Security Culture: How Employees Can Protect Your Company (or Be Your Weakest Link)

Posted on August 7, 2020 - by Darren Gallop - in Growing Your SaaS Company


Security culture helps make cybersecurity awareness second nature, letting your team focus on business while keeping the company safe.

Your employees may be highly trained, diligent professionals, yet they’re often targets for cybercriminals. By integrating best-practice cybersecurity policies into your operations, you can dramatically reduce the risk of a data breach, malware, or a ransomware attack, all while building trust with your customers and winning new deals with enterprise businesses. A good security program doesn’t start with buying fancy AI monitoring software. It starts with your people and policies.

You can start creating a security culture at your company by challenging a big misconception: that cybersecurity is just for the IT department.

Employees are Often the Weakest Link

According to Verizon’s 2020 Data Breach Report, data breaches resulting from internal malicious actors have decreased considerably. However, privilege misuse and human error continue to be major internal sources of breaches. The most common mistakes reported have included:

  • Misconfigured accounts or permissions
  • Poor password practices
  • Confusion about access protocols or procedures
  • Logging into personal emails or unauthorized websites on company computers

While things like checking Facebook from a company laptop during a lunch break might seem innocuous, these behaviors make it easy for hackers to target unsuspecting employees. For example, social media has become a major avenue by which some hackers attempt to deploy social engineering to trick users. 

Likewise, phishing attacks designed to steal credentials often rely on users trusting an official-looking email from a sender the user knows. 

What is Security Culture?

Security culture refers to the set of behaviors or customs that a group of people adopts to maximize security in everyday operations. It’s the idea that security is everyone’s responsibility, not just something for the IT department. It involves turning security practices into habits that your entire organization follows instinctively. You might also hear people call these important and routine actions “cyber hygiene.”

Examples of security culture include: 

  • Developing the habit of locking computer screens when you step away from your workstation.
  • Using a sign-in app at a front desk for all visitors, whether they’re accompanied by staff or not.
  • Deploying the principle of least privilege for user accounts.
  • Protecting professional contact information by giving it out on a need-to-know basis. 
  • Having a set of security policies that all staff are required to review and sign.

How to Promote Good Security Practices

Security culture is powerful because it counters the blame-culture approach that many organizations take. When employees feel empowered to act, they’re less likely to hide potential breaches out of fear of repercussions. The best ways to promote smart security practices are:

1. Make Practices Easy

Verizon noted in their report that some breaches occurred because employees weren’t following established procedures. The more convoluted and unclear a practice is, the less likely people are to adopt it. Clear policies make sure everyone understands their responsibilities.

2. Have Clear Procedures for Reporting Incidents

Always establish a set of policies that includes what employees should do if they suspect an incident. Make sure employees are trained on these procedures so they can act quickly if the need arises.

3. Reward Good Security Habits

Get employees excited about security culture by rewarding good habits. This also helps to counteract fears that they may be punished if they make a mistake or fall for a scam. 

Get Custom Cybersecurity Recommendations for Your Business

Adopting a security culture is a smart move for businesses, especially fast-paced ones that handle sensitive information. By cultivating good security habits amongst your employees, you can reduce the number of risks that crop up in your organization daily.

Cybercriminals are just waiting for employees to slip up and click on a link, or overlook a suspicious download because they’re busy staying focused on work. Don’t let them have this advantage. Instead, make security a part of your company’s culture and enjoy greater freedom from bad guys who want to steal your data. 

Do you have the policies and procedures you need to create a culture of security at your business?


Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing your cybersecurity plan.


About the author

Darren Gallop is a tech entrepreneur, information security expert, Techstars alumnus, board member, and the CEO of Securicy. He co-founded Securicy and led the team to develop a SaaS product that guides businesses through creating, implementing, and managing their information security and privacy compliance program. Gallop previously co-founded Marcato and was CEO there for 10 years, until the successful event management software company was acquired by Patron Technology. He is fluent in English and French and adept in Spanish. Gallop spends much of his non-work time traveling or engaging in the outdoors: swimming, fly fishing, canoeing, camping, and surfing (basically in that order). He is from Nova Scotia, Canada.