Four ways to build a positive cyber security culture

Steve Macmillan

A positive and effective cyber security strategy requires easy-to-understand IT security policies, a company-wide culture of adopting best practice, and a programme of ongoing training. 

Cyber security threats are an insidious problem, and countering them requires a collective approach, implemented at every level. Cyber security policies and training should be simple, relevant, consistent and workable; teams therefore need frequent reminders and refreshers to stay vigilant. 

No matter what a person’s role is within an organisation, they have a responsibility to maintain cyber security to the best of their ability. We have outlined four ways to build a positive cyber security culture. 

Drive a cyber security culture of excellence at senior executive level 

Senior leaders have a double duty here. First, by promoting cyber security, they help foster a strong culture of vigilance and best practice throughout the company. Second, they need to be very aware that they themselves – with access to commercially sensitive information and authority to transfer significant funds – can be a lucrative target for cyber criminals.  

Reputational and risk impacts can be significant; as an example, the Irish health system estimates its costs will be US$110 million to get everything back online following its 2021 cyber attack. Cyber security should therefore be a high priority for any corporate risk assessment. And with new threats coming through constantly, this is a space that never sleeps.  

With such high stakes, executives need to visibly lead the charge on behaviour and awareness.

Explain the legal and ethical responsibilities 

Keeping customers’ information safe is not simply about reputational and financial damage to an organisation – there is also a legal and ethical responsibility to look after such data. After all, customers place a high degree of trust in any organisation to which they hand over their personal information; at stake is their digital safety and well-being.  

When employees know that cyber security vigilance is critical for customer data security, it becomes more tangible and relatable. Plainly stating the legal and ethical responsibilities involved for staff and the organisation at large encourages them to get on board. 

Keep staff aware of cyber security policy changes

As technology and business requirements change, so do policies and best practices. While employees need to be kept up to date with company IT policies, it’s also critical to ensure they fully understand any policy changes.

IT Policy Management as a Service can help manage awareness company-wide by sending out reminders and notices to inform people about policy changes. The policy management software can track whether people have reviewed the policy, and record their acknowledgement that they have read and understood it. When this is underpinned with ongoing support, workshops, behaviour and awareness education, an organisation can create a robust and adaptive cyber security culture. 

Make cyber security training relevant and accessible 

Cyber security policies and training need to be specific to the organisation. Employees will also be more engaged – and therefore retain more – when policy wording and training are kept brief and delivered in simple language. Policy statements should be clear, concise and jargon-free, with accompanying explanations to aid comprehension. Training should include real-life examples and recall tests, such as quizzes.

Teams are diverse and include people with language learning difficulties and/or English as a second language. They may need help, or simply more time, to absorb the material.  

Any IT policy guidance will only be as strong as the people using it, and cyber security is no exception. With a collective approach led visibly by senior leaders – alongside policy wording and training that is accessible and relatable – you’ll have greater success at implementing and maintaining cyber security vigilance.

If you would like to find out more about how IT Policy Management as a Service can help dive and manage user engagement, visit our resources page to view a series of short videos, or contact us today to book in a demonstration of the service and software.


Contact Us Today

Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233