How to Build a Culture of Cyber Awareness

How to Build a Culture of Cyber Awareness
October 26, 2023 6 mins

How to Build a Culture of Cyber Awareness

How to Build a Culture of Cyber Awareness

Everyone working for an organization is responsible for building a culture of cyber resilience.

Key Takeaways
  1. When it comes to cyber security, employees are an organization’s greatest asset and often its weakest link.
  2. Hybrid work environments mean that managers need to reinforce basic security principles and data protection.
  3. Executives are encouraged to take ownership of the cyber-security basics as well as prioritize threat assessments and data management strategies.

Simple training courses are no longer enough to build cyber resilience within an organization. To keep up with the increasing frequency, sophistication and severity of cyber attacks, companies should establish a culture of cyber awareness that extends to every level of the organization.

Kate Kuehn, cyber trust leader for Aon’s Cyber Solutions group, shares her ideas on how companies can work to build a culture of cyber awareness.

How critical is employee awareness and understanding to the overall cyber security strategy?

Kate Kuehn: When it comes to cyber security, employees are a company’s greatest asset and often its weakest link. Organizations should assess not only how they train employees but also how they’re raising awareness of the importance of that training. It’s that maturity of understanding that can make a difference in establishing effective cyber awareness. A good cyber culture helps protect organizations. A poor cyber culture often becomes the Achilles’ heel.

How is hybrid work affecting people’s cyber awareness?

Kate Kuehn: Employers are more reliant on hybrid work environments and technology than they’ve ever been. There used to be one set of rules for the office and one set of rules for travel, and everyone understood those boundaries. Now, we have the home, the office, travel and anywhere else someone might work.

But it’s still important to take the time to underscore basic security principles and best practices. Security is not just bricks and mortar anymore. Security is now primarily about data. We need to make sure people know what they are doing when they are accessing and interacting with data so they know how to keep that data secure.

You mentioned that cyber security is everyone’s responsibility. How should executives think about cyber security?

Kate Kuehn: When working with clients and their executive teams, I frequently encounter a mindset of “hear no evil, see no evil, speak no evil” when it comes to cyber security. Executives often feel like they don’t have to address what they don’t know. That mindset is going to be an increasingly perilous way to address cyber security, not just as cyber attacks become more damaging but also as new regulations are passed. From an executive perspective, cyber security is not a question of “Should I know?” It’s a question of “What should I know?”

It’s key for executives to have a good understanding of what solid cyber maturity looks like and how the organization is maintaining at least a base level of compliance. Whether you’re the CHRO charged with understanding how humans are being impacted by the culture and the data they’re accessing, the CFO examining the financial impact of an operational attack or a leader in any other role, you are responsible for cyber security. That doesn’t mean you have to suddenly become an expert on phishing versus smishing versus whaling, but you have to at least understand the basics to help keep your part of the organization compliant and safe.

Quote icon

From an executive perspective, cyber security is not a question of “Should I know?” It’s a question of “What should I know?”

Kate Kuehn
Cyber Trust Leader for Aon’s Cyber Solutions group
In terms of backup security and recovery, what’s the best approach: to go step by step or to define an enterprise-wide strategy?

Kate Kuehn: It should absolutely take incremental steps. It’s similar to the approach we recommend with the Zero Trust model. You can’t boil the ocean and do Zero Trust everywhere; you have to start small. The same is true with a backup strategy.

We’re seeing a significant rise again in unrecoverable ransomware. That makes backup strategies much more critical, because otherwise you may never get your data back. Given that you can’t back up everything, the executive team should work together to identify and help secure the crown jewels identified as critical for recovery. After that, it’s a question of prioritizing what’s most important. Start with those assets that keep the heartbeat of the organization going and branch out from there.

What further steps should leaders take to ensure they stay up to date on cyber awareness?

Kate Kuehn: The problem with cyber security is no matter how much money an organization spends on it, things still might fall through the cracks. Because of that, we recommend that organizations look to start with what is most basic and important and move out from there. One of the first moves is to make sure every executive has gone through a corporate threat assessment. Identify what is being said about key executives on the dark web, what the chatter is about the company or what external geopolitical, geographical or industry-specific threats the company is potentially facing.

Another step is to conduct an adversary simulation. Figure out what would happen if you were attacked in different types of scenarios. Every executive should know their role and what the organization needs them to do in response to the attack. That’s sometimes the hardest thing. Have a process in place that people can trust.

A corporate threat assessment and adversary simulation can help guide an organization on where to focus attention. Once you identify the top two or three critical threats, you can begin to build a road map based on those. Organizations shouldn’t just arbitrarily start building a plan on ransomware or phishing. If they have a better understanding of where to point the arrows, they can design and help execute a more robust cyber security plan.

Read more about the top cyber threats in the 2023 Cyber Resilience Report

Quote icon

The problem with cyber security is no matter how much money an organization spends on it, things still might fall through the cracks.

Kate Kuehn
Cyber Trust Leader for Aon’s Cyber Solutions group

General Disclaimer

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All