It’s time to switch up cyberculture, says Standard Chartered boss
Nina Paine, global head, cyber partnerships at Standard Chartered bank, writes exclusively for SC Media on the importance of building a modern, fit-for-purpose cyberculture
For some time, we’ve focused on creating ‘cyber aware’ cultures in our organisations. This is natural, given the scale and severity of breaches we’ve seen in recent times and the integral role which employees play in protecting us against those.
But just as attacks have evolved and the sophistication of malicious actors has increased, the world around us has changed too: whether it’s remote working or changing expectations of our employers.
Therefore, focusing purely on cyberculture is now too simplified a view. To truly take a step forward in managing our cyber risk, we need to influence our overall organisational culture, including its approach to risk, and apply those values to cyber security, adapting our processes and ways of work to ensure sustainable behaviours.
And this means continuing to focus on the malicious attempts to breach our network defences, but also shifting our focus to understand the non-malicious.
Tackling ‘intentional’, non-malicious errors
Employees are clearly critical in defending organisations against malicious actors, not just through their efforts in deploying cyber security controls or implementing cyber defence capabilities, but also in their own actions as individuals.
Cybint, for example, found that 95% of breaches can be traced back to human error in some way.
Verizon’s 2022 Data Breach Investigations Report found that 82% of breaches involved a human element, including employees making mistakes that enabled criminals to access an organisation’s systems.
Of course, education and awareness are clearly important methods for tackling human mistakes. But so too is linking risk culture across an organisation: upwards, to a company’s headline culture and values, and downwards, by applying that risk culture to the various risk types, including cyber security.
Developing this joined-up approach requires a significant amount of self-reflection. We all have an idea of what represents good conduct, particularly in the financial sector where conduct teams are well-established. But as well as thinking about organisational controls and our strategic approach, it requires some very specific thinking about the behaviours we want to encourage, and exactly what those mean when it comes to managing cybersecurity.
What makes a good cyberculture?
Defining and enabling a strong risk culture in cybersecurity requires us to understand the aims of the organisation as a whole – our strategy and our risk frameworks. But it also necessitates a deeper understanding of what it means for individual employees in our organisation.
Diving deeper into breaches and violations shows that while there will always be the potential for malicious intent, there are also some broader cultural considerations to account for.
Earlier this year, research from Brigham Young University and the University of Central Florida found that failures to comply with cybersecurity policies were primarily due to intentional yet non-malicious violations, with stress being one of the biggest driving factors.
Common reasons for such breaches among the workers surveyed and interviewed included ‘to better accomplish my task’ or ‘to get something I needed.’ Employees were found to be substantially more likely to break policies on days that they reported being stressed.
Alongside relatively common contributors such as job security fears and personal demands, the policies themselves were a source of stress: employees were more likely to violate them when they worried that following them would hinder productivity, require extra time or energy, or make them feel like they were being monitored.
Stick versus carrot approaches
There is a balance to find here. Developing a transparent and robust consequence management process is part of this, to ensure that employees who repeatedly make these violations understand that there is a need to learn correct behaviours.
And within this we need to account for both malicious and non-malicious actions, particularly against the backdrop of economic difficulties which will perhaps make some individuals easier targets for manipulation.
But we must also foster an environment which not only encourages adherence but also ensures that the development of policies and standards is done in consultation with the organisation and considers the conflicting demands on individuals.
Security teams often refer to cyber as an “enabler”, which it certainly can be: allowing an organisation to take calculated risk in pursuit of its objectives, perhaps even developing cyber-specific streams of business.
But for most employees, cyber can be perceived as something which adds the extra step or requires the exemption when exploring an opportunity, so we must also get the balance right between guidance and being too prescriptive.
Employees play an integral role in the cyber resilience of our organisation as a whole. It is now time to consider our overall organisational culture and to develop an embedded, joined-up approach to strengthening it.
By liaising with regulators, industry associations and law enforcement, Paine seeks to enhance all parties’ understanding of the critical role each plays in securing cyberspace for global communities. She previously spent over a decade at the United Kingdom’s National Crime Agency (NCA), leading European, multi-site teams in the UK and abroad to fight organised crime.