
What is cybersecurity culture, and why is it important in the workplace?

17 Dec 2018

Successfully warding off cyberattacks requires a coordinated effort across all levels of a business. But what does workplace culture have to do with it?

This year, Cybersecurity Ventures estimated that cybercrime damages could amount to as much as $6trn by 2021. That figure is entirely plausible: our world is being increasingly digitised, and cybercriminals are only becoming more agile and cunning with time.

In response to this, many workplaces are hoping to inspire a ‘cybersecurity culture’ among employees, believing that protection from cyberattacks can only be achieved with a top-to-bottom, coordinated effort. Yet what is a cybersecurity culture, and how can employees expect to see it integrated over the coming years? More importantly, is it a help or harm to workers?

A group effort

Essentially, cybersecurity culture in the workplace amounts to the promotion of safe cybersecurity practices that integrate seamlessly with people’s work. It means making employees aware of cybersecurity threats and having them adjust their behaviour accordingly in order to mitigate those threats.

Phishing attacks, better password management and the basics of encryption are all things employees should be educated about if a company wants them to make better choices in this regard. These skills are, as an added benefit, entirely transferable outside the workplace. In this day and age, people should consider cybersafety in the same vein as they do road safety: eminently practical information that every person living in society needs to know.

Yet according to a recent report released by ISACA in conjunction with the CMMI Institute, a staggering 95pc of organisations still report a gulf between the desired state of their cybersecurity culture and its current state. When asked to characterise the health of their organisation’s cybersecurity culture, respondents give mixed reviews.

For most, the immediate solution is to increase employee training and better communicate behavioural policies. Almost 60pc say they have considered measures such as employee monitoring programmes, while more than half have considered hiring consultants to mediate risks.

Could it go wrong?

You could say that there’s no real downside to encouraging safety, cyber or otherwise. Everyone loses out if a company is impacted by a cyberattack.

It is also true that in many cases, cyberattacks can be precipitated by human error, particularly when hackers are clever enough to use ‘social engineering’ techniques such as creating fake login pages or incredibly convincing phishing emails.

Employee behaviour is important, of course, but it shouldn’t replace bringing in a cybersecurity/IT team to secure your network. While this may seem like an extreme leap, the aforementioned report seems to imply that this is what employers are doing. They are quicker to focus on ways that they can make their employees do the heavy lifting, by training them, offering them rewards for good practice and providing reviews of their performance in this regard.

Is this broadening an employee’s skills and knowledge, or is it burdening them with another anxiety that is too heavy a weight for any individual to carry? While many cybersecurity professionals are quick to point the finger at lazy employee practices, is this glossing over the responsibilities that an employer has to secure their network enough so that a single human error won’t bring down the entire firm?

By Eva Short

Eva Short was a journalist at Silicon Republic, specialising in the areas of tech, data privacy, business, cybersecurity, AI, automation and future of work, among others.
