Insider Threat Management

Coachable Moments: Building a Healthy Workplace Cybersecurity Culture



“They’re here!”

“Be afraid, be very afraid.”

Much of the dialogue around cybersecurity sounds like it came straight out of a horror movie, intended to scare people out of becoming insider threats or causing harm to their organisations, often regardless of whether the harm was intentional.


This is not a great way to build a good work environment, let alone a secure one! Your cybersecurity practices should encourage every team member to pull their own weight. Rather than relying on these campy and outdated scare tactics, we recommend focusing on insider threat training that cultivates good habits and builds trust among members of your organisation.

Every other week, our Coachable Moments blog series has helped people find moments in their day to pass along best practices for employee cyber health. A growing body of insider threat statistics shows that two out of three insider threat incidents happen by accident. As part of the National Cyber Security Alliance (NCSA) Cybersecurity Month initiative, we're upping the ante with cyber health tips that encourage a positive, cybersecurity-focused workplace culture.

Reframe the Existing Narrative

A big part of establishing (or reestablishing) a culture, according to Deloitte, is reframing the narrative that your current culture may reinforce.

For example, if employees generally believe that “the cybersecurity team is trying to slow me down,” or worse “the cybersecurity team is going to report me to management if I do something wrong - even if it was an accident,” it might be time to reframe the narrative.

To contrast, a healthy narrative might include, “being able to consult the cybersecurity team if something seems wrong,” or knowing that “the cybersecurity team will help me navigate potential issues or policy misunderstandings, quickly.”

To shift from a reactive, punitive approach to a proactive, helpful approach, cybersecurity teams need to first evaluate how equipped employees are to understand policy and avoid unnecessary risk. Second, they must make themselves accessible as resources to employees with positively framed, in-the-moment coaching.

Provide Regular Insider Threat Training

Do your employees understand how their actions can lead to unintentional insider threat? Having a strong, easy-to-follow policy is the first step.

Detail the processes you expect all users to follow (such as enabling multi-factor authentication on their accounts), as well as how they're expected to use corporate IT equipment and cloud-based software, whether they're in the office or working remotely.

The next step is ensuring that employees have a strong knowledge of how their day-to-day workflows can remain within company policy. Give employees a chance to ask questions about the policy, particularly if there’s a certain out-of-policy application they may need to do their jobs more effectively. Hearing people out shows that there’s a mutual trust and willingness to support their individual productivity needs. Oftentimes, insider threat incidents are caused by a lack of understanding.

It is important to note that insider threat training is not a once-and-done proposition.

Follow up at regular intervals with coaching sessions on a specific aspect of cybersecurity hygiene that may be useful to employees outside your organisation’s four walls.

For example, the upcoming holiday season may be a great time to talk about password and account hygiene, so people can be reassured that their online retail accounts are protected against possible credential theft.

Reinforce Positive Behaviour

What is a culture of positivity without some aspect of celebration or fun? Celebrating a job done right could encourage further compliance with policy, and even create some friendly competition among employees.

CISO Dan Lohrmann advises in GovTech that cybersecurity teams ask themselves the following questions: “When do you celebrate success? Assuming this is happening at all, are people rewarded for doing the right things regarding security? Any bonuses for great cyber etiquette or awards for doing the right things?”

Actions like bonuses, awards, or small celebrations could reinforce the narrative that the cybersecurity team is here to support employees, rather than punish them for doing something wrong.

And a little bit of cake doesn’t hurt, either.

Beyond Cybersecurity Month

While Cybersecurity Month may be a great time to think about transforming your organisation’s cybersecurity culture, this type of transition doesn’t happen overnight. It starts with a commitment from leadership to support employees, encourage personal vigilance over their own actions, and reward them for a job well done.

Are you ready to lead by example?

If you’re looking for additional advice on reinforcing a culture of cybersecurity awareness, read more in our Coachable Moments series, and ask us your questions on Twitter @Proofpoint.