Around a third of government workers don't believe that their actions affect their organisation's ability to stay safe from cyberattacks, according to Ivanti research.

A similar proportion of employees failed to report phishing attacks and more than a fifth said they ‘don't care’ if their organisation is hacked.

What risk?
Oftentimes, staff may simply not comprehend the scale of damage that an attack can wreak on a company, says Daniel Lattimer, area vice president at Semperis UK & Ireland.

"Translating cyberthreats into a legitimate risk like other business risk is critical. However, it can be a complicated topic with attackers becoming ever more sophisticated. It can be difficult for employees to keep up, especially when working under time constraints or pressure to deliver on company objectives."

Not my problem
There's also a persistent belief among staff outside the IT function that security is someone else's problem.

“It's less a case of people not being aware of cyberthreats but having a greater understanding of the part they play in creating a cyber-secure culture," says Chris Harris, EMEA technical director at Thales.

"A common observation from cyber vulnerability investigations is a tendency for employees to rely on their IT department to protect them from cyberattacks. In a mature culture, everybody takes responsibility for their own cyber security,” adds Harris.

Pointing the finger
The reluctance to report mistakes or attacks, highlighted by the Ivanti report, also illustrates the fear that many people have that they will be blamed for a breach.

"Having a culture of blame within an organisation is not helpful," says Harris.

"Policies and procedures should be designed around job roles. In an ideal world, the most secure way to perform a task should not be the hardest but the easiest. To achieve this, employees need to be consulted in the design of procedures."

‘Little and often’ training
As ever, education has an important role to play in shifting attitudes. But it has to be the right kind.

"We always advise businesses to follow the 'little and often' approach," says Jamie Akhtar, CEO and co-founder of CyberSmart. "Little, because no one learns best by bombardment. Often, so that people get into the habit of thinking about cyber security regularly."

Brief exercises that fit into a lunch break or the time between meetings don't feel like a chore and nor do they interfere with employees' primary tasks.

"In an ideal world, you want cybersecurity best practices to be habits," adds Akhtar. "Some examples could include asking staff to spot potentially dodgy communications, adopting good hygiene with account permissions or setting reminders to back up data."

Make it relevant
It's important, though, that training and exercises are relatable to the daily work of your staff.

"Context is key," says Lattimer. "Phishing exercises and quarterly cyber security training is important, but teaching employees about the context of their actions allows them to live the issue and will make it more likely that the information is retained."

Build a ‘cyberculture’
However, it's even more important to develop a culture of security in the workplace. And there are opportunities to do this as the age-old barriers between the business and the security function continue to evaporate.

"By adapting security strategies to meet the needs of users and better address growing threats simultaneously, firms can ensure all employees become patrons of security – not the individuals undermining it," says Mark Guntrip, senior director, cyber security strategy at Menlo Security.

"It is critical that a cybersecurity workplace culture is created – where security becomes a primary consideration all aspects of operations; part and parcel of how work is done. It's about finding ways to create positive and effective loops of healthy security habits across the business."

Text by: Steve Mansfield-Devine