills might seem like a hassle, but they could be the thing that saves your business from disaster. A small price to pay for your legacy.

4. Appoint a Culture Owner.

Another smart way to get your team on board with cybersecurity is by appointing a culture owner. This person doesn’t need to be from HR, but they should be someone who’s eager to take on the role of championing cybersecurity practices in the workplace.

Their job? Simple—come up with ways to make sure your company’s security measures stick. If you’re working with a third-party security team like Webifant, the culture owner acts as the go-between, making sure any security issues are handled ASAP. They’re also responsible for pushing practices like multi-factor authentication and ensuring everyone’s on board.

But it’s not just about enforcing rules. A good culture owner is someone who gets the team excited about security and makes it easier for employees to report any red flags. Here’s the deal: for every employee who openly admits they might’ve clicked on a phishing link, there are probably five who keep quiet. That’s why having someone they can easily approach about even the smallest concerns can be a game-changer.

5. Make it practical.

One big reason many initiatives don’t stick in organizations is that they’re overly complicated. And while some areas might survive that, cybersecurity isn’t one of them. You need to make sure that integrating new security practices is as smooth and simple as possible.

Drop the cybersecurity jargon and corporate speak when rolling out new protocols. Use everyday language that everyone can grasp. You want employees to *get* what’s at stake and what they need to do. Also, ensure that reporting issues, asking for clarification, and suggesting improvements is easy for all employees.

In the early days of implementation, keep a close eye on how they’re adjusting—but don’t hover to the point where they feel under a microscope.

Most importantly, create a positive and supportive environment that your employees can rely on. They need to feel that they’re part of the bigger picture, not just following orders. If they believe the company values their role in protecting it, they’re more likely to stick to the new security measures and less likely to sabotage them out of frustration or apathy. You want them to think, “We’re in this together,” not “Who cares if we get hacked?”