Your Company Needs A Risk-Aware Culture

Your Company Needs A Risk-Aware Culture

Cybersecurity can look dauntingly technical at first. You need a SIEM solution, an IAM solution, a DLP solution, and so forth — but the most important part of a cybersecurity strategy isn’t technical. In fact, it doesn’t even involve a computer. The most important part of a cybersecurity strategy is having a risk-aware culture.

If a company has a risk-aware culture, every employee — from the CEO to the store associates — is aware of basic principles of cybersecurity like never sharing your password, never authenticating for other people, and never sending files over email (especially to external addresses). Companies with risk-aware cultures consider cybersecurity to be the responsibility of the entire organization, not just the responsibility of some cyber guys shoved in the corner.

Most companies, however, don’t have risk-aware cultures. Their employees sign in for each other and even share passwords. They conduct business by passing files back and forth over email. When IT imposes new cybersecurity rules, employees conspire to find shortcuts around them. And when management says it’s time for the annual cybersecurity training, everyone groans.

What A Risk-Aware Culture Looks Like

Building a risk-aware culture is a matter of educating your employees about the following kinds of threats:


One of the most common kinds of cybersecurity threats is phishing emails. Phishing emails are attempts by hackers to trick people into submitting their credentials to fake websites created by the hacker, so the hacker can use these credentials on the real company website to steal information or inject malicious code.

The best defense against phishing is simply to educate employees as to what phishing attempts look like. It is much easier for a human to identify a phishing attempt than for a computer to identify one, so a great deal of money and effort is saved by educating employees as to what they look like.

Using Proper Authentication

An organization with good cybersecurity uses an Identity Access Management (IAM) solution that utilizes Single Sign-On (SSO). What this means is that employees are able to access every software platform they need to do their job with one login.

However, sometimes employees don’t use their IAM. Sometimes they make logins from their work email on websites on their own, or they use third-party login systems to access software. These openings create security vulnerabilities for the whole organization.

The best defense against this vulnerability is to educate employees about the importance of using the company IAM.

Physical Security

In a world obsessed with the cloud, it’s easy to forget about physical infrastructure — but the physical infrastructure is critical to cybersecurity.

Thieves often take advantage of people’s oversight. For instance, to gain access to a system, some hackers pretend to be employees who have forgotten their ID cards. They ask real employees to “please let them in so they don’t have to drive home and get their card.” If the real employees haven’t been educated to decline requests like these, the infiltrator’s gambit may work.

Another important aspect of physical security is device management. Laptops, tablets, and phones used for company business can be stolen and used as an access point through which malicious code can be injected. Because of this, employees must keep careful track of their devices, and alert IT staff as soon as anything is missing or stolen.

The best defense against physical vulnerability is — again — employee education. If every company employee knows not to let people in without their scan cards and to always report missing equipment, many cybersecurity threats can be neutralized before they cause any damage.

How To Build A Risk-Aware Culture

There is a wide variety of different kinds of cybersecurity training available. If you have a cybersecurity partner, either an MSSP or a vendor, they likely have their own training available for your company’s employees. If you do cybersecurity in-house, your cybersecurity personnel likely know of training they feel comfortable recommending to the rest of your organization.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top