5 Tips on How to Create a Security Culture for ECSM 2016

November 12, 2016 12:59 pm David Bisson

We at Metacompliance kicked off European Cyber Security Month (ECSM) 2016 by discussing how users can improve their security in banking and other aspects of their digital lives. Our recommendations included looking out for suspicious emails, exercising restraint on social media, and never logging into a bank account while connected to public Wi-Fi.

It’s up to individual users to protect their information at home. But at the workplace, it’s a different story. An organisation should assume at least partial responsibility for ensuring that their employees abide by corporate policies and implement security best practices. Only with their employees’ help, after all, can they strengthen the security of their data and in the process secure a brighter future for tomorrow.

Acknowledging Week 2 of ECSM 2016, we at Metacompliance strongly believe companies need to create a security culture. Here are five tips on how organisations can accomplish that aim.

  1. Develop a Policy that Focuses on the Security Basics

For a security culture to succeed, it must consist of policies that employees find relevant. Organisations should therefore make sure at least some of their policies deal with the security basics. For instance, one policy should spell out how employees are expected to create, store, and change their passwords for all business accounts. Another policy can explain to which systems employees have access. Ultimately, each one of those policies should be written down so that employees can refer to them in the future.

  2. Train Your Employees on that Plan

Policies mean nothing if employees don’t understand them. That’s why companies need to make an effort to train their workforce on their plans. There are plenty of ways to go about doing this. Organisations can create their own security programs. But considering the alternatives, third-party e-learning policy management software generally saves companies time and money.

  3. Reward Good Behaviour

Employees will follow security best practices if they have an incentive to do so. Companies should therefore consider enrolling their employees in a periodic contest that, for instance, evaluates how quickly they can spot a simulated phishing attack. Organisations can then reward those who perform the best with an Amazon gift card or an extra personal day for that quarter.

  4. Encourage Executives to Serve as an Example

Nothing articulates a company’s commitment to security quite like executive buy-in. If executives attend security awareness training sessions and read the relevant security policy materials, employees will follow their lead. Those executives will also set an important precedent in their company: anyone wishing to attain a manager position or above must take security seriously.

  5. Open Your Plan to Feedback

Nothing is perfect, and a security culture is no exception. But rather than decide upon changes behind closed doors, organisations can make the process more inclusive by asking employees and executives for feedback on an ongoing basis. A workforce should have multiple ways of voicing their questions and comments, including an open discussion following each training session and a written or email-based survey.

People are an important asset in an organisation’s efforts to strengthen its information security posture. That’s why companies should make their security policies simple, train their employees on those plans, reward good behaviour, encourage executives’ participation, and welcome feedback from the workforce. Together, those steps are critical to making organisations’ security cultures as open and inclusive as possible.

Interested in using security awareness training software to strengthen your security culture?

If so, contact MetaCompliance and see how its e-learning solutions can help your employees internalise your security policies.