Cybersecurity Learning: Building a Culture of Cyber Awareness


Company leaders often face immense pressure from investors, consumers, and other stakeholders to share information about how they’re working to improve their organizations’ posture on a range of important issues. Shaun McAlmont, CEO of NINJIO, shares how building a culture of cybersecurity learning could increase cyber awareness across the organization.

The end goal of any effective cybersecurity training program is sustainable cultural change. Cybersecurity should never be a check-the-box exercise – it has to be second nature for all employees, whether they’re opening an email, downloading a document, or doing anything else that involves access to company data or networks. Companies can facilitate cultural change by keeping employees actively engaged with the material they’re learning, regularly testing their knowledge, and ensuring that cybersecurity is a priority across the organization.

The direct costs of a ransomware attack are often immense, but the indirect costs can be even higher – such as a loss of brand trust and loyalty. When 81 percentOpens a new window of consumers say the potential risks of companies collecting their data outweigh the benefits, companies need to demonstrate that they responsibly manage customers’ personal information. This begins with a proactive culture that equips employees with the tools to identify and mitigate cyber threats.

The Ultimate Goal of Cultural Change

The first step toward developing an effective cybersecurity platform is establishing an engaging training program. The second step is ensuring that the program educates employees. And the third step is building that education into the company’s culture and making cybersecurity awareness second nature for all employees. 

It’s impossible to educate employees without keeping them engaged, but it’s clear that this is something companies struggle to do. According to the 2021 Gallup State of the Global Workforce reportOpens a new window , just one-fifth of employees worldwide say they’re engaged at work. This leads to turnover, collapsing morale, and low levels of productivity, and Gallup estimates that it costs the global economy $8.1 trillion per year.

Engagement is also a critical element of education. In a case studyOpens a new window conducted at Kingston University in London, researchers increased student engagement with “message boards, recorded lectures, use of social media, [and] online forums,” and this led to “improved retention and achievement figures compared to modules that were delivered without digital intervention.”

A considerable body of researchOpens a new window suggestsOpens a new window that another way to engage learners is through narrative-based content. The end goal of these strategies isn’t just information retention – it’s the creation of cultural norms that make the deployment of that information automatic for employees across the company. 

Despite the central importance of building a cyber-aware culture, many companies haven’t been able to do so. According to survey dataOpens a new window published by Quinnipiac University, 60 percent of organizations don’t believe they have successfully secured employee buy-in for their cybersecurity initiatives. In comparison, 42 percent don’t have a plan for developing a cyber-secure culture. More than half believe the CISO should “own” the process of developing a cyber-aware culture, even though cybersecurity should always be a company-wide priority. A 2019 studyOpens a new window conducted by researchers from MIT Sloan summarizes the failure to prioritize the cultural components of cybersecurity: “Managers continue to invest in upgraded technologies and, in many cases, resist investments in organizational mechanisms that would increase resilience.”

See More: How Companies Can Move from Cybersecurity Training to Learning

How to Become Cyber Secure

According to a recent PwC surveyOpens a new window , the organizations with the most advanced cybersecurity platforms are twice as likely to report progress on “instilling a culture of cybersecurity.” The MIT study outlines several ways for companies to build a cyber secure culture: 

  1. Making cybersecurity a part of performance evaluations and reward systems. 
  2. Holding employees accountable for failing to observe cybersecurity protocols (according to Accenture, just 16 percentOpens a new window of CISOs say their companies do this).
  3. Developing healthy communication around cybersecurity. 
  4. Providing consistent and up-to-date cybersecurity training. 

Beyond observing these guidelines, companies must ensure that their cybersecurity cultures keep up with emerging threats. A recent reportOpens a new window by Kaspersky Labs found that 93 percent of cybersecurity professionals recognize that their field “needs to evolve with the current and future landscape.”

But in many cases, this isn’t happening. According to a 2020 studyOpens a new window conducted by the Ponemon Institute, the proportion of companies that believed they had an effective cybersecurity platform fell from 71 percent before the COVID-19 pandemic to just 44 percent. One likely cause is that companies aren’t adapting to the shifting threat landscape – just 43 percent say they have “programs that inform and educate remote workers about the risks created by remote working.”

Human behavior remains the biggest liability – and asset – companies have in developing and maintaining their cybersecurity platforms. MultipleOpens a new window studiesOpens a new window have found that employees remain the weak link in companies’ efforts to defend themselves from cyberattacks, but this means cybersecurity education can have a powerful impact on any organization.

As more and more companies recognize the value of cybersecurity training, it has never been more important to look at what employees are learning and how they’re deploying this knowledge to keep the company safe.

Towards Proactive Cyber-awareness

Cybersecurity training is a means to an end: creating a cyber-aware culture where all employees recognize that they have a responsibility to protect themselves and the company. This is why it’s vital to incentivize proactive cybersecurity habits and measure performance (as well as engagement) with tools such as phishing tests, employee reporting mechanisms, and company-wide security assessments.

When companies take cybersecurity education seriously, they won’t be satisfied with the mere existence of training programs. They’ll build their cybersecurity platform around the facilitation of long-term behavioral change among employees, a process that will eventually lead to a robust and permanent cyber-aware culture. 

Has your organization recently taken any steps towards becoming more cyber aware and threat-conscious? Share your experience with us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to know!