Your Guide to Creating a Company Culture for Security


Employees may be a company’s primary liability when it comes to cybersecurity, but they can also be a critical asset. Yes, human error accounts for 84% of data breaches; yet employees are also the reason questionable links go unclicked and ransomware infections are avoided. Often the difference between a liability and an asset depends on creating a company culture for security.

Companies that view employees as the problem tend to use fear as a motivator. Others see cybersecurity as a collaborative effort that makes for stronger defenses. While fear may be a short-term fix, it rarely solves the ongoing problem. When companies scare employees with cybersecurity statistics that point to employees as the problem, the employees become paralyzed and conflicted. As a result, they do nothing or as little as possible to avoid punishment.

Instead of viewing people as the problem, companies should see them as their last line of defense. When phishing emails make it through firewalls, virus scans, and spam filters, it is employees who prevent them from turning into security compromises. That’s why it’s crucial that companies invest in creating a company culture for security that enables employees to successfully defend against cybercriminals.

Establish Security Groups

Companies should select individuals to become citizen security experts. These employees are trained in cybersecurity best practices, including detecting and reporting a possible compromise attempt. The individuals should come from different groups throughout the company, so they can return to their cohort to serve as a security resource.

These citizen experts receive updated training to stay current on cybersecurity threats and serve as a resource to the rest of their group. Asking a colleague about a questionable email is less intimidating than calling someone in IT. The trained staff can share the latest scams and phishing attempts as “stories” rather than as examples of how employees failed their cybersecurity responsibilities.

Eliminate Roadblocks

Organizations often create security policies that restrict employee behaviors without removing obstacles that make it difficult to comply. For example, companies may prohibit files from being saved to an external device such as a flash drive. The IT department wants to reduce the possibility of a virus being spread from computer to computer.

The policy is sound, but how are employees going to adhere to it? Sometimes it’s faster to transfer a file using a flash drive than to download it from a server. When those situations arise, provide employees with options such as encrypted memory sticks or file compression software to reduce the size of a file.

With employees working remotely, VPNs have become a more secure way to connect employees to the office. However, installing VPN clients can be a challenge for some employees. Employees are overwhelmed when asked to:

  • Find the VPN client on the server
  • Download the correct version for their computer
  • Install the software
  • Configure the client

Instead, have the IT department install and configure the software remotely or provide a webinar that takes employees step-by-step through the process.

Provide Resources

Giving employees resources that help them execute security policies easily and effectively increases the odds of the policies being followed. For example, clearly documented procedures for responding to cyber incidents should be accessible to everyone. Put them on the intranet or in a knowledge base and let people know they exist. In a highly regulated industry, failure to follow procedures when responding to a possible breach can have a negative impact, resulting in fines and penalties.

A friction point in most companies is passwords. Employees hate to change them and become frustrated when forced to create new ones every few months. People often increment the numbers used in a password, or they simply write passwords on sticky notes. When they create passwords that are easy to remember, they are most likely creating ones that attackers already know.

Consider providing password managers. Use those citizen experts to help the people in their group install and use the software. Once people are comfortable with the software, they are more likely to use it, and the more they use it, the more they will see how it saves time without sacrificing security.

Constructing a hardened cybersecurity culture requires collaboration and cooperation. Creating a company culture for security is about more than issuing policies. It’s listening to employees to understand what obstacles stand in the way of strong security hygiene. It balances security protocols with organizational constraints to ensure resources are available. Finding a cybersecurity partner can also help build a cybersecurity culture. At Cask Government Services, we are dedicated to making the workplace secure. Contact us for more information on how we can help.